As the data privacy space continues to mature, awkwardly, we are in the middle of a shift toward data sovereignty. Local, regional, federal, and near-global laws are pouring out of new and old regulatory bodies alike. For most organizations, the alphabet soup of data privacy laws (e.g., CCPA, GDPR, LGPD) is disrupting established practices and taking a sledgehammer to existing workflows.
When will it end? Will we see one consistent and clear data privacy framework? Will we all be forced to walk over hot coals every time a new regulatory body decides to usher in new guidelines? Or will GDPR continue to be the framework that countries can build upon with their own legislation?
When we think about the evolution of data privacy standards, fueled by big data and predictive modeling, it reminds us of the evolution of the Payment Card Industry Data Security Standard (PCI DSS). An amazing new technology arrives and changes the way businesses across the globe operate. But it brings a host of unintended consequences (e.g., card fraud) that eventually have to be addressed with concrete frameworks. Unfortunately, setting standards for new technology isn't easy.
Between the point at which the new technology was introduced (in this case, eCommerce) and the moment the PCI DSS standard was created, there was over a decade of friction, confusion, and headaches.
The Spawn of eCommerce and The Spawn of Data Modeling: Two Sides of the Same Coin
Credit cards have been a payment method since the 1950s — rising to popularity in the late 80s. But, in the decade between 1988 and 1998, Visa and MasterCard had a total combined $750 million loss from credit card fraud. For context, credit card fraud losses rose to over $21 billion annually by 2015.
Credit card fraud wasn't rare in the 80s and 90s, but it wasn't systematic yet. The spawn of the internet and eCommerce caused a whirlwind of fraud activity for card processors, who would often push those losses back onto consumers and retailers. In 2001, Visa reported that online credit card fraud rates were four times those of the average card transaction. Given the rise in card fraud driven by internet-era attack techniques (e.g., trojans, keyloggers, phishing), a few of the larger card brands started pushing security standards on merchants to combat these growing risks.
When we look at the rise of big data and predictive modeling, we see a remarkably similar trend. Big data was a niche project before 2010. Large search engines like Google and B2B database providers were already processing large amounts of data, but the average business wasn’t dipping their toes into anything remotely similar to the large data lakes we have today.
As more businesses evolved their strategies to incorporate big data, threat actors began to drool over the prospect of finding a single mine filled with millions of people's personal details. Sure, eCommerce may have ushered in a new era of card theft via malware, but big data creates massive repositories of user data that can be swiped in a single attack. In 2009, threat actors exposed roughly 130 million card numbers hoarded in Heartland Payment Systems' databases. Four years later, in 2013, hackers were able to take 3 billion (yes, billion) Yahoo accounts, including names, phone numbers, hashed passwords, and birth dates.
Each year, these data threats grow. In the first quarter of 2020, hackers have breached Facebook, Lifelabs, Marriott, and hundreds of other businesses. And, like the rise of credit card fraud, standards are being developed to combat these surging threats.
A Wave of Confusing Standards
In 1999, Visa approved the Cardholder Information Security Program (CISP) standard. The goal was simple: create a global standard for credit card security to prevent breaches. But a standard can't simply be conjured into existence. And, given how unsettled the threat climate was, Visa wasn't the only company looking to set the tone for security.
MasterCard developed Site Data Protection (SDP). Discover pushed its own Information Security and Compliance (DISC) program as the de facto standard. American Express created the Data Security Operating Policy (DSOP). And JCB rolled out a Data Security Program. In other words, there was a rush to standards. All of them clashed, creating confusion, resistance, and dread for payment processors and retailers across the globe.
In fact, very few companies were able to successfully meet Visa’s CISP compliance deadline. There were simply too many standards converging on them at the same time.
This is where the data privacy space is currently operating. Every country, state, city, and public body is rushing to set data privacy standards. Like Visa's CISP standard, GDPR has created a shockwave of regulation that has echoed across the globe. And, like the early days of card compliance, businesses are feeling overwhelmed. Only 59% of organizations currently meet GDPR compliance. At the small business level, fewer than half are compliant.
