Debunking Common Data Compliance Myths (and How to Streamline It)

Published 2023-03-29 (last modified 2024-02-05) at https://jumpcloud.com/blog/confusion-data-compliance
The phone rings.

A woman on the other end of the line speaks in a high-pitched voice. After a few minutes, Sherlock Holmes hangs up the phone and turns to his colleague Dr. Watson.

The caller’s job involves handling copious amounts of data while navigating ever-evolving regulatory requirements. With so much conflicting information and very little time before her SOC 2 audit, she requested the dynamic duo’s help deciphering fact from fiction.

“So, where do we begin?” Watson sighs.

“The elementaries, my dear Watson… The elementaries.”

And that is exactly where we will begin this article as well.

What Is Data Compliance (and Why Does It Matter)?

Data compliance is the practice of ensuring that information collected, stored, and used by organizations is accurate, secure, and in compliance with relevant laws and standards.

These standards vary depending on the industry and the jurisdiction in which the organization operates. Data compliance is crucial for organizations for several reasons.

Now, let’s clear up some common points of confusion regarding data compliance.

Data Compliance: Separating Fact from Fiction

1. Data Privacy Regulations Are Synonymous with Data Compliance

The public conversation around data compliance — even when led by those with a fairly solid grasp of what it includes — tends to focus on data privacy.

These discussions often leave an unknowing audience with the impression that data privacy is synonymous with data compliance. While data privacy definitely forms a huge part of data compliance, it is only a subset of it. Aspects of data regulation include:

Data Storage

Data regulations and standards often stipulate guidelines on how data must be stored. For example, the PCI DSS requires that organizations store credit card data with encryption in place. Several organizations’ internal policies also include full disk encryption policies for data at rest, and complying with these is a core part of being data compliant.

Data storage regulations may also include how long data may be stored. For example, Article 5(1)(e) of the GDPR mandates that personal data must not be kept in a form through which the data subject can be identified for longer than is necessary for the stated purpose of collecting the data.

Access Control

These are policies and regulations that determine who has access to specific data within an organization. Access control may be implemented in different forms, but most are geared toward preventing credential abuse and ensuring that only authorized personnel get access to data.

Data Privacy

Data privacy regulations outline how personal data can be collected, processed, and stored. Data privacy requirements typically involve obtaining consent from users before collecting personal data, informing them of what you’re going to do with their data, and notifying them when there’s a breach.

Data Security & Protection

Data security standards require data controllers to take adequate steps to prevent internal and external actors from tampering with data. Depending on the industry, these standards may vary, but they are based on general security principles. Examples include encrypting data in transit and authentication protocols such as two-factor authentication.

Data protection standards, on the other hand, require data controllers to take steps to create safeguards against data loss. This typically involves having a data backup and recovery system in place.

Legal Requirements

These are any other standards that are specifically applicable to the organization or type of data in question. For example, the Sarbanes-Oxley Act requires organizations to ensure that their financial reports are accurate and devoid of misrepresentation, while the Gramm-Leach-Bliley Act requires financial institutions to implement safeguards that protect customers’ personal information.

Verdict: Fiction!

2. Data Compliance Is a Costly Affair

A 2017 report by Ponemon Institute LLC indicated that compliance with data regulations set firms back by an average of $5.5 million. That’s nearly a 55% increase from its $3.5 million cost in 2011.

These costs aren’t surprising given that organizations often make significant outlays for the tools and technology needed to ensure compliance. They also need to train employees on compliance policies and procedures, which can be time-consuming and expensive. In some cases, they may even hire additional staff to manage compliance, adding further to the cost.

According to a 2022 report by Thomson Reuters, organizations can expect that increased regulatory requirements, coupled with increased personal liability of compliance officers, will add to their current compliance costs.

Be that as it may, it’s helpful to look at the brighter side: these costs are far less than the cost of noncompliance. The Ponemon study showed that the average cost of noncompliance with data regulations was $14.82 million in 2017, a 58% increase from its cost of $9.37 million in 2011. And that’s speaking only in economic terms; reputational costs are more difficult to quantify and put in monetary terms.

Verdict: Fact! Though noncompliance is a far more costly affair.

3. Perfection Is Required to Pass an Audit

The requirements of a compliance audit depend on which standards or regulations the audit is based on. Generally, though, a data compliance audit will aim to examine who has access to what, check event logs, and confirm that information is accurate and up to date.

Contrary to what many believe, auditors are not out to fail organizations. Most auditors understand that perfection is almost impossible, especially given that data regulations themselves are not always clear and are sometimes even contradictory.

For example, the Payment Services Directive 2 (PSD2), applicable in the European Union, permits the sharing of customer information in a bid to improve competition in the payment sector, which may technically amount to a breach of the GDPR.

Given these realities, auditors are more interested in seeing organizations prioritize the most essential requirements. For instance, a SOX audit is more concerned with ensuring the accuracy of financial reports and the integrity of internal control requirements than with seeing organizations implement data storage requirements to the letter.

Thus, organizations can focus less on the elusive goal of achieving perfection and more on developing a long-term strategy toward achieving compliance with regulations. This involves examining where processes need to be improved and sharing plans with the auditors on how this will be done within a reasonable time frame.

Verdict: Fiction!