With new regulatory frameworks on the horizon, compliance has never been higher up on an organization’s GRC agenda. With this in mind, Continuity Central asked various experts for their thoughts on how compliance might evolve over the year ahead…
Legislated resilience
In both the UK and the EU, Government authorities are getting serious about operational resilience. For example, “the Digital Operational Resilience Act (DORA), focusing on ICT risk management in the financial sector, was passed at the end of November 2022”, notes Jakub Lewandowski, Global Data Governance Officer at Commvault. “Brussels also kicked off work on the Cyber Resilience Act that will introduce mandatory cybersecurity requirements for manufacturers and retailers of products or software with digital components”.
This has been a change from the previous EU regulations, in which compliance centred around protecting customer personal data from bad actors. There is now a new emphasis on protecting the digital infrastructure so that these bad actors can never reach sensitive information in the first place.
Asha Palmer, Senior Vice President of Compliance Solutions at Skillsoft explores this theme, predicting that: “In 2023 we’re likely to see the increasing digitisation of compliance. Compliance has long lagged behind other areas on this front, with tight budgets and an unwillingness to alter ‘tried and true’ methods stalling the process. However, as new generations move into the sector, change is coming”.
Palmer continues, suggesting that “areas likely to be high on the compliance radar next year are AI, data protection, supply chain, and ESG. With the use of AI rising rapidly, discussions around ethical AI abound. How we develop AI, how we use AI, how we consume AI, and how we monitor the use of AI are all questions with hard answers that we see being debated daily and will have to make significant progress on in the coming year”.
“We are likely to see high-profile cases of hefty fines for those financial institutions that fail to successfully demonstrate their ability to recover from stressed events”, adds Gary Lynam, Director of ERM Advisory at Protecht. In order to avoid this, “it is well advised to get ahead of the game in building accountability and tolerance against potential operational disruption, not only to meet incoming new legislation but to be ready for potentially disruptive events that could be on the horizon”.
By starting to prepare early, David Tattam, Chief Research & Content Officer and co-founder of Protecht expects that “businesses will start to realise the tangible benefits a holistic actionable view of risk provides. Smart businesses will track a measurable baseline of risk efficiencies over time, in line with their profit and returns strategy, to demonstrate the ROI of their risk management program”.
Some legislation may have complicated and far-reaching impacts. Lee Biggenden, COO and Co-Founder of Nephos Technologies has noticed that “there are ongoing discussions in the European Union about open data platforms which, if passed, could revolutionise how data is used, shared and owned. Anticipated to come into force in 2023, it will have a huge impact on businesses who will need to put the controls and visibility in place over their data regardless of what industry they're in. Although on paper this may seem like a step in the right direction, it does raise concerns about personal privacy as third-party data sharing is a key part of the proposed act. We are all guilty of clicking privacy boxes without reading the full terms and conditions”.
Biggenden also suggests that “this law gives little thought to the actual people whose data is being shared, although it claims to give ownership back to the citizen. There should absolutely be a mandatory law about using data without consent, especially those who are under the age of 18. With the boom of TikTok and other social media apps amongst the younger generation, many of whom are barely teenagers, we need to protect them from data profiling – this is what the government should be prioritising in 2023, rather than ways to share their data for profits.”
UK-EU: Compliance across borders?
GDPR is a concept that most Brits will understand, but as Alev Viggio, Director of Compliance at Drata points out, the period of adjustment between compliance with EU regulations and the new British Data Protection Bill (once passed into law), will be confusing. She notes that “the challenge here is this can create confusion and complexities in any compliance program, especially when considering the consequences of fines and violations if they fall out of compliance. Managing this manually facilitates the chances of human error, so implementing compliance automation can vastly simplify the process for following data protection rules and understanding the overlap between various regulations to avoid redundancies."
However, it’s not just the European continent that is bolstering its legislation. “Gartner predicts that, by 2023, 65 percent of the world's population will have its personal privacy covered by modern Privacy Regulations”, explains Vicky Withey, Head of Compliance at Node4. “Lawmakers will continue to enhance privacy rights and set legal precedents whilst regulatory bodies continue to monitor and impose fines on organizations that breach data subjects' rights. As a result, there has been a significant increase in IT consultancy services in the public and private sectors to support data strategy through digital transformation and meet customers' needs who want more products and services delivered online. Data security is paramount to ensure data confidentiality, integrity, and availability; thus, businesses continue to increase their dependency on systems and IT services to protect data.”
Don’t wait - get secured!
Gal Helemski, CTO and Co-founder of PlainID notes that “there is a growing trend to provide advanced data access controls that are identity-aware, dynamic, fine-grained and governed by policies”. Rather than wait for legislation to dictate how you protect your workload, “I encourage data owners to think of identity-first security as part of their data access control strategy and to research their options. This is crucial for securing the organization's most important asset, its data”.
