The Blind Spots of Data-Regulation Compliance

Terry Ray, SVP Data Security GTM, Field CTO and Imperva Fellow, Imperva

This May will mark five years since the introduction of the General Data Protection Regulation (GDPR) in the European Union. Although not the first legislation of its kind, it represented a landmark for data protection and a fundamental shift in how businesses manage and use their data.

In its wake, we've seen a swathe of similar data-protection laws come into force—including the Digital Charter Implementation Act in Canada, the Protection of Personal Information Act (PoPIA) in South Africa, the Personal Information Protection Law (PIPL) in China, and the California Consumer Privacy Act (CCPA) (followed by similar state-level data-protection laws in the United States).

And we may only be at the start of a global wave of data-protection laws. Already, the EU is looking to build on the GDPR with further legislation such as the Data Act, while the UK government has consulted with businesses and other parties on the future of its data-protection laws post-Brexit.

There are many positives to such regulations, not least of which is that they have given citizens more control over their data. Compliance implementations, however, have created data-security blind spots for many businesses. All too often, such efforts lead to a patchwork defense system where pockets of data are monitored while others are ignored. And, as with driving, no matter how small a blind spot may be, ignoring it can lead to a huge accident.

A Prioritization Problem

Regulations that require organizations to put in place specific protections for certain categories of data do not require such protections for other categories. This disparity can, in some instances, cause security blind spots, with some data assets sitting outside of the oversight of security solutions. Sometimes these data blind spots are relatively unimportant because there is little damage that can come from particular data not being monitored, for example, marketing data that has already been made publicly available. Problems can arise, however, when data that should be protected isn't.

Consider the problem of quasi-identifiers such as gender, date of birth, or ZIP code. Taken in isolation, it would be virtually impossible to identify someone with only one such piece of information. Once you have three or more such pieces, however, it becomes eminently possible to identify a previously anonymous individual. If intruders were to access multiple such data types left in a blind spot, they could easily build up profiles of the individuals involved, with zero visibility from security teams.
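To make the quasi-identifier risk measurable, here is an added example that is not part of the original article: it computes k-anonymity (the size of the smallest group of records that share the same quasi-identifier values) over a constructed table, shows that each field alone and each pair leaves no record unique while the triple singles out most of them, and then shows how generalizing the fields restores a minimum group size. The records and the generalize rule are assumptions for illustration only.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). Each field is harmless
# alone; the combination of all three is what re-identifies a person.
RECORDS = [
    {"id": 1, "gender": "F", "dob": "1984-03-12", "zip": "94107"},
    {"id": 2, "gender": "F", "dob": "1984-03-12", "zip": "94110"},
    {"id": 3, "gender": "F", "dob": "1991-07-30", "zip": "94107"},
    {"id": 4, "gender": "F", "dob": "1991-07-30", "zip": "94110"},
    {"id": 5, "gender": "M", "dob": "1984-03-12", "zip": "94107"},
    {"id": 6, "gender": "M", "dob": "1984-03-12", "zip": "94110"},
    {"id": 7, "gender": "M", "dob": "1991-07-30", "zip": "94107"},
    {"id": 8, "gender": "M", "dob": "1991-07-30", "zip": "94110"},
    {"id": 9, "gender": "F", "dob": "1984-03-12", "zip": "94107"},
    {"id": 10, "gender": "M", "dob": "1991-07-30", "zip": "94110"},
]

def equivalence_classes(records, columns):
    """Group records by their values on the chosen quasi-identifier columns."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def k_anonymity(records, columns):
    """Smallest group size; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, columns).values())

def unique_records(records, columns):
    """Number of records that are alone in their group, i.e. re-identifiable."""
    classes = equivalence_classes(records, columns)
    return sum(1 for r in records if classes[tuple(r[c] for c in columns)] == 1)

def generalize(record):
    """Mitigation (assumed rule): keep only birth year and 3-digit ZIP prefix."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3]}

def risk_report(records, cols=("gender", "dob", "zip")):
    """Map every column subset to (k, number of unique records)."""
    report = {}
    for n in range(1, len(cols) + 1):
        for subset in combinations(cols, n):
            report[subset] = (k_anonymity(records, subset),
                              unique_records(records, subset))
    return report

if __name__ == "__main__":
    for subset, (k, uniq) in risk_report(RECORDS).items():
        print(f"{'+'.join(subset):18} k={k} unique={uniq}")
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization:", risk_report(coarse)[("gender", "dob", "zip")])
```

The same report run over a real extract tells a security team which field combinations in an unmonitored store are already enough to re-identify people, before an intruder does the join for them.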

Data-protection regulations have commonly addressed this problem by qualifying any information that could allow a data subject to be directly or indirectly identified as personal information subject to protection. But that's not the end of the story.

When Data Doesn't Fit Neatly into Boxes

Assessing which personal information should be protected and how can be relatively straightforward when it comes to structured data, for example, blood-pressure readings in healthcare organizations. Unfortunately, most data assets don't slot easily into neat little boxes.

For instance, there has long been an apocryphal figure that 80% of all healthcare data is unstructured; this includes medical imaging, handwritten doctors' notes, and everything in between and surrounding. Last year, IDC predicted that more than 90% of all data generated globally in 2023 will be unstructured.

This means that organizations face a constant challenge of having to categorize data to know whether it falls under particular data-protection regulations or not. Inevitably, some data assets will be wrongly categorized. As a result, by adopting an approach that prioritizes the protection of some categories of data over others, organizations will most likely create problematic blind spots that could hide important or sensitive information.

Everything Everywhere All at Once

To solve this conundrum, businesses should follow the Academy of Motion Picture Arts and Sciences' lead and take an Everything Everywhere All at Once approach to data protection. By abandoning selective protections for specific categories, organizations can improve regulatory compliance while also eliminating blind spots. Doing so is manageable, but in order to gain total visibility over all data assets (regardless of whether they are on premises or in the cloud and whether they are structured or unstructured), organizations need to find a single solution that can centralize data management.

This means finding a solution that is able to integrate with as many existing ecosystem technologies as possible. In particular, with so many businesses now using hybrid cloud, interoperability with the likes of AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud is essential.

Data-protection regulations have been introduced for good reasons—and it is highly likely that we will see many more come into force over the rest of this decade. Businesses have to be wary of adopting a "letter of the law" mentality, however; it's all too easy to unwittingly create security holes while attempting to be more secure. Shifting to a more holistic everything-everywhere approach not only provides superior protection but, if done correctly, can also lower the total cost of ownership for meeting regulatory obligations by enabling automation for compliance workloads—reducing the amount of resources required for operation and monitoring.

Every organization should be looking to make this shift as soon as possible because IT infrastructure is only becoming more complicated. The longer that an organization delays, the greater the chance that a minor blind spot becomes a major problem.
