Data Security regulations leave organizations struggling with response methods: survey
By Trudy Knockless, From Legaltech News
About 52 percent of respondents think the pending EU GDPR will result in business fines for their company, and two-thirds expect it to force changes in their European business strategy.
The global migration to cloud-based IT systems has led governments to update data privacy regulations to meet evolving data sovereignty requirements in order to protect citizen data, guard national security interests, and potentially provide a boost to local industries. However, this urgent need to protect sensitive and personally identifiable information threatens current business strategies, practices, and processes widely used by organizations that operate internationally.
A recent Ovum international survey of 366 IT decision-makers revealed that although organizations are aware that data privacy is an issue, they struggle with response methods. The survey, which was commissioned by Intralinks, showed that about 52 percent of respondents think the pending European Union (EU) General Data Protection Regulation (GDPR) will result in business fines for their company, and two-thirds expect it to force changes in their European business strategy.
Respondents also believe the Snowden effect is real, with approximately 63 percent saying they believe that the proposed EU GDPR regulations will make it harder for U.S. companies to compete, and 70 percent saying the new legislation will favor European-based businesses. The U.S. was found to be the least trusted country for respecting privacy rights, followed by China and Russia.
More than 70 percent of respondents expect an increase in spending in order to meet data sovereignty requirements, and more than 30 percent expect budgets to rise by more than 10 percent over the next two years, as a result of EU regulations. The extent of fines in the event of a GDPR violation is potentially 2 percent of global revenue, meaning billions of dollars for the world’s highest-profile companies.
It’s obvious that data privacy regulations are here to stay, leaving organizations to find a way to cut through the red tape and develop a compliance strategy which includes people, processes and technology. Business leaders are now recognizing that they need to take a balanced approach to address data sovereignty and data privacy.
When asked about investment strategies, 55 percent of those surveyed said they are planning new training for employees, 51 percent said they will amend and adapt policies, and 53 percent said they will prepare by adopting new technologies. Of those who plan to update data privacy strategies in the next three years, 38 percent plan to hire subject matter experts, and 27 percent plan to hire a chief privacy officer.
Where does cloud computing stand?
According to the report, data privacy regulations are coming directly into conflict with cloud, software-as-a-service (SaaS), and mobile computing practices within enterprises. Despite the potential impact of pending data privacy regulations, 58 percent of respondents said they trust the cloud for all business operations. So, even with the changing regulatory climate, the decision to adopt cloud computing has already been made. However, regulating cloud-held data is quickly becoming the biggest problem facing legal practitioners, politicians, and businesses as they try to balance privacy with access and productivity.
The report states that adoption of cloud computing is expected to continue to increase over the next decade. With information-intensive business processes relying on SaaS, and the shift to mobile computing platforms, controlling data location and complying with privacy regulations is now a huge challenge. About 78 percent of survey respondents said they plan to use cloud and SaaS-based applications over the next three years, even for storing and sharing sensitive and regulated data. Respondents said that cloud computing fuels productivity in modern business, connecting the entire workforce, bridging relationships between organizations, business partners, and customers, and connecting everyone socially.
In a recent interview with Legaltech News, Kunal Rupani, principal product manager at Accellion, said, “Cloud Solutions are really the way to go if you want to get started quickly and with the least amount of [capital expenditures] and [operating expenditures]. Larger enterprises are realizing that while security is a big concern with moving to the cloud, there are often several types of content that do not need the level of security offered by on-premise solutions,” such as marketing videos, product training slides and other documents.
“These don’t need to be guarded as tightly by IT via an on-premise product, particularly when compared to something much more sensitive like customer data or contracts. With less sensitive or proprietary information, enterprises have an easier decision to make when they choose the cloud,” he added.
According to other Ovum research, one-sixth of organizations’ overall IT budgets is spent on SaaS, and spending on cloud-based solutions is expected to grow exponentially throughout the coming years. About four-fifths of enterprises currently use or plan to use cloud computing across deployment (private, public, and hybrid) and service (IaaS, PaaS, and SaaS) models, up from two-thirds at the start of 2014. About 78 percent of respondents said that in the next three years their regulated and sensitive data will be present in on-premise data centers; 78 percent said cloud and SaaS applications; 73 percent said infrastructure as a service (IaaS) environments; 71 percent said mobile applications; 70 percent said platform as a service (PaaS) environments; and 66 percent said internet of things implementations.
Dave Packer, vice president of Product Marketing at Druva, told Legaltech News in a recent interview that in today’s security-demanding climate, acquiring and managing data security is becoming cost prohibitive. “It’s not a matter of just technology components but also staff time dedicated to security monitoring and anomaly detection to catch a breach and plug up holes,” he said. “Additionally with the evolution of data protection regulation globally, each region having varying compliance requirements, usually equates to companies having to set up and manage more infrastructure.”
Ovum believes that a resourcing issue is part of the reason for organizations favoring cloud computing, as organizations often have limited resources to apply the right protection to regulated and sensitive data or to prove adequate compliance if the data is held internally. “As such, data protection itself is becoming another driver for cloud adoption because customers see cloud providers as likely to ‘wrap’ the best security arrangements they can as part of the service package.”
The survey also found that many organizations fall short when it comes to applying even basic measures to protect data and meet current compliance requirements. Only 44 percent of respondents monitor user activity and have policy-based triggers and alerts. Only 62 percent have adopted role-based access controls. A little over 50 percent actually classify information assets to facilitate controls. Only 54 percent of respondents disable PC features, such as external attached drives, while only 57 percent block access to ungoverned consumer storage and file-sharing apps, such as Dropbox.
The Ovum report details key recommendations for organizations to protect, control and locate sensitive information in order to meet these emerging demands. The report states that organizations must balance business, legal, and consumer requirements as they handle personally identifiable information. Recommendations include:
- Establish a data sovereignty strategy: Organizations are not protected from responsibility because they rely on a third-party cloud provider to manage data. They must recognize this responsibility and create a strategy to react;
- Conduct a privacy risk assessment: Be prepared to change business processes to meet regulatory demands;
- Include people: Educate the workforce; and
- Start discussions now: Vendors should be able to answer questions about logical and physical data location, and have service contracts that also give legal flexibility.
For more on this story go to: http://www.legaltechnews.com/id=1202745836905/Data-Security-Regulations-Leave-Organizations-Struggling-with-Response-Methods-Survey#ixzz3vjAElf00