Conflicting Information About Privacy Regulations Makes Compliance Difficult

Data privacy regulations seem to be popping up everywhere. There is GDPR, of course, which seemed to get the ball rolling. According to the National Conference of State Legislatures, more than half the states have enacted some sort of data privacy legislation (the site is a handy reference for what is being done on a state level). And, as has been mentioned to me plenty of times in my discussions about privacy regulations with security experts, compliance requirements like HIPAA and PCI have been on the books for a long time.

Clearly, our attitudes are changing about data privacy and protection. That’s a good thing. The not-so-good thing is that organizations are struggling to keep up with changing regulations. A new study from Infosecurity North America found that 77 percent of U.S. senior cybersecurity executives admit that CISOs are receiving conflicting information about data privacy regulations. The rollouts of these privacy laws can be confusing, which is a reason why 35 percent said they want clear communication about the regulations and 31 percent would appreciate grace periods to make adjustments to their internal systems. That makes sense to me, as one of the things I heard repeatedly about GDPR was that no one really knew how it was going to work until it was in place for a while. So why not allow organizations to make tweaks based on real-life situations or give folks a chance to show good faith in their attempts to be prepared for deadlines?

Even though CISOs feel they are getting conflicting information, the study found that they overwhelmingly want these regulations on a federal level, with 89 percent stating that we need these regulations in place and 78 percent saying that having these regulations is driving cybersecurity in their workplace. Also, the majority of executives said that even though the information about the regulations is conflicting and confusing, their organizations have been making changes to not only be in compliance with GDPR, but also with the new state laws that are popping up. As John Hyde, exhibition director at Infosecurity North America, said in a formal statement:

With more data privacy regulation coming down the line, cybersecurity teams have already been forced to adjust. Each piece of regulation will bring its own challenges, but cybersecurity professionals now at least have the ability to gather much needed insight into the impact of changes as a result of GDPR.

Privacy regulations could actually be a boon for those who manage security service providers, because, as Channel Futures explained:

The business of compliance has become shrouded in poor communications, ill explained requirements, and unrealistic deadlines, creating potential liabilities for enterprises of all sizes. Tackling those issues, and many others which result from compliance regulation may very well take professional compliance officers to achieve, a luxury that many enterprises are ill-equipped to afford.

Somebody needs to understand how to best implement these regulations because they are only going to increase as more states — and countries — push for improved data privacy and protection.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba