Core security measures to strengthen privacy and data protection programs

As privacy laws evolve globally, organizations face increasing complexity in adapting their data protection strategies to stay compliant. In this Help Net Security interview, Kabir Barday, CEO at OneTrust, emphasizes that embracing privacy by design enables organizations to navigate compliance challenges.

As privacy laws evolve globally, adapting data protection strategies to stay compliant becomes increasingly complex. How can organizations navigate this complexity, especially when faced with conflicting legal requirements from different jurisdictions?

There are now 18 comprehensive state privacy laws enacted across the United States, as well as a proposed federal law. The regulatory landscape is incredibly dynamic and shows no sign of stopping, with 4,500 critical regulatory updates across the globe annually, or roughly 12 per day. Many companies today respond to new regulations as they go into effect, but this ad-hoc, reactive approach is inefficient and makes it difficult to keep up with a multitude of laws and differing requirements.

A more sustainable, effective, and proactive approach to data privacy compliance is privacy by design. This is achieved by embedding privacy protection into the very fabric of technology, products, and services. With the goal being more than just compliance, privacy by design prioritizes and respects user privacy throughout the entire development and implementation process. Embracing this approach enables organizations to stay ahead of evolving data privacy regulations and navigate new and changing regulations far more efficiently.

Many CISOs struggle with budget limitations when meeting compliance regulations. Given these challenges, what strategies can be implemented to advocate for increased funding for security and privacy programs?

Securing additional budget for security and privacy programs can be challenging when it’s viewed as a regulatory burden and cost-center, rather than a strategic investment. To overcome this, my advice to CISOs is to demonstrate the value of compliance through metrics and benchmarking, and emphasize its strategic importance by aligning with business objectives.

For example, CISOs can align compliance initiatives with the organization’s data activation initiatives, enabling the strategic use of data. Supporting data enablement across the organization, while providing controls for them to govern data use across the data estate, will help to unlock the value of data. As a result, meeting the regulatory requirements is much easier.

In an era where data is as valuable as currency, investing in compliance technology is investing in the future. It’s not just about meeting legal obligations, but also gaining a competitive advantage in a privacy-focused market and gaining the valuable trust of consumers and stakeholders.

What core technical and physical security measures should organizations implement to support their privacy and data protection programs?

The core objectives of a data privacy program are to protect individuals’ personal information, ensure legal compliance and foster trust with stakeholders. To achieve this, organizations must be able to:

• Understand the data footprint and shadow data within the organization: It’s easy for data to propagate across an organization.
• Enable compliant data use: Maintaining regulatory compliance is increasingly complex with the proliferation of data privacy and now AI laws.
• Implement consistent governance: Managing a clear set of policies across the data footprint that are enforced by controls.
• Continuously monitor risk: Managing the risk of data loss and/or data leaks is a key concern.

What best practices can organizations adopt to ensure they comply with privacy regulations and enhance their overall data security posture?

Data privacy best practices fall into several buckets, including:

• Move from a reactive to a proactive approach by developing repeatable processes for key privacy activities.
• Automate where possible. Leverage automation for activities like fulfilling data rights requests to focus on more strategic privacy initiatives.
• Align internal teams and resources for cross-functional collaboration to drive awareness and efficiency. This can also help create a culture that values and prioritizes privacy.

Following these best practices can help mature an organization’s data privacy program and demonstrate the value of privacy.

What are the long-term consequences for organizations that fail to establish a comprehensive privacy/data protection/cybersecurity program?

An effective, comprehensive data privacy program plays a vital role in avoiding potential business risks like non-compliance, data breaches or data leaks, misuse of consumer data, and even compromised AI initiatives – which can all lead to the erosion of consumer and stakeholder trust and ultimately impact the bottom line.

On the other hand, a robust and mature data privacy program can deliver tremendous benefits beyond just compliance. As organizations face urgency to build out first-party data sets and pressure to innovate with data and AI, a strong data privacy foundation helps ensure data is compliant and ready to use. This, in turn, enables the business to drive trusted innovation, harness the potential of their data for AI, and navigate this data-centric era with confidence.