By Jeffery Lauria
The wave of regulation that started in Europe with the General Data Protection Regulation (GDPR) has made its way across the pond. California’s legislature recently pushed for more stringent rules governing the use of customer data by big tech companies, and now lawmakers in Massachusetts are considering a new proposal that would give citizens greater leverage against businesses that improperly collect or use personal data.
The proposal seems at odds with the tech-friendly atmosphere that Massachusetts politicians have worked hard to cultivate as they seek to attract more startups to the region and turn it into an innovation hub. But it’s indicative of a growing shift in expectations surrounding technological privacy and corporate responsibility.
Cause for alarm
At this point, businesses should be well aware of the risks inherent in managing and storing customer data. A multitude of high-level, highly publicized breaches have shown the world the dire consequences of data mismanagement. These attacks have affected major companies in nearly every industry, impacted millions of consumers and cost corporations billions of dollars, only prompting further cybercriminal activity.
Blood testing groups Quest Diagnostics and LabCorp are two of the latest victims of these attacks. A hacker broke through the security system of the American Medical Collection Agency, a third-party vendor used by both companies, and the sensitive personal data of nearly 20 million patients was compromised as a result.
Who should be concerned
Companies that have an understanding of the data they possess and dependable management policies shouldn’t be worried about tightening regulations. Because most modern startups are born in the cloud, compliance should be relatively straightforward when new legislation comes about. These companies are likely already leveraging a secure content management system and can easily adopt one if not.
However, if company data is spread across multiple storage systems, such as on-premise hardware, software and cloud-based systems, compliance might prove more challenging. With more data storage locations comes more need for oversight to ensure said data stays secure.
While dispersed customer data isn’t cause for alarm on its own, businesses that don’t have a clear management system and don’t perform regular data audits will find themselves in violation of the terms of new legislation set to take effect in the near future. That’s a situation any company would want to avoid.
Depending on the severity of negligence and the cost of the legal ramifications that result, the consequences of violating consumer privacy laws might end up being as damaging as a breach itself, particularly because most startups are operating on extremely limited budgets.
How to stay ahead of regulations
With that in mind, here are four steps you can take to get ahead of regulations and minimize their impact on your business:
1. Stay informed of industry changes.
France fined Google $56.8 million for failing to comply with the GDPR. Despite being well aware of the law’s implications, the tech giant failed to adjust its operations and violated data privacy laws through the misuse of online customer and user data. Waiting to change proved costly for Google; imagine how damaging it could be to a startup with high overhead.
2. Conduct regular data audits.
You need to always have a firm grasp on where data is being housed and which employees are responsible for it. Your data assets might include customer relationship management software, point-of-sale purchase information, email marketing tools, company servers and other platforms. Regardless, you must have platform-specific safeguards in place to protect it.
When Marriott International failed to perform its routine cybersecurity audit, 500 million customer records were released because of the lack of due diligence. Taking the time to be thorough and perform data audits are key in understanding where your protections stand and where they need to improve.
3. Delete unnecessary customer and employee data.
Minimizing the data you store also minimizes the potential areas cybercriminals can attack and exploit. Deleting old data gives your employees a better sense of what information they need most and should regularly use.
When taxi company Taxa 4×35 didn’t delete all of its ride records, as mandated by the GDPR, it faced a fine of $180,000. It kept the phone numbers of those who used its services and just deleted their names. Sticking to data minimization regulations is critically important, as this example shows all too clearly.
4. Keep certifications and technology up-to-date.
The notorious 2017 Equifax leak was the result of vulnerability in the Apache Struts software that was part of the company’s dispute resolution portal. After employees failed to install a patch, hackers were able to break into the company’s systems to the detriment of 143 million customers.
Technology growth is changing the world, and regulations are trying to keep up. Because of this, it’s likely that more and more will be put in place. California’s regulations remain the most restrictive in the U.S. right now, but they’ll likely become the regulatory baseline for a number of places in the near future.
Consumers need reassurance and protection from the entities they trust with their data. The onus will be on companies to provide those things, and a failure to do so will prove costly. As the power of technology grows, regulators will have to keep that power as harnessed and safe as possible.
This article was first published in Entrepreneur.