Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Data Has Borders: The New Rules of Compliance
Quick Take
Data compliance isn’t just about protecting information anymore — it’s about understanding where your data lives, how it moves, and how to stay compliant across borders. On this episode of Compliance Unfiltered, the CU guys chat about how, with regulations evolving faster than most organizations can keep up, knowing the difference between traditional data security and the new legal landscape is crucial.
This episode uncovers why geographic location, data sovereignty, and continuous visibility could make or break your compliance efforts in today’s complex data environment.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Todd Coshow:
Welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the honey in your compliance chamomile tea, Mr. Adam Goslin. How the heck are you, sir?
Adam Goslin:
I’m doing great today, Todd. How about yourself?
Todd Coshow:
I can’t complain. As always, we want to invite the folks to reach out and let us know your thoughts.
If you have recipes to share, show suggestions, and favorite stories about your compliance hurricane, we’d love to hear all about it and give us a shout out.
Adam Goslin:
Especially the stories about compliance hurricanes, generically, of course. We don’t want anybody violating any NDAs or anything along those lines.
But if you can generisize it and share your pain, there may very well be things that people are experiencing that others are as well. So both the pain and any insights, oh my God, yeah, that’d be great.
Todd Coshow:
Absolutely. Reach out at [email protected].
Well, Adam, today we’re going to talk about data. That’s right, the rules have changed. And I think it’s important that we have a chat about it.
Does your company actually know where all of its data lives right now? Tell us more about this.
Adam Goslin:
There’s a lot of organizations that don’t really. They got a general idea, etc., but they couldn’t put their finger on, “This data’s here and that data’s there, and these are the processes.” It’s extremely complicated.
There’s a lot of organizations that, quite frankly, haven’t put all of those pieces together. It’s certainly an onerous task for any organization.
Todd Coshow:
There’s definitely a shift in data regulations. Fundamentally, what is changing in data compliance right now?
Adam Goslin:
It’s not just about securing. A lot of people historically would think about protecting their environment and making sure they’re in compliance with fill in the blank, and just about protecting whatever it is that they’re responsible for protecting. That’s morphing.
It’s turning more toward where is the data, how is it being used, who accesses it, for what purpose are they leveraging it, etc. There are a lot of rules, regulations, really legal agreements between organizations that govern the data access and usage. So it becomes very important to organizations to be able to have their finger on that pulse, if you will.
Todd Coshow:
Why is geography suddenly so important?
Adam Goslin:
Data is subject to the laws of the country or regions where it resides. There’s different rules and penalties. You’ve got agreements that you’ve made with different organizations. So there’s a myriad of layers that play in, but certainly where it’s at plays into it as well.
Some organizations care about where their data resides, aka what country. Some don’t. So it gets extremely complicated very quickly, if you will.
Todd Coshow:
That makes sense. What is driving this?
Adam Goslin:
Globally, privacy laws have been popping up. We’ve been seeing it just in the US. In the US, we’ve got certain states that decide to put out certain edicts around privacy laws. California, namely, was the lead in terms of privacy law within the US. But the minute that they did it, now you’ve got different data and privacy laws picking up from different states within just the United States, let alone when you take it up to a federal level within the US.
There’s other rules. Once you get international, countries have their own. So it’s a landscape that’s getting really complicated. It’s starting to remind me a lot of some of the complications that organizations would have with breach notifications. There were organizations that specialized in breach notification because of all of these layers of complexity.
You bring it from the US stage to the international stage. Well, now you’ve just multiplied the number of intersections by freaking magnitude because now you’re dealing with both country-level regulations. Maybe there’s even sub-regulations from within different subsections of the country. So there’s a lot that goes into it.
Todd Coshow:
There certainly is. Now, for the uninitiated, what is data sovereignty in simple terms?
Adam Goslin:
Data needs to comply with the laws of the jurisdiction where it’s stored or processed. So there’s a premise that you, as an organization beholden with data, are going to do so in a legal fashion, and that means that you need to understand the rules and regulations of where you’ve got it and/or where you’re processing it.
