NetApp CTO of Cloud Architecture Matthew Swinbourne discusses data compliance and the potential long-term impact on businesses and client relationships when avoidable breaches occur.
By Matthew Swinbourne
Corporate data policy compliance is a serious issue that affects every organization in the world. As organizations increasingly adopt hybrid multicloud to gain greater agility, the move has also led to exponential growth in both the number of locations where personal data is stored and the volume of personal data organizations hold. Moreover, digital transformation objectives often include leveraging that data to drive business growth, which heightens sensitivity around data privacy.
Some governmental institutions have responded by introducing new data privacy laws, such as Singapore’s Personal Data Protection Act and the European Union’s General Data Protection Regulation. Such policies define what personally identifiable information can be stored or accessed and where (geographically) that data can be stored, and introduce new concepts such as the “right to be forgotten”, under which a citizen can request that an organization remove all data relating to that individual from its systems.
In many cases, these policies focus on protections for data transfers within the country and across borders, that is, cases where a customer’s personal data is stored in a country other than the one the customer is from or resides in.
Currently, many organizations rely on outdated methods or have no method at all to cover their compliance obligations on the data they hold.
In a hybrid multicloud world, compliance becomes an even more challenging objective as data is now spread across many data centres and many clouds. Organizations serving customers across the globe also have the additional challenge to comply with a variety of different national and regional privacy regulations, each with their own set of rules about data residency and data transfer.
Data protection policies vary between countries, and new compliance standards are emerging rapidly across the world. Maintaining compliance can therefore be complex, as organizations need to comply with the data protection policies of both their home country and the other countries they operate in.
Historically, organizations addressed these concerns with outdated mechanisms like regular expression mapping (which maps the flow of data through applications) or other basic data identification methods. However, those traditional methods were unable to scale fast enough and became cumbersome to manage as more and more compliance burdens were placed on organizations.
Machine learning (ML) and artificial intelligence (AI) have introduced the ability to address these complex problems as they can process information and identify compliance risks faster and with more success than traditional methods.
Apart from being able to pivot rapidly and adopt new compliance requirements with very little training, ML models can, for example, identify personally identifiable information at 90 percent or better success rates, in a far shorter time and with far less human interaction than any other methodology on the market.
Potential Scenarios for Breaches
While we don’t have stats on how much companies can gain by being compliant, we are seeing that the cost of breaches is on the rise.
The financial penalties for infringements are substantial. GDPR, for example, imposes fines on a sliding scale measured against the organization’s global revenues.
Specific to Singapore, 26 companies have been fined a total of SGD 1.28 million as of August 2019 for breaching the Personal Data Protection Act (PDPA), which is a record high since PDPA came into effect in 2016.
A recent study found that ASEAN businesses lost an average of USD 2.62 million last year to such incidents, up from USD 2.53 million in 2018. The cost includes detection, escalation, notification, as well as lost business due to business disruption, customer turnover, reputation loss, and diminished goodwill.
Data breaches could also cause long-term damage such as losing market capitalization. According to a report, a data breach can cause the average share price of a company on Wall Street to fall by 7.27 percent on disclosure, with low share value and growth underperformance a reality for years afterwards.
Client implications for working with non-compliant organizations
Besides the financial implications, data privacy breaches could also lead to the loss of customer trust and subsequently, loss of business. Customers expect organizations to comply with modern-day privacy regulations and be responsible for preventing unnecessary disclosure or loss of their personal data.
Customers are now within their rights to ask a business for its data management or data privacy policies when they interact with it.
Since many companies will already have such policies in place and are likely to have some measurement of compliance against their own policy, customers (especially those covered by data protection laws such as CCPA, PDPA and GDPR) can request to see the list of personal data that an organization is storing and ask it to change or delete that data.
Non-compliant organizations could find themselves in hot water in the near future as customers may refuse to do business with them until the appropriate data privacy or compliance measures are put in place. We have seen these risks emerge recently, with government inquiries on how private data is stored on some social media platforms, and who can buy access to that data.
Market availability of compliance software
Navigating a multitude of increasingly stringent regulatory requirements in a dynamic and complex hybrid multicloud environment is no easy task.
To simplify compliance, organizations need to take a privacy-by-default approach to data storage, which can be achieved by investing in tools that provide visibility and control over their cloud-based deployments.
Such tools should help organizations map their data flows, set up a lifecycle policy for each data record in order to comply with data retention laws, effectively support right-to-be-forgotten requests, and secure and encrypt data.
NetApp ONTAP data management software, for instance, offers all these capabilities. Tools within the software include:
NetApp Cloud Compliance, which is a data mapping and reporting tool. It uses AI-based technology to help companies comply with privacy laws by generating data subject access reports automatically and accurately, identifying potential privacy violations before they happen, and providing insight into where sensitive data is stored.
Cloud Volumes ONTAP, which ensures that only the necessary data is retained. It helps reduce the storage footprint by removing redundant copies of data and by tiering data so that infrequently used data can be offloaded to less expensive storage.
NetApp Cloud Manager, which provides visibility into storage repositories across hybrid multicloud deployments from a single panel console.
SnapLock, which allows organizations to easily comply with data privacy regulations by creating write once, read many (WORM) volumes; and,
StorageGRID, which safeguards data transactions with Secure Sockets Layer (SSL) endpoints, provides encryption for data at rest, and supports read-only storage node access.
Organizations will be able to stay ahead of the game if they have the right technical and operational measures in place to comply with data privacy regulations across their hybrid multicloud, even as regulations evolve or as the company expands its business into new countries.