A conversation with Shawna Flanders, president of Business Technology Guidance Associates

A patchwork of laws in the United States and abroad is making it difficult for companies to manage and transmit data across borders. Not only has the U.S. government been slow to enact a federal law, leaving companies beholden to 47 separate sets of data regulations from states and territories, but Europe is moving ahead with tougher data privacy laws, and other jurisdictions around the world are following suit.

Organizations are struggling to keep up with the complex set of global data privacy and security regulations, says Shawna Flanders, founder and president of Business Technology Guidance Associates and a senior instructor at MIS Training Institute. She says uncertainty about how the regulations will be enforced is also forcing companies to rethink their data governance policies and could impact how they collect and share information.

MISTI’s Joseph McCafferty sat down with Flanders at Audit World 2016 in Boston last month to discuss the complexity of data privacy and security regulation and how companies are dealing with constantly changing rules and laws.

Companies must also adhere to various rules specific to their industry. “Each industry has its own set of regulations, including requirements that are coming from the federal government and regulations, like PCI [the Payment Card Industry Data Security Standard], that are coming from the industry specifically,” says Flanders. “As a result of that, organizations are tied between what regulations they need to follow and how much time they need to take to ensure that appropriate laws are complied with.”

According to Flanders, the enforcement of data regulations is uneven and can vary dramatically. “There’s also a disconnect, even within various regulations, in terms of what depth is necessary to be followed and it’s causing organizations a lot of concern,” says Flanders.

As organizations look not only to the regulatory environment but to how they can protect their customer data, they are finding they need to be more disciplined in their practices. “Fundamental to that is ensuring that there is a good customer data privacy policy and that the data privacy policy needs to acknowledge exactly what information is being collected, how it is being collected, what information is being stored, and eventually how the information is being destroyed,” says Flanders. “And that needs to be the same whether it is something that is being held in-house or something that is being held by a third-party provider.”

Flanders says that companies need to rely on their contracts to make sure those third parties are upholding the policies they have in place, and that internal audit can play a crucial role in making sure service providers are living up to those contracts.

Another thing that is causing problems for some companies is the end of the Safe Harbor agreement, which allowed U.S. companies to move personal data from Europe to the United States as long as they followed certain rules. That agreement was ruled invalid last October, and the EU is finalizing a new data protection regulation that is likely to be far more stringent than what is in place now.

“One of the things that is going to be interesting to see is how organizations in the U.S. actually relate to the new EU regulations, the Data Protection Act, that is going to come into effect in 2018, because that is going to have significant bearing,” she says.