Todd Coshow:
That makes a lot of sense. How is that different from traditional data security, though?
Adam Goslin:
A traditional security and compliance program is going to be protecting data and information from breaches and inappropriate access to the data, things along those lines, making sure that only the right people have access to the right information and basically protecting that environment.
Where the sovereignty side of it really looks at legal ownership, control, and location of the information, which is what a lot of organizations will have integrated into their various agreements with the people that are provisioning the data to them.
Todd Coshow:
Why are regulators pushing this so hard, is the nice way to say it.
Adam Goslin:
The regulators are trying to do their part to make sure that governments, and both at the government level and as well as organizations, are maintaining control over sensitive citizen and consumer data.
They’re looking at it in a couple of different regions. Everybody’s got to put their own spin on it, have their own rules and regulations on it, etc. But like I said, this landscape is starting to get astronomically complicated.
Todd Coshow:
Why is this so difficult for organizations to make?
Adam Goslin:
Just think about it. You’ve got a myriad of different systems that you use as an organization. You just look at an atypical organization’s vendor control, if you will. Every time I’m adding a new vendor into this mix, what’s this vendor doing and what are they gaining access to? You’ve got data that’s moving across clouds, vendors, regions, systems, etc. You’ve got a lot of moving pieces and parts here.
Additionally, for the organization proper, and I’ve alluded to it a couple of times in this discussion, every time that, as an organization, I sign an agreement with a particular company, there very well could be things that are included within those legal agreements that put me on the hook as well. So it’s astoundingly complicated.
Todd Coshow:
It certainly sounds that way. Do most companies have visibility into their data locations?
Adam Goslin:
No. Those that aren’t focused on that, most of them are lacking a clear real-time notion of where their data resides. The risk that plays in here is that the organization, just unintentionally, is violating regional laws. They’re leading up to fines, legal exposure, reputational damage, etc. So it’s really on the organizations to get their arms around it.
I think, in a lot of ways, organizations that are just contained within the US actually have a lot easier time of it because all they gotta worry about is the federal laws in every state and jurisdiction that decides to put data privacy laws in the law and layer all those in. But that’s why I say that it’s easier, because the minute that I go international, now I’ve got a whole different realm of things that are coming into play.
Todd Coshow:
You certainly do. Now, changing gears a little bit, how are consent requirements involved?
Adam Goslin:
Companies need to clearly define and document why are we collecting data, what is it being used for, how is it being used, who has access to it, etc. Once those things are defined, guess what? Now, I got a rule set that I need to go ahead and live up to.
It means that these organizations need to really start, if you think about it, if they’re really going to start into this, they need to gain a firm assessment of what exactly are they dealing with now so that they can justifiably put pen to paper and confirm those elements.
Todd Coshow:
What happens if data is used outside its original purpose?
Adam Goslin:
At that point in the game, now I’m triggering compliance violations, and it could be that the data is not even breached. But because of the fact that I’m not handling this data in an appropriate manner in accordance with the legal agreements that I’ve signed, now I’ve got data compliance violations, even though I wasn’t suffering a breach.
The reality is that regulators are expecting a higher level of transparency here. Companies need to be able to not just speak philosophically to how we’re doing stuff, but they really need to be able to get themselves into a position to prove it out. How was data actually accessed, actually used, and shared, etc.? So that’s a different world, if you will.
Todd Coshow:
Definitely. Now, in terms of new things, what are regulators really asking organizations to prove?
Adam Goslin:
They want them to prove out where is the data living, who specifically has access to it, why it’s being used, what was the original intent behind it, and what is it actually being used for, etc. Which really underscores the importance of the access controls within the organization, since if I have unauthorized or unnecessary access, then that too could fall into some form of a compliance violation, despite the fact that you haven’t had a breach. All of these elements really play in, if you will, in the grand scheme of things.
Organizations really need the capability to be able to demonstrate traceability of the data across the lifecycle and improve their capabilities for auditability. It’s a bigger problem than a lot of these organizations are really taking seriously.