It’s not necessarily that GDPR is difficult to comply with. After all, we have amazing automation and governance technology that wasn’t readily available to companies back when credit card processing standards were being introduced. The problem is the lack of a single, unified standard that companies can rally behind.
The Scramble to Comply with Data Privacy Standards
When data regulatory standards first hit the scene, it's a bit of a madhouse. With PCI, many organizations were confused about network scoping. On flat networks (or "unsegmented networks"), trying to work out how to protect cardholder data both broadly and granularly caused some serious headaches.
Of course, like GDPR, PCI standards didn’t provide step-by-step guidance on how to segment networks, install network firewalls, or build out virtualized networks to create logical partitions. Instead, their official stance was that “each entity is responsible for making its own PCI DSS scoping decisions, designing effective segmentation (if used), and ensuring its own PCI DSS compliance and related validation requirements are met.”
With GDPR, many organizations are in a different, albeit similar, boat. GDPR requires you to safeguard consumer data and honor Data Subject Requests, but the regulators aren't handing you a step-by-step guide. How could they? The data ecosystem we're all dealing with is far too complex, nuanced, and individualized for any one set of concrete instructions to fit.
So the question remains…
How do you wrangle all of your sensitive data? With so much data coming in from various points in your tech stack, finding ways to dump data into lakes, run analysis, and pull data into core systems without compromising privacy is complicated. Add a layer of regulatory oversight and a horde of Data Subject Requests to that complexity, and many organizations are bursting at the seams with data privacy pain points.
But we’ve all been down a similar road before. The solution isn’t to throw money at the problem by hiring outsourced solutions. And it isn’t to completely tear down your IT architecture. Instead, organizations should look for compatible technologies on the market (as many did with virtualization and firewalls during the early PCI days) and reframe existing policies to support more granular data control.
Businesses need to take an "as little as possible" approach to data collection without compromising their market competitiveness. Holding less data makes it easier to control and secure what remains, to scale out policies, and to fulfil Data Subject Requests.
In the short term, that means investing in the right governance solutions to help you categorize, organize, and secure data — as well as the right solutions to de-identify and secure massive data lakes. In the long-term, this means completely upending traditional policies and breeding cross-collaboration between stakeholders to bake data privacy into the core of your overall data acquisition methodology.
We know! It's difficult right now. You're going to have to take a broad approach to data privacy compliance. With a school of regulatory bodies swimming around you, data privacy has to be strict and adhere to regulation-agnostic policy matrices.
The Future: A Data Privacy Standard We Can All Rally Behind
In December 2004, PCI DSS 1.0 was released. In a landmark move, all five major card brands rallied behind a single standards framework. Today, the current 3.x revision of PCI DSS is still the standard for everyone who stores, processes, or transmits cardholder data across the globe. Businesses have a single, clear-cut path to compliance, and they can stay informed from a single reputable source.
This is the future of data privacy. As of now, businesses need to leverage advanced governance and compliance systems to help them navigate the ever-evolving world of data privacy compliance. Failure to comply with local, state, federal, and global standards can lead to serious fines and reputation damage. But given how many standards exist, businesses are forced to invest in systems early and often to avoid compliance missteps.
We know that millions of businesses are struggling with this wave of data compliance frameworks. It’s difficult. But we think this will change. Businesses will still need deeply-ingrained data governance tools, but we believe that, eventually, a single, comprehensive standard will emerge that almost everyone can easily follow.
A Data Compliance Framework for the “Now”
As a business, you probably struggle to handle this wave of data privacy regulations. You need to get compliant to reduce risks, avoid fines, and escape reputation damage, but you need a comprehensive, regulatory-agnostic framework that will help you meet broad and granular compliance standards without sacrificing your core business workflows.
We can help. OneTrust offers hyper-scalable compliance frameworks with baked-in context-based discovery tools, data subject request handling, and data governance policies. You need continuous defensibility and a finely-tuned data protection strategy. Contact us to learn how we can help you safeguard your data while complying with CCPA, GDPR, LGPD, and other data privacy standards.