Simplifying data compliance regulations
- Posted on July 31, 2017
- Estimated reading time 4 minutes
With IT security and privacy now highly visible concerns among stakeholders, the CIO of an organisation has the unenviable task of understanding and enforcing the myriad compliance and governance regulations that may apply to the IT operations he or she is responsible for. This is especially relevant now: in the last couple of years alone, at least three countries in the APAC region (Japan, China, and Australia) have updated their privacy regulations, which hold companies accountable for failing to protect the private information of their customers and employees. Governments and statutory bodies across the world have put numerous privacy, security, governance and compliance rules in place; although these rules may seem to hinder operational effectiveness, they are in fact intended to protect the organisations that must follow them.
The Payment Card Industry Data Security Standards Council (PCI-SSC), for example, recommends a comprehensive list of protective measures so that customers' credit card information is protected and is used only for its intended purpose, viz., payments for goods and services. Although the data security standards listed by the PCI-SSC are not mandatory in many cases (small merchants and service providers are not required to validate all controls), they protect both the customer's credit card information and the organisation holding it from severe potential liabilities.
Challenges of working with different organisations
When IT operations that include the handling of critical data are outsourced, the CIO's responsibilities double: they must confirm which compliance regulations apply to their own organisation and decide how they can entrust their critical data to a third party. In such cases, it is understandable that most CIOs would rather run their own shop than go through the tedious process of checking every IT outsourcing supplier's terms and conditions.
As I work with various compliance regulations across the globe, I see a few common elements that apply to most:
- Take reasonable process-related and technical steps to protect critical data. These steps range from standard hiring practices to having good information security policies in place.
- Use the critical data only for its intended purpose. While this seems straightforward enough, imagine an organisation using your customer data to gain insights for itself so that it can target your customers with ads, and so on.
- Securely destroy the data on their systems when the project or contract is completed.
The list above is in no way comprehensive, and many regulations expect far more rigour in IT operations. However, the list is a common-sense approach to security and compliance. Some regulatory bodies have an auditing process that awards a certificate, while others take a vetting approach, checking compliance before any data is placed on the intended systems. Still others publish a list of recommendations and may only confirm compliance after something goes wrong.
Risks of non-compliance
The bodies that propose these regulations are also amending them to require prompt notification of any data breach. This exposes the organisation to potential fines, lawsuits, and, most importantly, loss of reputation.
In October 2016, the details of blood donors in Australia were left in an insecure computer environment and accessed by an unauthorised person, resulting in a data breach. Since the operations of the Australian Red Cross Blood Service depend on privacy-conscious individuals, those individuals will think twice before agreeing to share their information faithfully with the service. (ARCBS has since apologised and is working with the Australian Cyber Security Centre to secure its operations.)
Yahoo's shareholders lost a record $350 million during the company's sale process after Yahoo admitted to two separate breaches of its users' details. The potential losses due to breaches are real and huge!
What you can do to avoid data risks
Understand that IT compliance regulations are set up to protect your organisation. Ignoring them means penalties, the risk of losses through security incidents, and risk to your brand. I recommend that you:
- Check for IT security compliance regulations that apply to your industry and geography.
- Reach out to Avanade through your client executive to set up a discussion about how seriously we take regulation and your IT security.
- Visit the Avanade Trust Center to review our security capabilities.
As with all complex matters, engaging in conversations will help provide clarity. Inaction is, unfortunately, not an option.