Former California Gov. Gray Davis signs a financial privacy bill at the Pacific Stock Exchange in 2003 in San Francisco, California. The California Consumer Privacy Act is among the regulations that will force new data security standards for companies. (Justin Sullivan/Getty Images)

In a new report on governance, risk and compliance (GRC), Forrester advises top security officials that they have to prepare for more regulations around privacy and personal control over data, especially when it comes to handling medical data during the pandemic.

According to the report, General Data Protection Regulation authorities are rapidly increasing their enforcement activities, with in excess of 190 fines and penalties issued since the European Union regulation went into effect in 2018. Many national and local governments around the globe have implemented their own laws based on the GDPR, such as the California Consumer Privacy Act (CCPA).

Forrester analysts add that during the pandemic, employers everywhere have taken measures to ensure their workforce’s health and safety, and that includes collecting an unprecedented amount of employee health-related data. The increased awareness of privacy, in conjunction with firms’ increased collection of employee data, supplies the ingredients necessary to make employee privacy the next regulation battleground.

Shawn Wallace, vice president of energy at IronNet Cybersecurity, said more GDPR and CCPA-style regulation could be coming to the United States.

“Nobody actually reads the ‘Privacy Agreement’ that comes with downloading a new phone app,” Wallace said. “They just click the ‘Acknowledge’ button having no clue how their personal data will actually be used. This is where regulation will step in. At the same time, heavy fines will come with unintentional loss of personally-identifiable information.”

Companies need to reevaluate GRC policies

The Forrester GRC report goes on to say that because technology moved at an accelerated pace during COVID-19, over the next five years, companies will have to reevaluate their GRC policies to mitigate data integrity risks, respond to emerging technologies that fuel customer wants and needs, and identify new risks to customer and employee sentiment. They can do so by following these steps:

Reconsider how the company categorizes and measures risk. Often, companies measure risk in silos such as legal, regulatory, financial, and security risk. Measuring risk that way leaves companies blind to other risks, such as risks to customer experience, employee experience, intangible assets, and tangible assets. Risk pros have long struggled to translate what they do in risk management into what the business cares about. Start by creating indexes on what the company measures. By collecting the controls that apply to customer experience, risk managers can easily translate for C-level stakeholders how risky current practices are.

Acknowledge that systemic risk applies to every company. Because of its wide breadth and extremely long timelines, systemic risk never feels urgent or like something talked about regularly inside security or risk teams. Make systemic risk – for example, the underlying risk that led to the 2008 financial crisis or the current pandemic – a part of the company’s day-to-day conversations; otherwise it will never get addressed. By bringing systemic risk into their regular risk conversation, risk managers can prepare the organization for the inevitable, or for what may never occur. Existential risks are hard for humans to prepare for because the threat seems so unlikely. Risk managers must show the rest of the organization how systemic risk impacts them every single day under a number of different circumstances.

Use simulations to practice the business continuity plan. Sixty-eight percent of executives, directors, and innovation knowledge managers say that making their firm more resilient has become a high or essential priority. Unfortunately, only 23% of purchase influencers feel very confident that their organization’s business continuity plan will end up meeting their needs during the COVID-19 pandemic. Additionally, the most common once-a-year tests for business continuity plans are plan walkthroughs, at 75% of firms, and tabletop exercises, at 69%. Only plan simulations will help the company test the speed of its response to unexpected incidents. Include plans that test third parties to ensure the company has the right balance of just-in-case supply chains and is not too reliant on just-in-time supply chains.

Position corporate sustainability as a risk mitigator. Sustainability efforts mitigate reputational, legal, market, regulatory, and technological risks associated with the global transition toward a low-carbon economy. Microsoft’s voluntary adoption of an internal carbon price gives it an edge against competitors in the more than 40 countries and more than 20 cities with carbon pricing, and better positions it to succeed in a not-so-distant world where market-based mechanisms incentivize corporate sustainability globally.

Get up to speed on AI and ML. When it comes to machine learning and artificial intelligence, even the most advanced tech companies such as Amazon and Google struggle with discriminatory or otherwise biased outputs from their data models. As these initiatives take hold and represent larger portions of corporate revenue, compliance and risk management teams will need more effective technologies to ensure their company’s automated processes, data models, and analytics engines produce their intended outcomes. Risk managers will need to get up to speed on AI, intelligent agents and chatbots, digital process automation (DPA), and robotic process automation (RPA).