The world is experiencing a major season of change these days, and nowhere is this more visible than in the field of commerce. Companies today are evolving their business models to meet new challenges, one of which is having to comply with a growing number of regulations that are popping up everywhere. Many of these new regulations have to do with safeguarding consumer data privacy rights, and businesses that fail to comply with such regulations face increasingly burdensome penalties in different countries. To get a better understanding of what's going on in this area, where things are happening, and when we can expect more regulations to appear, I recently sat down with Zak Rubinstein, chief executive officer and founder of 1touch.io, a U.S.-headquartered and Israeli-based technology company providing automated real-time discovery, mapping, and tracking of personal data flows.
MITCH: Why are so many regulations that tech companies need to comply with being put in place these days at various levels of government?
ZAK: Like most of us, the government has seen how tech companies, from conglomerates to small online retailers, collect massive amounts of information on their customers. They use this data for marketing efforts and to understand customer behaviors, with the end goal of increasing revenue. In recent years, consumers have started to understand the critical nature of limiting the sharing of their personal data, and this increased awareness has led to the establishment of new regulations targeted at putting the brakes on data misuse and over-collection.
MITCH: Which ones do you feel are most important for e-commerce businesses to comply with, and why?
ZAK: CCPA and GDPR are the most far-reaching, as they apply to any business that collects data on more than a specified number of California and EU residents, respectively, and are thus the most critical. But there are some others that should be considered as well, such as Brazil's LGPD, which affects any business that collects data on Brazilian citizens.
MITCH: Do some of these regulations contradict one another or otherwise make it difficult for companies to comply with them?
ZAK: In general, privacy regulations share one goal: protecting consumers and empowering them with rights over their own data. Though these laws have differences, they generally do not contradict one another. One case in which laws do perhaps "contradict" each other involves GDPR and the EU's PSD2. GDPR insists upon the limited sharing of information such as the banking data of EU citizens. PSD2, on the other hand, requires the open sharing of customer banking data to facilitate the adoption of new and innovative payment technologies. While it's possible to fulfill both requirements at the same time, it can be challenging without clear visibility.
MITCH: What further regulations do you see coming on the horizon?
ZAK: In the near future, we know we can expect to see new state-level regulations, many of which will apply to all businesses, regardless of where they are located, as long as they collect data on citizens of the particular state. We already know that New York's proposed regulation, NYPA, aims to be even more limiting than CCPA. Washington State's proposed regulation, SB 5026 or 2021 WPA, is actually much closer to the EU's GDPR in structure and rights to be granted. This bill has twice failed to get passed, but it has been introduced again, and senators are hopeful that the third time will do the trick.
MITCH: How can tech companies stay on top of all these regulations?
ZAK: The key to consistently meeting all regulations in a sustainable manner is with continuous data discovery and mapping -- of all the data that businesses hold, no matter where it resides in their systems; whether it's structured (the easy part, right?) or unstructured, known or unknown, or in transit or at rest. Making sure that data is accounted for regardless of any other factors is critical to being able to consistently adhere to all privacy regulations.
MITCH: How can a business assess whether they are properly complying with all the various regulations out there that they need to comply with?
ZAK: This is where governance, risk, and compliance (GRC) tools and then discovery and mapping tools come in. GRC tools help organizations streamline compliance and perform audits in order to determine their blind spots. These tools help organizations stay up to date with regulations. These are usually subscription-based tools, making it simple to switch providers if the one you've chosen does not meet your needs. But these tools need data to be discovered for them. For this, they need to integrate with a discovery and mapping tool that will continuously locate all data, regardless of where it is in your network.
MITCH: Is there anything else you'd like to say about this subject for our readers?
ZAK: Compliance and adhering to regulations (especially when they seem to be in a constant state of flux) can seem like a daunting -- if not impossible -- task when viewed as just another thing to cross off your to-do list. But the time has come for businesses to stop viewing this restoration of each consumer's elemental right to privacy over their own data as a burden and instead adopt a privacy-by-design stance.
Businesses have grown accustomed to the idea of commoditized personal data while ignoring the human behind each data point. The new and upcoming regulations are giving businesses a much-needed opportunity to fix those wrongs and move forward in a manner that provides the deep insights that can only be extracted via data collection while respecting and upholding the right to privacy of each and every consumer.
MITCH: Zak, thanks very much for taking the time to chat with us about this important subject.
ZAK: You're welcome.