ESG analysts discuss managing compliance and data privacy
Data privacy and compliance programs are considered mature in most organizations, but the landscape is changing as new regulations and distributed environments make things more difficult, according to a new study on the state of privacy and data compliance from Enterprise Strategy Group (ESG), a division of TechTarget. ESG analyst Vinny Choinski, who covers data management, data protection and data governance, surveyed 304 IT and business professionals from mid-sized and large enterprises in the United States and Canada who are familiar with their organizations' compliance and data privacy programs.
Companies understand the importance of meeting compliance obligations and plan to invest accordingly. The research found that most organizations plan to increase their spending on privacy technologies over the next 12 to 18 months. At the same time, with regulations multiplying and compliance audits becoming more frequent, companies should be aware that the costs of non-compliance can be extensive, including legal fees, recovery costs and penalties.
The amount of sensitive data transferred to public clouds is expected to double over the next two years, yet more than half of respondents said they believe significant portions of the sensitive data stored in public cloud services are not sufficiently secure. Respondents also attributed data loss in the public cloud to human error and unintended actions, as well as to the increase in remote working.
Watch the video to learn more as Choinski and ESG Practice Director Christophe Bertrand talk about managing compliance, governance and data privacy from an IT perspective.
Christophe Bertrand: Hello, I am Christophe Bertrand. I'm joined by Vinny Choinski, senior analyst at ESG, who focuses on intelligent data management and data governance. So, Vinny, thank you for joining me in this conversation today. I would like to know your definition of data compliance, data governance and data privacy. What does this mean from an IT perspective?
Vinny Choinski: When you talk about IT and IT operations, I consider data governance to be the highest level of all of it. I think compliance and data privacy are components or elements under an overall heading of data governance.
I think you’re looking to ensure that you’re managing risk with compliance and that you’re handling personal information properly. There’s a lot going on. There are a lot of regulations coming fast and furiously. Many of them are at the state level in the United States, or at the provincial or regional level. I think customers themselves want to deal with companies that they can trust are handling compliance and their personal information properly.
Bertrand: Businesses are interconnected; it's a big ecosystem in the economy, by definition. So compliance matters. When you think about it from an IT point of view, pragmatically, what are you talking about? Are we talking about storage, software, SaaS? What does this involve?
Choinski: All of the above. Your business application may contain data. Initially, when people moved to SaaS, they thought data protection was already covered. But in fact, this is not the case. And just as you need to protect the data you put into SaaS, you need to manage compliance for the data you put into SaaS. So just as you regularly have on-premises computing, servers, extensions and applications, you have storage, you have SaaS, you have cloud. In fact, the cloud is becoming a big destination for a lot of sensitive data. And in fact, 52% of the people we surveyed said the cloud makes compliance, managing compliance and meeting your obligations more difficult.
Bertrand: It’s also very interesting because of the critical and massive amount of data that’s being created, and it never seems to stop. Let’s take a look at the state of the market. Based on your research, where are organizations today in terms of readiness and maturity for data governance, privacy, and compliance?
Choinski: We recently did a survey. I think a lot of the initial comments were about programs that had been in place for a while and programs that were in the traditional data center. We have had a lot of positive feedback. Many programs, or the majority of programs, have been in place for over six years. Many people have invested in data compliance officers. I think 80% is the number for data compliance officers. And a good majority of them have been in place for more than a year. They've been in place for a while, and I think they've done a good job so far in terms of compliance management, regulatory management and privacy management.
However, now we're starting to see a new dynamic: the remote worker, the data is distributed, it's going to the cloud. This puts stress on the environment. In fact, there is data loss happening right now with data being moved to the cloud. I don't think any compliance officer would have said that in an environment that was an on-premises type solution of the past. So while we're getting a pretty good picture right now, I think the constraints are starting to show up in existing programs and the new environments are starting to cause problems.
Bertrand: It seems like we're really in a market that, even though it's sort of established and people have developed best practices in IT and are using technologies that seem to work to a large extent, at the same time is about to move into its next phase with a lot of unknowns. So, thinking about what you're seeing here and with this next phase coming, are there any recommendations you would give to IT pros? Maybe give us your top three recommendations. What three things or initiatives should they consider when thinking about data governance?
Choinski: I'm really excited to see the data compliance officer on the board, because I think a lot of people involved in compliance or governance programs want to see C-level sponsorship, especially IT people. And I think they want visibility to reach that level. Programs begin to be managed from the top down, responding to business needs.
First, it is important to have good leadership at the top, in the C-level and in IT. Two and three are having visibility into your infrastructure and then having an understanding of cloud architecture. So when you move data to the cloud, you can move your policies and procedures and enforce them. I think when environments become distributed, that's important.
There's one last element; I think it probably came up with the pandemic and people working remotely. A large number of people who are full-time employees have access to sensitive data in their organization. They may not have access to everything. But as regulations get tighter, I think you have to look at who has access to the data. Investing in personal information management tools should actually go beyond security in general.
Bertrand: We've talked about a lot of things here: privacy, compliance and, in the context of governance, IT infrastructure, including on-premises and in the cloud. Looking ahead three or four years, what do you think the architecture for successful governance will look like? Will it be further integrated into cybersecurity processes? Will it merge with data protection? Will it focus more on data analytics? What is your point of view?
Choinski: Well, I think analytics are important, whether they come from security or data protection or simply data management. I think data management plays a key role. And they need to make sure they are managing their data properly. Now, this could extend to an organization's legal department and compliance department. In fact, we see many of the most successful programs come from people who have been involved in records management over time in the organization. They apply those sound policies. I think the key is having the right policies in place and then understanding if you have any gaps in your technology, whether it's data protection, data management or security, and then how they all fit together as a whole.
It's another key part of having a compliance officer in place: to be kind of the point of reference inside the organization, looking at it from a holistic, top-down perspective, across all components.
I think we're going to have a little trouble with distributed environments for a while. Then, as people start to get a handle on how they're handling this and start enforcing their good policies, we should come back to the point our initial survey showed: that things are looking good, that the programs have been in place for a long time, that there are privacy offices in place, things like that.
Bertrand: Awesome. Well, thank you very much, Vinny, for joining us.
Choinski: It was a pleasure.
ESG is a division of TechTarget.