Frank Krieger, vice president for governance, risk and compliance at iland, discusses how cloud service providers can help plug the data privacy skills gap.
Last May marked a seismic shift in global privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
In the intervening period we have seen other countries follow suit with the California Consumer Privacy Act (CCPA) scheduled for implementation in 2020 and a raft of similar regulations on the horizon across the Asia Pacific region.
It’s clear that GDPR is just the opening act in a narrative that will result in a stricter regulatory environment to protect personal information.
Since the implementation of GDPR we have been in a honeymoon period. The frantic preparation stage has been replaced with prosecution and fines like those issued to BA and Marriott Hotels following their mega-breaches. However, we have yet to see how the UK Information Commissioner's Office will handle SMEs and public sector organisations.
The current picture: Signs of a compliance gap
In the meantime, evidence is emerging that indicates many organisations are still falling short of their data privacy obligations.
Figures vary, with some research claiming 30% of businesses are not yet GDPR-compliant, and others putting the percentage as high as 74%. A similar picture is building in the US, where only 14% of businesses are said to be compliant with the forthcoming CCPA.
The trend is clear – organisations are struggling to meet their regulatory commitments. So, what is holding businesses and public sector organisations back and creating this compliance gap?
The shortage of qualified data privacy compliance professionals can be a challenge for many organisations. This issue was widely anticipated in the run-up to GDPR.
In 2016, the International Association of Privacy Professionals (IAPP) predicted 28,000 privacy professionals would be needed to meet the GDPR requirements. One year after its implementation, they found half a million organisations have registered data protection officers in Europe, many serving multiple companies.
IAPP polled its members and found the average salary commanded by a qualified data privacy professional in Europe is just over £70,000 ($88,000). Taken together, these factors mean compliance professionals are scarce and their salary requirements put them out of reach of smaller companies and public sector organisations.
Their situation is further complicated by the fact that skilled compliance professionals who specialise in highly regulated industries command a premium price. Recruiting a professional with skills at this level is overkill for the average SME, and more than public sector organisations can afford.
How can SMEs and public sector organisations address this challenge?
Data privacy regulation is here to stay. So organisations need to find a way to navigate this new normal, ideally as cost-effectively as possible. While there’s no getting around the fact that a business must develop its own privacy policies, data management and reporting, much can be gained from delegating the burden to outside experts.
For example, most organisations now use the cloud in one form or another to store, access, process, back up and archive data.
Indeed, the public sector is now under a cloud-first mandate from central government. Cloud providers are acutely aware of their huge responsibility to keep their organisations up and running while complying with data regulations. If cloud providers want to offer services to some of the world’s most highly regulated industries, they must exceed the most stringent regulatory standards.
When it comes to GDPR and other regulatory compliance, SMEs and public sector organisations should expect their cloud service providers to deliver robust compliance with expert advice that can be applied throughout the business. They should be able to provide audit and reporting capabilities to address an organisation’s past performance as well as a continuous improvement roadmap to address evolving risks.
Effectively, by choosing a CSP with compliance expertise, businesses gain access to a wealth of specialist knowledge they can’t afford to employ in-house to overcome the skills shortage and avoid a compliance gap.
Growing complexity in the regulatory landscape
The global regulatory landscape is only going to grow in complexity as we see more examples of fines and legal action. Aside from the privacy element, the specific requirements for vertical sectors from government and healthcare to legal and finance introduce risk that businesses must address.
With 49% of board directors naming changes in the regulatory climate as their top concern, organisations need to be confident that their partners are competent, accredited, and will strengthen their compliance posture.
For CSPs, compliance expertise should be a credible differentiator. Offering compliance consultancy that complements cloud services and provides added value to customers is a distinct advantage in building the trusted relationships at the heart of successful cloud service provision.