An absence of uniform global legislation, regulations and data privacy standards is leaving a ‘privacy puzzle’ for organisations.
The view of the Information Security Forum (ISF) is that organisations are faced with protecting the confidentiality, integrity and availability of personal customer and employee information but the range of issues affecting them is leaving them confused.
Simone Seth, a senior ISF research consultant and author of the ISF's Solving the Data Privacy Puzzle report, said: “While the changing regulatory climate has placed an increased focus on data privacy, compliance requirements can differ based on geography and industry sector.
“Some countries enact regulation at a federal or state level, while other regulations such as the UK Data Protection Act are based on legal requirements. In other cases, such as the PCI DSS for payment card protection, compliance is based on industry standards; and the problems are further compounded by the increase in third-party relationships and new cloud-based computing.”
The ISF further claimed that security controls are often seen as the solution to privacy compliance obligations, potentially leaving organisations vulnerable to process and business-related risks. Furthermore, blurred boundaries between the organisational functions of information security, compliance and privacy - where these exist separately - can make it more difficult to manage risk across the enterprise.
Despite these anomalies and challenges, the ISF said that almost all data privacy compliance obligations, irrespective of jurisdiction or industry sector, are based on fundamental principles regarding the protection of personal information.
Seth said: “The challenge to address the multiple elements of privacy compliance remains an urgent priority. Failure to comply with obligations may lead to fines, penalties, reputational damage and loss of customer confidence.”
Speaking on PCI DSS compliance last week, Amichai Shulman, CTO of Imperva, said that one of the problems is that deadlines for compliance are set by credit card companies and are not always consistent. He said: “There are some for small businesses and big companies; it is a moving target, but they would have to get there.”
He also commented that there is a budget barrier and auditors are looking at costs that are unrealistic for some businesses.