June 7, 2018

Recapping the Compliance Summit: Data Privacy & Security

Last week, Clearsight Advisors hosted its inaugural Compliance Summit at the Pierre Hotel in New York. As the landscape of regulatory requirements has expanded across industries, the Clearsight team has identified key themes and innovative companies that are leading the market in delivering comprehensive solutions to their clients.

We brought together a diverse audience of private equity investors, strategic acquirers, compliance solutions vendors and practitioners/CCOs to highlight the issues and solutions that are shaping the evolution of this unique market and were delighted to host Petar Besalev (Director of Cyber Risk and Privacy, A-LIGN), who moderated a conversation between Robert Bond (Partner, Bristows LLP), and Rob Tate (Vice President, PossibleNOW and CompliancePoint) on data privacy and security.

Given that the General Data Protection Regulation (GDPR) went into effect May 25th, our session was both timely and spirited.

What is the primary difference between small and large companies as they go to comply with GDPR?
Rob Tate summarized that “regardless of the type of organization, the spirit – or hope – of GDPR is that people do the right thing.” As with many regulations, GDPR is not prescriptive in terms of what companies must do to comply, but is more focused on underlying principles. Whereas larger companies will be economically incentivized (e.g., avoidance of fines) to maintain compliance, smaller companies can derive clear ROI by selling their compliance as a differentiator relative to competitors who have not taken the same measures to protect their clients’ data.

Regardless of company size or approach to data privacy & security, the panelists agreed that practicing data governance is a great preventative measure and a valuable housekeeping exercise. Says Robert Bond, “A lot of businesses don’t know what data they’ve got and where it is. If data really is the oil of the internet, they don’t want a gusher.”

How will enforcement of GDPR affect US businesses?
Many US businesses are operating under the belief that they will not be directly impacted by GDPR. This is a slippery slope, as agreements between the US and the EU are already in place and the FTC and its counterparts in Europe have synced up to work together. Both Bond and Tate agreed that ‘people power’ will ensure that enforcement does not go unnoticed or unmitigated by the C-suite; as such, they will be careful to allocate internal resources accordingly.

Where is the money in compliance? In breach investigations? In technology that tracks locations and exchanges?
Looking beyond the large firms that have existing compliance and data security functions, processes, procedures, programs, etc. – not to mention legal counsel – you’ll find that the vast majority of companies are lagging behind or are adopting a “wait and see” approach. Ultimately, with the growing dependence on cloud services (public or private), all businesses – large or small – need expert advice, implementation support, third-party risk management, and education.

Very often, we don’t know where to start or what to prioritize when approaching new regulation: our panel speakers closed the session by telling the audience to understand their third-party vendors by asking the five Ws and one H.

Regulators don’t currently have the resources to enforce adherence to every regulation on the books, so companies should be able to demonstrate that they take compliance seriously and are invested in data protection. Companies that care about data privacy and security likely already have some sort of structure in place, or in process, to support what will inevitably become compulsory in the US.