Sponsored by Chorology.ai
There is a wide gap between regulatory compliance mandates and their practical implementation and enforcement that I like to call the “Compliance Chasm”. That chasm lies between the mandate to protect consumers and the economic and operational impact compliance has on the businesses that must implement it. Finding the balance requires thought, not the more popular whack-a-mole enterprise strategy that simply reacts to each new compliance mandate.
The frequency and size of regulatory fines for non-compliance are rising. In January 2023, Ireland’s Data Protection Commission fined Meta $418 million for GDPR violations by its Facebook and Instagram properties, and followed up in May of the same year with a $1.3 billion fine for additional violations. Those were only the latest fines imposed on web giants, a list that also includes Google and Amazon.
The targets of those fines might be justified in saying compliance is an impossible task. By 2025 the volume of data created, captured, copied, and consumed worldwide is forecast to reach 181 zettabytes. Nearly 80% of companies estimate that 50%-90% of their data is unstructured: text, video, audio, web-server logs, or social-media activity.
Data is out of control
Data professionals see data volumes growing by an average of 63% every month in their companies – and nearly six in 10 organizations say they can’t keep up. As enterprise data expands, data breaches are increasing with a corresponding rise in compliance fines. More data means more data risk and therefore business risk.
Companies spend billions of dollars turning transactional data into behavioral profiles, buying and selling customers’ individual data to enhance these profiles. Better data results in better customer understanding, increasing engagement and monetization. These customer data-driven practices are “business as usual.”
That customer data and its use are of high value to businesses. Profitability depends on deep customer understanding, powered by petabytes of sensitive and anonymized consumer data in use before, during and after purchase. When compliance gets in the way of profitability, the temptation is to treat the fines as just another cost of “business as usual.” That only widens the Compliance Chasm, with almost no end in sight.
Unpredictable costs
Non-compliance has unpredictable negative effects beyond the fines. Large corporate data incidents make prime-time news headlines and spike consumer fear. Those consumers then file data subject requests (DSRs) to have their personal data removed and reduce their exposure. The increased DSR volume is expensive to process in today’s highly manual data-compliance and enterprise IT workflows.
Large class action lawsuits with big attorney fees are a growing cost center, as well. Settlement fees are substantial for attorneys skilled at weaponizing compliance mandates against public or private companies.
Governments create data compliance mandates to protect consumer privacy and keep data secure, but this “protection” comes at a steep cost. Few security and privacy compliance policies are formulated with enough consideration to minimize their impact on the businesses.
The technical and operating challenges go much deeper inside digital enterprises and organizations than most government compliance bodies appreciate. Moreover, the available security, privacy, and data-compliance technology solutions are simply not keeping up with protecting the enterprise, and therefore its customer data.
Given the risks and costs of responding to compliance mandates, enterprises are pushing back on emerging regulations. The costs from compliance implementation, enforcement, servicing DSRs, and paying regulators’ compliance fines will continue to rise, as will lost revenue from re-designing or entirely dismantling data-driven consumer services to meet current mandates. Businesses with problematic compliance infrastructure have few choices until new thinking is applied to platforms and tools to intelligently automate compliance and enforcement.
Data compliance and enforcement within enterprises is an intrusive, time-consuming, and costly process. Many enterprises have invested in narrow tools and technology platforms optimized for a single mandate, such as GDPR in the EU, which do not adequately address a different mandate such as the California Consumer Privacy Act (CCPA). Selecting the wrong compliance tools and technology platforms devastates intermediate- and long-term balance sheets, because unbudgeted investments are then required to meet increasingly complex requirements.
Compliance Without Sacrifice
There are two lines of thinking that make up the best approach for selecting compliance tools and technology to meet the mandates. First, stay informed of the evolving nature of compliance regulations and of the major data-technology trends driving business value, and select compliance tools whose core technology is aligned with these trends. Second, adopt technology, tools and practices that provide compliance assurance without compromising business objectives. Seek out solutions that ensure compliance and enforcement without costs that scale linearly with data volume, data sprawl and the number of regulatory mandates.
That second part is easier said than done. Compliance platforms of the past thirty years, mostly driven by whack-a-mole responses to new mandates, come with two major deficiencies.
First, discovery and classification functions within many platforms are still limited to known data objects such as a customer’s SSN or an address. Built for one specific mandate, these platforms were unwittingly constrained to simple data types within structured data repositories. Many legacy platforms are incapable of complex data-object discovery and classification, and cannot accurately discover data objects in unstructured data repositories.
The second major deficiency of today’s data compliance platforms is the lack of sufficiently automated compliance enforcement. Most of these platforms rely on manual processes with marginal automation. They are limited in their ability to apply the data-object transforms (masking, pseudonymization, deletion) required to enforce a mandate without sacrificing business utility. The core capabilities of these platforms were designed for a single data-compliance mandate, not for flexibility across data types, cloud or on-premises repositories, scale, or cost-efficiency across mandates. Consider, for example, a digital health enterprise that must handle the same PII under both GDPR and HIPAA. In short, legacy data compliance platforms are not “abstracted” to work efficiently across compliance mandates or across data types stored in structured and unstructured repositories, on-premises and in the cloud.
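To make those two deficiencies concrete, here is an added example written for this article. It is not Chorology’s, Vanta’s or SAS’s code and does not describe any product; it is a small Python discovery-and-enforcement routine of the kind a compliance engineer might prototype. It finds SSNs and e-mail addresses in both a structured record and a free-text note, validates SSN candidates against the issuance rules the Social Security Administration publishes (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that arbitrary nine-digit numbers are not misclassified, and then applies one keyed, deterministic pseudonymization transform to both sources so the records stay joinable while the raw values are removed. The sample record, the note, the key and all function names are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample inputs (not real data): one structured row and one
# unstructured support note that embeds the same identifiers.
STRUCTURED_RECORD = {
    "customer_id": 1042,
    "ssn": "219-09-9999",
    "email": "Alice@example.com",
    "notes": "",
}
UNSTRUCTURED_NOTE = (
    "Caller alice@example.com confirmed SSN 219 09 9999 over the phone; "
    "prior ticket quoted 000-12-3456 which is not a valid SSN."
)

# Hypothetical per-environment secret; in production it lives in a KMS/HSM.
PSEUDONYM_KEY = b"demo-key-rotate-me"

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject patterns the SSA never issues, so a nine-digit order number or
    phone fragment is not classified as an SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "email"
    value: str   # normalised raw value, used as the pseudonymisation input
    start: int
    end: int


def discover(text: str) -> list[Finding]:
    """Discover and classify sensitive data objects in free text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("ssn", "-".join(m.groups()), m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group().lower(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def pseudonymise(kind: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token. The same SSN always yields the same token, so
    rows stay joinable across systems, but the raw value is gone and cannot be
    recovered without the key. HMAC rather than a bare hash: a bare SHA-256 of
    an SSN is reversible by enumerating the ~10^9 possible values offline."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"tok_{kind}_{digest[:16]}"


def enforce_text(text: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every discovered object in unstructured text with its token."""
    out, cursor = [], 0
    for f in discover(text):
        if f.start < cursor:          # skip a match nested inside an earlier one
            continue
        out.append(text[cursor:f.start])
        out.append(pseudonymise(f.kind, f.value, key))
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


def enforce_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Apply the same policy to a structured row: known sensitive columns are
    tokenised directly, free-text columns go through discovery first."""
    out = dict(record)
    if out.get("ssn"):
        out["ssn"] = pseudonymise("ssn", out["ssn"], key)
    if out.get("email"):
        out["email"] = pseudonymise("email", out["email"].lower(), key)
    if out.get("notes"):
        out["notes"] = enforce_text(out["notes"], key)
    return out


if __name__ == "__main__":
    print(enforce_record(STRUCTURED_RECORD))
    print(enforce_text(UNSTRUCTURED_NOTE))
```

The point of the example is that the same transform is applied to the structured column and to the free text, so the token for the SSN in the database row equals the token produced for the spaced-out SSN in the support note; an analyst can still join the two, but neither store retains the raw identifier, and the invalid `000-12-3456` is left alone instead of being redacted by an over-eager pattern. Real platforms add many more classifiers, context scoring and mandate-specific policies (GDPR erasure versus HIPAA de-identification, for instance), but the abstraction is the same: classify once, then apply the transform each mandate requires.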
Companies including Chorology, Vanta and SAS are developing AI-driven compliance tools to manage enterprise data privacy, compliance, and security. These platforms automate data discovery, classification, mapping, and enforcement across mandates, data types and repositories. Data-object abstraction combined with automated data maps and enforcement lets compliance teams track and manage risk across all of an enterprise’s compliance mandates with little human intervention.
Modern compliance platforms with automated components, functions, and workflows enable a new class of efficient, highly scalable data compliance operations. These modern platforms allow compliance teams to effectively track, quantify, and mitigate enterprise risks associated with data compliance in the digital age.
With the ability to efficiently assess, manage and control data risk across compliance mandates, enterprises can increase their confidence in their data security, privacy, and compliance operations as their businesses evolve. Enterprises that employ modern, intelligently automated compliance platforms are “Crossing the Compliance Chasm”: they become more efficient and capable in responding to today’s dynamic compliance landscape while future-proofing their compliance organizations for tomorrow’s regulatory environments.
Tarique is the CEO, CTO and Founder of Chorology.