Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are just the most visible tips of a giant data privacy iceberg bearing down on data center users.
"There are roughly 120 countries now that are signed up to a data privacy regulation," said Darren Mann, VP of global operations at Airbiquity, an automotive telematics company that operates data centers in Europe and pays a lot of attention to these laws.
Airbiquity doesn't handle sensitive personal data such as voting preferences or medical histories. "We deal with things like vehicle registration numbers," Mann said. "But the GDPR ruled that device identifiers can be classified as personal data. And, obviously, if we're dealing with location-based services, we would be collecting location-based data."
To minimize its privacy exposure, the company discards transactional data immediately in most cases. "One of the best practices for GDPR is to only hold the data as long as you need it," he said. "And if we do maintain data, we obviously encrypt it, and only hold it as long as we have the contracts with the OEMs."
Meanwhile, another iceberg is closing in -- that of attackers looking to break into company networks, applications, and data stores. Fortunately, systems and processes data center users need to put in place to deal with the privacy regulations won't hurt cybersecurity efforts.
"I would say, personally, it's helped," said Mann. "It's obviously caused additional effort and work, but I think it's all for the best."
Corralling the Data
The general idea behind today's data privacy laws is that companies need to collect only the data they actually need about their customers, track where that data is located, protect that data, and be ready to delete it on demand.
None of those things are bad for cybersecurity. In fact, they're great.
"I'm glad this is happening," said Adam Kujawa, director of Malwarebytes Labs at the San Jose, California-based security company Malwarebytes. "It does make it easier to secure information if you know where it is."
Hopefully, he said, the new privacy rules will help reduce the number of breaches.
The large fines associated with the new privacy regulations won't hurt either, since companies will have more incentive to invest in identifying, classifying, and protecting data.
"I think it's a great thing for cybersecurity," said Kujawa.
That doesn't mean change will happen overnight. "It may take a few years before we see the benefits of these privacy regulations," he said. "But I hope it really drives innovation in finding new ways for keeping data secure."
When Privacy and Security Clash
There is one area in which better privacy can result in worse cybersecurity, and that's when companies want to deploy intelligent security tools.
Systems that spot suspicious user behavior, for example, or monitor traffic for data exfiltration need data sets for training. Tight privacy regulations mean they either have to work with the limited selection of training data not covered by the rules or get consent from people to use their data, said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
That can get in the way of building effective systems, he said. "Data loss prevention from a data center is one use case where the privacy of the documents transferred over the network makes it harder to build a more effective security solution."
Operationalizing Privacy and Security
Many companies have policies in place to track their data. But the CCPA requires companies to respond to consumer requests about their data within 45 days, and the GDPR allows just one month.
A small company might be able to handle such a request manually, but larger firms will have to automate this process.
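As an added illustration (not code from Airbiquity, Integris or the article), the following Python module implements the lifecycle the article describes: transactional data is discarded on ingest, records are held only while a live OEM contract covers them, and consumer access and deletion requests are answered from a single place. The contract register, the OEM names and the VIN-style device identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass(frozen=True)
class Record:
    device_id: str       # vehicle/device identifier, personal data under GDPR
    oem: str             # manufacturer whose contract justifies holding the record
    location: tuple      # (lat, lon) from a location-based service, also personal data
    transactional: bool  # raw per-request data that is never persisted

@dataclass
class PrivacyStore:
    """Holds records only while the OEM contract is live; erases on demand."""
    contracts: dict      # hypothetical contract register: oem -> contract end date
    records: list = field(default_factory=list)

    def ingest(self, rec: Record, today: date) -> bool:
        """Store rec only if it is not transactional and a live contract covers its OEM."""
        end = self.contracts.get(rec.oem)
        ok = not rec.transactional and end is not None and today <= end
        if ok:
            self.records.append(rec)
        return ok

    def _keep(self, pred) -> int:
        """Retain only records satisfying pred; return how many were dropped."""
        kept = [r for r in self.records if pred(r)]
        dropped, self.records = len(self.records) - len(kept), kept
        return dropped

    def purge_expired(self, today: date) -> int:  # retention limit: contract has ended
        return self._keep(lambda r: today <= self.contracts.get(r.oem, date.min))

    def erasure_request(self, device_id: str) -> int:  # consumer deletion request
        return self._keep(lambda r: r.device_id != device_id)

    def access_request(self, device_id: str) -> list:  # consumer access request
        return [{"oem": r.oem, "location": r.location} for r in self.records if r.device_id == device_id]

def demo() -> dict:
    today = date(2020, 6, 1)  # constructed sample data: two OEM contracts, one already ended
    store = PrivacyStore(contracts={"OEM-A": date(2020, 12, 31), "OEM-B": date(2020, 3, 31)})
    stored = [store.ingest(r, today) for r in (
        Record("VIN0001", "OEM-A", (47.6, -122.3), False),
        Record("VIN0002", "OEM-A", (47.6, -122.3), True),   # transactional: dropped
        Record("VIN0003", "OEM-B", (47.6, -122.3), False),  # OEM-B contract ended: refused
        Record("VIN0004", "OEM-A", (47.6, -122.3), False))]
    held = store.access_request("VIN0001")
    erased = store.erasure_request("VIN0001")
    purged = store.purge_expired(date(2021, 1, 1))  # OEM-A contract now over
    return {"stored": stored, "held": held, "erased": erased, "purged": purged, "left": len(store.records)}
```

Running `demo()` walks one identifier through ingest, access, erasure and the contract-end purge; a production version would add an audit trail of what was dropped and when, so the response deadline can be evidenced.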
"For a large organization that's managing petabyte-scale data, as most organizations are, this is incredibly important," said Kristina Bergman, founder and CEO at Integris Software.
Today, most companies are still using surveys or spreadsheets to track sensitive data. Plus, those surveys and spreadsheets may easily miss some data stores, such as file shares, and may not be granular enough to meet privacy compliance guidelines.
According to a recent survey by Integris, 77 percent of companies use manual processes to track sensitive data.
Changing these processes will require a lot of work, she said, and companies should put together cross-functional teams to do it. Data center managers need to be involved, along with business data owners and experts on compliance, privacy, governance, and security. "They need to work as a coordinated team to understand what the company's risk profile is," she said, "and to work on how to operationalize those policies."
For data center managers and data processors, the new privacy regulations may also create business opportunities, said Bergman.
For example, data center operators could offer services to help their enterprise users – or external customers – to track, classify, and manage their data lifecycles.
"My hope is that a lot of the data processors out there will start to look at it as marketplace differentiators," she said. "I think it would be a fantastic product to resell to your customers."
That's been the case for Airbiquity. "It's given us the potential for new features and opportunities in our product set," Mann said. "We can give the ability to the customer (the manufacturer and the end consumer of that vehicle manufacturer) full control of the data being collected. That's certainly a good thing."