The compliance conundrum: facing regulation in the Covid era


Changes to our working practices have been accelerated in recent months, as businesses looked to fast-track digital transformation projects – some of which would previously have taken years to come to fruition. It has been widely reported that this dramatic shift to home working has challenged IT management teams to adapt, as businesses rapidly adopt remote capabilities such as cloud computing. Put simply, in recent months the focus was on getting things running efficiently as companies adapted to the lockdown.

About the author

Rob Elliss is Vice President of Sales, EMEA – Digital Identity and Security at Thales.

As we look to 2021, and this remote working lifestyle becomes permanent, many organizations, such as the traditionally “bricks and mortar” companies that may have rushed digital transformation projects, will need to match these remote working capabilities with new cybersecurity practices and standards.

The security risk rose for many companies as they started to set up their employees outside of the office, with many allowing personal devices to be used for work. This is because organizations have been forced to allow employees to access data outside of the core network – effectively widening the attack surface for hackers. This comes at a time when businesses have never been under more scrutiny to protect customer data. Regulations like GDPR have given extended rights back to customers about what data companies can hold and put the responsibility firmly at the business’ door to protect it.

Ultimately, it means that, at a time when many businesses are just trying to survive, they cannot afford to forget about their responsibilities when it comes to regulatory compliance and security. A data breach could have wide-ranging effects: not just the loss of potentially vital data, but losses of revenue through reputational damage and fines. With this landscape constantly changing, what are the key developments within the world of compliance that are expected to shape how businesses collect, store and share personal data heading into 2021?

Keeping up with the compliance

The biggest news from a compliance point of view came five months ago. In July, the European Court of Justice (CJEU) ruled in the so-called ‘Schrems II’ case that Privacy Shield did not comply with EU citizens’ privacy rights. It created serious issues for companies that transfer data from the EU into the US, as Privacy Shield no longer protects them against liability over those data transfers.

Uncertainty was still an issue until recently too, when the European Data Protection Board (EDPB) finally adopted recommendations on the supplementary measures following the ruling. It emphasized the need for due diligence when transferring personal data beyond the remit of the European Economic Area (EEA). Global companies operating across these state boundaries must now seriously consider how they can prove compliance with evolving sets of regulations, including GDPR. For instance, companies headquartered in the US must adapt to the CJEU’s decision, which removed Privacy Shield as a basis for transferring personal data – a major shift considering more than half of Europe’s data (and about half of US data) flows globally.

The issue of Brexit makes this subject even more complicated. As the Brexit transition period ended on December 31, 2020, the UK is no longer part of the EU or the EEA. That means no free flow of data from the EU to the UK. However, the Trade and Cooperation Agreement (TCA) has suspended this position for four to six months, enabling that flow of data while the European Commission conducts its adequacy assessment of the UK. While it remains to be seen what this assessment involves, companies in the UK must not assume an adequacy decision will be granted, and must have supplementary measures in place in order to continue transferring data from the EEA to the UK.

Ultimately, this means any UK company holding EU citizens’ data must ensure it is protected and stored correctly, to EU standards, in order to comply. To do this, CISOs must first prioritize investment in encryption to protect the data at rest and in transit. On top of this, control over the data must reside within the EEA itself, as the EU dictates.

Encryption at the heart of compliance

The most successful organizations during the pandemic have been the ones that remained agile, ready to adapt to constantly changing demands. It’s clear that the only way to achieve such an ability to adapt is through long-term business planning – and the same logic applies to the arena of compliance. With the challenges presented by home working made even more complex by the ongoing political and regulatory shifts, organizations must ensure that they are as flexible and transparent as possible, while making sure that security steps are understandable, accessible and easy to use for all employees.

In particular, businesses must be prepared to take steps to encrypt data at rest, specifically the personally identifiable information of customers, which can be targeted by hackers. Working with a security partner wherever necessary, businesses should deploy a solution that enables data to be encrypted quickly, while ensuring that personal data is collected and stored in a transparent and scalable way. Essentially, it is vital that any system that is integrated doesn’t disrupt the experience for employees or customers.

Additionally, it is key that data is protected in transit too: encrypting sensitive data prior to transferring it and using encrypted connections, such as HTTPS. In fact, it is now required within the EU for companies to take these steps, as it is the responsibility of the company transferring the data out of the EEA to make sure the transfer is in line with data privacy and security regulations. With the workforce widely distributed as a result of lockdowns and social distancing, it is becoming increasingly necessary to self-audit and ensure you are in line with the latest regulations. With companies transferring data at an exponential rate, often across EEA and non-EEA boundaries, they need to check and double-check that this data is protected.

It’s about achieving a level of flexibility, deployed across physical, virtual and cloud data environments, while building in the necessary security protections to remain compliant with evolving European regulations. With this in mind, steps should be taken, first, to integrate these familiar processes, then to unify all your data security requirements, and throughout to maintain control of your encryption keys.

Unfortunately, though, it is inevitable that some companies will face data breaches and leaks, even if we can put in place measures to mitigate them. With regulators continuing to set the agenda around data privacy, and businesses continuing to adapt to a new way of working that inherently brings more risk, ensuring customers are protected with the highest level of privacy rights is vital. As a result, it is increasingly essential that businesses can prove they have taken all the right precautions. Otherwise, all the hard work and investment in fighting to recover from Covid-19 could see businesses hit with sizeable fines and long-term reputational damage that they may never bounce back from.
