RSA: ‘End Of Business As Usual’ On Compliance

Recent developments in data protection legislation and enforcement measures add up to a new and more hostile compliance landscape for companies, which demands a new way of thinking about compliance, according to a study from the RSA-backed Security for Business Innovation Council.

The report’s recommendations to businesses include taking action to influence legislators in order to keep data protection rules from growing too strict.

The tightened enforcement of existing regulations through expanded powers, higher penalties and harsh enforcement actions, as well as tougher legislation coming down the pipeline, mean “the end of business as usual”, according to the study, titled “A New Era of Compliance: Raising the Bar for Organisations Worldwide”.

Compliance nightmares

“Regulators are moving away from light-touch to more interventionist regulation,” said Stewart Room, a partner at the Privacy and Information Law Group of Field Fisher Waterhouse LLP, a data protection expert and guest contributor to the report. “As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.”

The study highlighted the upcoming overhaul of the EU Data Protection Directive, which is expected to include not only increased enforcement but also requirements around breach notification. Plans for the overhaul are due to be published by the end of this year, the European Commission has said.

Recommendations for strengthening enforcement include providing data protection authorities with full powers for auditing, halting data processing and engaging in legal proceedings, according to the study.

The study also focused on the increased powers given to the UK’s Information Commissioner’s Office (ICO) in April, including the ability to hand out significant fines, conduct compulsory compliance assessments and the potential to impose civil monetary penalties on data controllers.

Massive data breaches

Legislators are escalating information protection mandates due to a steady stream of massive data breaches and the resulting public outrage, according to the study.

“Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle,” stated RSA president Art Coviello.

The study made a series of recommendations, including building a programme that gives everyone involved in the handling of sensitive information the resources needed to make risk decisions; creating a consistent set of controls across the enterprise mapped to regulatory requirements and business needs; and moving away from “boilerplate” security agreements toward more comprehensive third-party strategies.

The study also recommended that organisations make efforts to influence legislators to ensure that regulations avoid overly-prescriptive rules.

The council includes executives from JP Morgan Chase, T-Mobile USA, eBay, ABN Amro, BP, Nokia, FedEx and others.

In April the European Commission warned the UK government that it would take legal action over data protection failures related to the Phorm behavioural ad targeting software used by BT.

Matthew Broersma


  • After reading the report, one key fact jumped out at me: The move toward stricter compliance will require a new approach to assessing and mitigating risk in near-real time. It will no longer be enough to evaluate your risk posture once a quarter or when compliance audits roll around. Instead, organizations will need to adopt an infrastructure that allows them to continuously evaluate risk. That means automating the monitoring and enforcement of controls so all levels of the organization, from IT to executive management, know who is doing what and that network events aren't negatively impacting business objectives.
