It has been quite a year, and not just because the world has been knee-deep in a pandemic. While most of us have started working remotely, our businesses have been faced with new challenges. From keeping our employees safe to keeping our information secure, here’s what we noticed in the compliance world during 2020. We also have some upcoming predictions for 2021.
In case you missed it, there were some big compliance regulation updates in 2020. Here’s our short-and-sweet version for you.
Invalidated Privacy Shield
In July 2020, an EU court declared Privacy Shield, an agreement between the US and EU allowing for the transfer of personal data, invalid. Privacy Shield was intended to let US companies, or EU businesses partnering with US companies, meet GDPR requirements. In short, the EU decided that the US is not a safe haven for EU citizens’ data due to disproportionate surveillance practices. This means US companies can no longer use Privacy Shield as a framework for processing data.
Implications from the ruling
Our first 2021 prediction: US organizations will need to prepare for a Privacy Shield replacement. The court did not provide details on a grace period for businesses that currently rely on Privacy Shield for data transfers. EU data regulators are willing and ready to work with the US on a replacement framework. We predict a new framework to safely transfer data should be ready to implement in the coming year.
California passed a new privacy act. The act builds on the previous legislation, CCPA, by giving it more “teeth,” as our compliance architects like to say. Called the California Privacy Rights Act (CPRA), it adds new requirements for businesses under its purview.
It’s important to note that CPRA immediately established an independent enforcement agency, the California Privacy Protection Agency (CPPA). This agency will be enforcing CCPA regulations before the CPRA comes into effect in 2024. This leads to our next 2021 prediction…
Regulation Penalty Enforcement
GDPR fine enforcement is slowly rolling in, with Twitter paying €450,000, Google getting a $120M fine, and Amazon hit with a $42M penalty. Financial institutions reached $10.4 billion in fines and penalties related to AML, KYC, data privacy, and MiFID regulations this year. It’s been a record year for compliance-related fines and penalties; however, GDPR fines have largely been considered too weak compared to the penalties laid out by the regulation. We don’t see those punishments going anywhere in 2021.
Privacy will be a 2021 theme
Before we move on to industry updates, we want to dwell on privacy. With CPRA being voted in, Privacy Shield being overturned, and the ethical implications of health data in a pandemic, we’re faced with a lot of turmoil. As we see track-and-trace mobile applications heading to the app stores, talk of vaccination “passports,” and digital COVID screening, personal health information is already a hot topic. We expect this conversation will continue to evolve.
As we know, compliance isn’t simply a matter of putting a badge on your website. Your customers and employees want to know that they are protected by sound information security infrastructure. Compliance best practices are undergoing some changes.
Here’s what we’ve identified as big movements in the industry from 2020, and what you should expect in 2021.
Investor and partner compliance scrutiny
Maybe you made the choice to tackle SOC 2, ISO 27001, PCI DSS, or any number of other compliance frameworks this year. You likely decided it was time to get compliant because of pressure from investors, partners, or potential customers.
With penalties being enforced at higher rates and the cultural ramifications of data breaches having serious consequences, investors are even more likely to examine compliance. It’s not going to be enough to just get a certification. Businesses will need to show their risk mitigation and an above-satisfactory audit to get money in their pockets.
Will FedRAMP be the new SOC 2?
Compliance is continually playing catch-up to tech. The banking industry led the charge to popularize SOC 2 compliance beginning in 2013, and it has since spread across industries. This is largely due to increased security concerns that arise as the tech industry promotes new products and services in the cloud. Our founder and compliance expert, Eva, expects that the next compliance wave will be led by the federal government.
With the high-profile and high-impact data breaches in 2020, via SolarWinds, VMware, and Microsoft, the federal government is overdue for compliance enforcement. If you’re not familiar with FedRAMP, it is the Federal Risk and Authorization Management Program. Government agencies, cloud providers, and authorized vendors use the FedRAMP framework to ensure a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Crisis planning and business continuity
Now more than ever, we know to expect the unexpected. In the compliance world, that means mitigating risk for your business through crisis and business continuity plans. As our clients ask for advice on how to handle breaches stemming from SolarWinds, Microsoft, or VMware, we cannot emphasize this enough: regularly maintain your compliance framework.
Your information security framework builds crisis management and business continuity planning into your business. Maintaining compliance over time implicitly means adjusting your crisis planning as needed.
As much as we all want to hope that 2021 will solve all our pandemic problems, we’re living in a brave new world now. We think that cybercrime, in the form of Advanced Persistent Threats from funded hackers or government espionage groups, will most likely continue. This takes us back to FedRAMP, and to a number of compliance frameworks that handle information security. If you handle sensitive information, security and privacy frameworks are even more pertinent to mitigate risk.
Remote working security controls
If your employees have been working remotely since March and you have yet to hold a security awareness training, it’s overdue. Remember when bad actors “bombed” Zoom meetings? Sending intermittent communications to employees to “watch your screens” probably isn’t enough.
We (boldly) predict that remote working won’t go away anytime soon. With gig work and freelancing on the rise, it’s important to include your part-time employees or freelancers in your compliance expectations. Keep them in mind when it comes to classified information and security awareness.
The pandemic accelerated trends in a data-driven world, and many businesses committed to a permanent remote workforce. This only increases the need to invest in compliance, but don’t wait for a crisis to strike. The compliance community is keeping its sights on information security in an even more digital world.