Todd Coshow:
Why are point-in-time audits no longer enough, I guess, is the standard question that you’re going to hear asked.
Adam Goslin:
If you think about it this way, I could go with a point. Let’s just take a week, right? It would go Monday to Friday. If I went in and took a look at it on Monday, I’d go, “Okay, everything’s cool Monday.” Didn’t see anything right at that time that was happening, etc. But if on Tuesday, there was a whole bunch of things happening that shouldn’t have happened, but then I come back on Wednesday again and I do another point in time, well, guess what? Now I just missed the activity that was occurring Tuesday.
It’s really on the organization proper to be able to go in and have their finger on the pulse of where this stuff sits, who’s accessing it, what they use it for, things along those lines. Data’s dynamic, and the compliance needs to reflect those real-time conditions, not just snapshots.
You really want to be moving toward a mode of continuous monitoring of the data locations and movement with real-time access tracking, automated capabilities for automated reporting and audit trails.
I’ve seen organizations, I’ve been in that position of needing to respond specifically to, “Who touched this, and when did they touch it?” I’ll tell you what, you don’t want to get one of those requests coming in when you’re like, “Ah, ah, ah.” It is astronomically difficult. If you’re trying to pull all of this together in some form of a manual sense, it’s a nightmare.
Todd Coshow:
Absolutely. From an automation standpoint, is it truly necessary now?
Adam Goslin:
Yes, automation is really rearing its head at this point in the game. We were just talking about if I had to go through and try to piece all of this together in some manual process, there’s no possibility that you can keep up, in general, with the scale and complexity of these modern data environments.
You’ve got to have something, some type of a tool that can help and assist track, manage, report, etc., in a more automated fashion. I would almost look at it like central logging system or whatever. Could I pay Bob to go in and review all these logs that are streaming in from these hundred devices? Sure, Bob could sit there for eight hours and scour what’s coming in. But you’re going to have a bunch of issues with that. You’re going to have limited coverage. You’re going to have human error in the mix. There’s no way in hell that Bob can keep up with this, and just the sheer capability of having access to the information and data so that it’s even plausible to report on it. It’s really leaning in a direction of automation needing to come into play.
Todd Coshow:
Parting shots and thoughts for the folks this week. Got them?
Adam Goslin:
Yeah, this is a complicated arena. I’ve tripped through it in a couple of different ways. But one of the things that everybody’s used to having is their data flow diagram. Just envision the data flow diagram coming down to systems and data level.
The other piece is, and this happens to a lot of organizations, if I just started my company last week, guess what? Now I can go ahead and drop in all of the controls that I need and everything’s nice and pretty and clean. I have a chance of keeping it that way. Well, that’s not the reality for most organizations.
For most organizations, they’ve been up and running and serving customers over some period of time. In some cases, that period of time could be decades. One of the first questions in my mind’s eye would be starting off with some analysis of what is it that we’re beholden to.
Beholden to will come out of the intersection of what information data do we have, where is it flowing to, from, being stored, processed, where, etc. Do we have all of the right and appropriate agreements in place? Where is all that stuff happening, and what rules and regulations do I need to follow there? In addition to reviewing all of their legal agreements for the organization, that’s another layer that they’ve got to piece in.
I would view the commencing of this process as going to be a lot of discovery, a lot of data collection, information gathering, and then trying to get arms around, “Okay, now what do we want to do with this?”
There may be opportunities for the organization to do some streamlining as well. Maybe they find that, “You know what? We really don’t need to be sharing this information with these people, and it makes our life simpler.” Whatever it may be. Anywhere that you can find opportunities to mitigate the streaming of the data, places it doesn’t need to be, and whatnot, the better that you can do a job of that, then the easier your overall management of the problem becomes.
Todd Coshow:
And that right there, that’s the good stuff. That’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
Adam Goslin:
And I’m Adam Goslin.
Todd Coshow:
I hope we helped to get you fired up to make your compliance suck less.