To say that we live in a data-rich world is an understatement. Every day, we create and store 2.5 quintillion bytes of data. In fact, 90 percent of the data in the world today has been created in the last two years alone. The amount of data created on digital information platforms daily is eight times greater than the information stored in all of the libraries in the U.S. (source: LexisNexis, 2015).
Exponential Data Creation
In addition to this exponential data creation, the mechanism for storing, managing and protecting these massive volumes of data has changed. We now live in the era of the “borderless enterprise,” a fluid and adaptable ecosystem whose resources are accessed, used and shared via mobile, social and cloud. Historically, IT had full control of protecting data, and data was centralized in a company’s data center. During the last few years, mobility and the cloud have literally pushed data out of the data center and onto various devices. Rather than remaining under control and saved on central IT systems, data is increasingly being created on mobile devices and laptops that never touch the corporate network.
According to a Ponemon Institute study, 44 percent of corporate data stored in cloud environments is not managed or controlled by the IT department. As a result, enterprises are tasked with protecting data amidst an increasingly dispersed data landscape while also keeping this data compliant with regulations, enterprise policies, global data privacy and industry-specific regulations (HIPAA, GLBA, COPPA). Also, as recently as November 2015, analyst firm Gartner found that employees would have four personal computing devices that they could use for work by 2018, over and above any corporate IT assets that might be provisioned for them.
Data Protection: More Devices, More Channels
In addition to an increasing number of devices in the enterprise, business is being conducted via more channels than ever before. Rather than email, phone and documents being the formal communication channels, there are now additional channels that have to be supported. Instant messaging and chat apps may be used for real-time communications, while text messages and social media are also used to share work-related information. These text or IM messages may never touch official company IT assets, yet they may have a material impact on company decision making.
How do enterprises then manage and protect data coming from different devices through a variety of channels? This proliferation of new devices and channels represents a huge change when it comes to handling and managing data. For companies, this move from the center to the edge – this decentralization – means that data protection and compliance have to evolve as well.
Let’s talk about compliance. In addition to HIPAA and GLBA, there are many mandates and regulations businesses need to keep top-of-mind. The recent EU General Data Protection Regulation (GDPR) clearly defines personal data and provides a common set of mandates across 28 countries, including provisions for data handling, cloud computing and data breach notification, as well as mandates for companies doing business with EU companies. What does this mean for businesses? Enterprises will need to examine their approach to handling and managing customer data – both for general data protection and for more specific compliance mandates.
Data Protection and Compliance: What Companies Should Know
The following are three steps that organizations can take to plan ahead and improve collaboration when it comes to protecting data and meeting compliance-related regulations:
Step #1 – Recognize that data protection and compliance are two sides of the same coin
When done right, data protection practice is an always-on effort to protect the business, capturing and securing all data that employees create across the business and moving it to a secure secondary location. IT compliance, by contrast, is an established guideline or specification for safeguarding a business, and it does not work the same way. While there may be processes that have to be “compliant” in order for the business to run its operations, IT teams tend to get involved only when there is a change in regulation or a need for an audit to take place.
Security and related compliance investigations often demand a huge amount of time and effort to complete as the IT team searches across company files, emails and records for the required information. This workload can be reduced through smarter auditing and management of data ahead of any incident, particularly when it comes to data that might live on mobile devices.
Today, the process of compliance is highly manual and episodic, and requires aggregating and understanding data only as needed for investigations. In parallel, IT secures and collects data on an ongoing basis across devices through a data protection process. These two teams do not traditionally connect until there is an urgent need to do so. The opportunity is for Security, Compliance and IT teams to work together, jointly using the data made available through these data protection efforts to build a much more integrated process to protect information and address compliance.
Step #2 – Move from reactive compliance to a proactive approach
As I mentioned above, compliance teams tend to operate in reactive mode to audits, as many events can’t be forecasted. While there are some tasks that may come up every year – including auditors coming to check on financial performance – the most critical compliance events cannot be predicted. This is where an external incident can lead to a full-scale audit, and where the availability of all information and data is required to meet the demands of that audit. In this case, the speed with which information can be provided will be essential to that audit.
This approach requires two things: automating the process of meeting any relevant compliance regulations, and automating how any files or data are classified as they are created across the business. To automate the overall process, it’s important to check which regulations apply to any part of the business first and then work to define how the requirements can be met. Alongside this, sensitive information such as personal health information (PHI), personally identifiable information (PII), personal credit information (PCI) and confidential intellectual property (IP) may be created or used within new files or data all the time. As new files are created, they can be automatically checked for any information that should be handled for compliance, and then put through the necessary process. By making use of more automation, the data protection and compliance teams can quickly assess and take corrective action for non-compliance on regulated or policy-managed end-user data.
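The automated classify-as-created step described above, as an added illustration that is not part of the original article: a small Python scanner tags newly created files with the PHI, PII or PCI categories it detects and maps each category to a handling action. The sample files, the regular expressions and the handling table are constructed here and are assumptions, not any vendor's product logic.

```python
import re
from dataclasses import dataclass

# Constructed sample files, standing in for documents created on an endpoint.
SAMPLE_FILES = {
    "notes.txt": "Met with client, follow up next week.",
    "patient_intake.txt": "Patient John Doe, diagnosis: asthma, MRN 00123",
    "orders.csv": "card,4111111111111111,exp 12/27\ncard,4111111111111112,exp 01/26",
    "hr_record.txt": "SSN 123-45-6789 employee email jane@example.com",
}

@dataclass(frozen=True)
class Finding:
    category: str   # one of PHI, PII, PCI
    evidence: str   # the matched text

def luhn_ok(digits: str) -> bool:
    """Luhn check so that random digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Assumed, deliberately simple detectors; a real deployment would tune these.
PATTERNS = {
    "PII": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # US SSN shape
            re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")],      # e-mail address
    "PHI": [re.compile(r"\b(?:patient|diagnosis|MRN)\b", re.I)],  # clinical markers
}
CARD = re.compile(r"\b\d{13,19}\b")  # candidate payment card numbers, Luhn-verified below

# Assumed handling policy per category (what the compliance process applies).
HANDLING = {
    "PHI": "encrypt and retain under the health-data policy",
    "PCI": "tokenize or remove the card number from the file",
    "PII": "restrict access and tag for data-subject requests",
}

def classify(text: str) -> list:
    findings = [Finding(cat, m.group(0)) for cat, regs in PATTERNS.items()
                for r in regs for m in r.finditer(text)]
    findings += [Finding("PCI", m.group(0)) for m in CARD.finditer(text)
                 if luhn_ok(m.group(0))]
    return findings

def classify_files(files: dict) -> dict:
    """Return, per file, the sorted categories found and the actions they require."""
    report = {}
    for name, text in files.items():
        cats = sorted({f.category for f in classify(text)})
        report[name] = {"categories": cats, "actions": [HANDLING[c] for c in cats]}
    return report
```

Running `classify_files(SAMPLE_FILES)` leaves notes.txt unclassified and routes the other three files to the PHI, PCI and PII handling actions respectively.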
Step #3 – Cover the whole enterprise, not just the center
As mentioned earlier, a great deal of computing and data creation is taking place at the edge of the organization – from remote workers on multiple devices and apps.
All these employees are creating data and files that have to be stored somewhere; the challenge is that there is often no official process for controlling and protecting that data. Rather than focusing on the central IT systems, the move to remote working and greater use of cloud applications means that organizations need to focus on the endpoint instead.
As we produce, access and manage data on more devices and apps within different channels from disparate locations, proactivity will be key to survival for organizations. Proactivity, collaboration and planning are prerequisites for getting ahead of the data protection and compliance curve – and staying one step ahead.