According to Deloitte, 55% of organizations say their compliance culture is based around a “Can we?” rather than “Should we?” attitude, pointing towards a new mindset that focuses on building a more proactive and positive compliance culture. For multinational enterprises, it is particularly important to ensure compliance with global privacy regulations to meet legal obligations, protect customer trust, and navigate the complexities of operating across the globe. In a global economy, customer’s data privacy is a growing concern, making it crucial to adhere to privacy regulations by demonstrating a commitment to data protection.

Narendra Sahoo is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm. He holds more than 30 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services.  

In the 15th episode of the NextLabs Cybersecurity Expert Series, we sat down with Narendra Sahoo to discuss how to ensure compliance for global multinational enterprises that are subject to a variety of privacy regulations. He covers the common challenges faced in achieving and maintaining privacy data regulatory compliance and shares some recommendations on how to ensure compliance with a variety of privacy data regulations. 

Read his insights below or watch the full Q&A video on our YouTube. 

What are some common challenges organizations face in achieving and maintaining compliance for privacy data regulations? 

That’s an interesting question because almost all the companies that we see regardless of the budgets, regardless of the size, have their own challenges. 

And of course, a humongous amount of data like an enterprise might be having. So, it really hits the roof. If I list out a few of those challenges, primarily it would be limited resources, siloed data, the lack of strong leadership, poor data quality, and context.  

So, from how the data has been collected, how it is maturing, what is the purpose. So many times, the focus is more on collecting as much (data) as possible, then we’ll see what to do with it. And of course, the lack of data control. Most of the companies, large companies, would just be backing up data because erasing the data after the retention period is over is much more lend and painful. So, that’s again a violation of the data privacy standards and the difficulty in embedding data privacy into the organizational culture. So again, the problem is basically the merging of confidentiality and privacy. These are two separate points. 

And then, managing privacy across diverse platforms so they would be having a billing system, a HRM system, a sales management system, all of which has data. So, these are all privacy related data, and they need to be protected. And that’s where privacy across diverse platforms becomes a major issue because with the amount of data being increased in organizations, the maintenance cost of the data also goes to the roof.  

Then, we have access control complexity. So, who’s going to do what? When? Again, it’s not about confidentiality alone, there are many other things, so who’s going to have access? What about your third-party processors; would (they) have access to the data? Why do they need to or have access to the data? What if there is something that goes wrong with them with the data over there? Because now the repercussion with privacy is very high compared to a typical normal data breach. And of course, the insufficient visibility. 

As my last point, the insufficient visibility into data moments and usage because privacy data has not been considered anything beyond confidentiality. So, why are we collecting this data? From whom are we collecting this data? That’s what privacy is all about; User consent is what privacy is about. 

The ability of people to be able to change the data, download the data, update their data, delete their data. These are the parameters that were unheard of, unthought about and when you don’t know also where the data is, and how the data is being managed. Especially in large enterprises, it makes things very, very painful and therefore, to overcome these challenges, a very comprehensive approach, very strong leadership, adequate resources, (are all) very, very important. And then of course, commitment to embedding privacy principles into the organization culture is very important and crucial. 

Thank you for sharing these common challenges. Do you have any recommendations for global multinational enterprises on how to approach ensuring compliance with a variety of privacy data regulations? 

Recommendations. Yes, there are quite a few recommendations. Let me summarize it up for you. So many things to be said, especially for larger multinational organizations on how to approach and ensure compliance for this myriad of data privacy standards.  

It’s very, very important to know the regulation because it’s not just privacy per se because the importance of privacy say HIPAA, GDPR, it is different. If you look at DPPA in India is different. Of course, the base principle will never change. But then again, what is the standard talking about and what is the impact on your organization is very important. So, know the regulations. 

So, before you do anything read the standard. This is something on legal requirements. It is not just a standard, like an ISO or a PCIDSS. These are all regulations, and the repercussions on the government would be phenomenal. 

So, you really need to know the standard. And even after knowing, without an expert’s insights, because they have been dealing with the standard. Work with people who know this standard very well and are able to let you know and even advise you on what to do. In case there are some issues in your organization, and then of course, (you need to) set up a data governance program. This is not a one-time thing; this is not something that you can just do once and get audited on GDPR or HIPAA or something and get it over with. There has to be a data governance program and then invest in new technologies because something like DLP is very important for you. It’s not just about confidentiality and stuff like managing the data in your organization. Managing user consent, managing your policies, you would need technology for that, especially if your volumes are high and it might seem a bit expensive initially. 

But take my word for it, it is more than worth it over a period of time because no matter how many people you hire, it’s never going be as reliable or versatile as technology. And then train your team. They are used to just managing technology or looking at just security with confidentiality, integrity and availability. 

Privacy requirements are different, so know the standard and train your team. And then practice their data minimization because as I’ve seen in many organizations is that they keep the data for what I don’t know. 

Same thing. I advise very strongly for organization. We don’t need a particular set of data beyond a particular amount of time, get rid of it and then appoint a DPO Data Privacy Officer. That’s something answered. I would like to share with you that as a Data Privacy Officer, their role is dedicated to overseeing the entire data privacy initiative in the organization. It’s more than worth your time and money. And even if you’re a high tech CISO or a CIO, it’s simply not possible to manage privacy, especially in an enterprise and then have regular audits.  

And then one of the key areas in data privacy is with regards to the security of the data subject rights. So that’s where you need to have clear policies for the data subject rights. So, how are you going to collect the consent. How are you going to let them know why the data is being collected or what the data is being collected for? How long will it be retained? How can they make changes to it? How can they erase the data?  

And then, have an Incident Response team. This is the base for any privacy requirement. So, in case there is a breach, and you don’t have an Incident Response Management system in place, the repercussions of penalties are really going to be terrible. 

So, it’s okay if there is a breach. But if you don’t have incident identification in the incident response plan it is going to be very, very difficult. So do take care of looking into these areas as we have highlighted. Your approach needs to be tailor-made as per your organization’s requirements. So, I hope that helps. 

Great recommendations.  

Thank you so much, Narendra. 

This concludes Episode Fifteen. Stay tuned for Episode Sixteen where we will cover how to achieve a secure software supply chain. Watch previous episodes of NextLabs’ Cybersecurity Expert Series to learn more about other important cybersecurity topics such as Data Security, Ransomware and Zero Trust Architecture (ZTA).