In 2018, compliance standards are changing in industries all over the world. The compliance requirements themselves are difficult enough to follow. The existence of big data is complicating things even further.
Michael Overly, an attorney who has talked extensively about big data compliance issues, wrote a post that discusses the challenges.
The challenges of [big data] compliance with this ever-increasing morass of laws, regulations, standards, and contractual obligations can be overwhelming… Even if no personally identifiable information is at risk, businesses have obligations to implement appropriate security measures to protect other highly sensitive information relating to, for example, their trade secrets, marketing efforts, business partner interactions, etc. All too often, businesses become fixated on a single tree or branch in the forest of laws, regulations, standards, and guidance and fail to appreciate, or even see, other nearby trees and their relationship and, certainly, seldom step back a sufficient distance to gain an overall view of the compliance forest.
This post was written in 2015. The issues have become more challenging in just the last three years.
Here are some big data compliance questions that will need to be answered.
New tools use big data to help with compliance
All new standards need to be written with the nuances associated with big data in mind. Fortunately, new tools leverage big data to solve these challenges.
Most people writing requirements come from a document perspective but everyone wants to manage requirements at the information level. This creates a mismatch between form and substance. Smart Docs from Modern Requirements4TFS bridges this gap.
Modern Requirements4TFS is a very creative requirements management tool that seems complete and also very user-friendly. For example, Smart Docs can be used to create requirements specifications where work items can be created implicitly. It also features Trace Analysis, Baselining and Review Management, with FDA-compliant e-signatures, to support the regulatory reporting efforts of its global client base.
Will the GDPR be a catch-22 for brands subject to other regulations?
The European Union enacted the GDPR this past month. This new law was written to ensure the privacy of European customers was protected. It requires brands to notify customers about any data that they are collecting. They must delete data whenever these customers request it.
There are a couple of problems with this law. First of all, complying with it alone will be very burdensome and expensive for many large brands. Many organizations collect data on hundreds of thousands of customers every month. Processing data deletion requests is going to be much more burdensome than regulators anticipated when they drafted the bill.
The cost and hassle of complying with the GDPR may not even be the biggest concern, despite the fact that it has received the most attention so far. A greater concern may be the possibility that complying with the new data protection law could force organizations to violate other laws. Many other regulators in Europe, the United States and other regions have policies that actually require brands to keep track of customers' information for a variety of reasons. One of the biggest reasons is to prevent fraud. They want to make sure that organizations and law enforcement can trace IP addresses and other data to combat cybercrime. If criminals request that organizations destroy evidence of their activities through the GDPR, the organizations that are compelled to comply with the request may have no choice but to violate another law.
New unstructured data sources may not be properly anonymized
Most companies are required to anonymize the data they hold. They are not allowed to keep personally identifiable information about their customers or other stakeholders.
In the past, it was easy to meet this requirement. In 2018, things are much more complicated. Organizations collect data from a number of different sources. A lot of this data is unstructured. In order to properly anonymize it, brands need to use tools such as Hadoop to extract the data, identify any types of data that may be personally identifiable and replace them with the right anonymization tokens.
This process can be a lot more difficult than many people expect. It may be enough to keep organizations from collecting data from certain sources that are too unstructured.
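The identify-and-replace step described above, as an added example in plain Python that is not from the original article or from any tool it names. The regex patterns, the HMAC-based token format, the key and the sample records are all assumptions made for illustration; keyed tokens keep the same value mapped to the same token, so records can still be correlated after scrubbing.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed demo key (assumption); a real job would load it from a secret store.
DEMO_KEY = b"constructed-demo-key"
# Assumed, non-exhaustive patterns for PII that shows up in free text.
PATTERNS = {
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample records, not taken from any real system.
SAMPLE = [
    "2018-06-02 login failed for jane.doe@example.com from 203.0.113.7",
    "ticket 4411: Jane.Doe@Example.com reports crash in build 10.4.300.1",
]

def is_valid(kind, value):
    """Filter look-alikes such as version strings that resemble an IPv4 address."""
    if kind == "IPV4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return False
    return True

def make_token(kind, value, key):
    """Keyed, deterministic token: the same value and key always map to one token."""
    msg = kind.encode() + b":" + value.lower().encode("utf-8")
    return f"<{kind}:{hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]}>"

def anonymize_line(line, key=DEMO_KEY):
    """Return (scrubbed_line, counts_by_kind) for one record of unstructured text."""
    counts = {}
    for kind, pattern in PATTERNS.items():
        def repl(match, kind=kind):
            value = match.group(0)
            if not is_valid(kind, value):
                return value  # leave non-PII look-alikes untouched
            counts[kind] = counts.get(kind, 0) + 1
            return make_token(kind, value, key)
        line = pattern.sub(repl, line)
    return line, counts

if __name__ == "__main__":
    for record in SAMPLE:
        print(anonymize_line(record))
```

Pattern matching only catches PII with a recognizable shape; names and free-form addresses in unstructured text need other detection methods, which is part of why the process is harder than it looks.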