Global developments are ramping up the need for GRC professionals.
Data privacy is the digital trend that will define this decade. Governance, risk and compliance (GRC) officers are finding themselves pushed to the front lines of politics, the economy, digitization, the blockchain, and personal and civil rights. GRC issues today are expanding beyond domestic borders. The cyber professionals who can walk the talk in the international security dialogue will come out ahead.
Here are three of the top trends in GRC.
The era of data privacy regulations
The 1990s were all about exploring the capabilities of the internet, and the 2000s were about harnessing it to gather data. Now, we’re all about pulling back and trying to protect what we’ve created. It’s the inevitable arc of an extravagant beginning, and it’s here. That’s why those who know the ropes of this newly regulated, highly debated and often geographically fickle domain will be in incredibly high demand going forward.
Ironing out a ‘crazy quilt’ of policies
It’s predicted that by the end of next year, three-quarters of the world’s population will be covered by data privacy laws. But as these laws come into their own, they’ll face the inevitable growing pains that come with doing things for the first time.
Protecting bytes of digital data containing sensitive information about billions of people around the world is without precedent. Consequently, the rush of state and local governments, international agencies and organizations to establish appropriate data guidelines now threatens to overlap and confuse, creating a “crazy quilt” of patchworked policies along the way.
In 2022, two more U.S. states enacted privacy laws, bringing the total up to five. Utah and Connecticut, in addition to California, Colorado and Virginia, have state-led cybersecurity policies in place. What’s more, roughly 30 other states had a privacy bill cross their desks last year — and more than 20 passed them. However, many of the finer points of state regulations could be superseded if the U.S. decides to pass a federal preemptive privacy law, the American Data Privacy and Protection Act (ADPPA). Meanwhile, as that waits on the horizon, states are continuing to move forward with state-led legislation.
Globally, international lawmakers are grappling with the General Data Protection Regulation (GDPR) as they iron out the kinks. Since its emergence in 2018, more than 100 countries have established data protection or privacy laws, and the legislation continues to grow. Notably, the EU-US Data Privacy Framework signed last October is expected to take effect this year, and it will present a GDPR-compliant framework for transatlantic data transfers and storage.
Regulating AI
Another compliance trend we’ll see a lot more of soon is the regulation of artificial intelligence (AI). AI grew at an exponential rate last year, both in the cybersecurity and cybercrime communities, to say nothing of its reach into industries from medical to marketing.
The US ADPPA bill, in particular, seeks to significantly increase oversight of the ways organizations leverage AI. Section 207: Civil Rights and Algorithms states that covered entities “may not collect, process or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, national origin, sex or disability.” The law, if passed, would also require companies to get FDA approval on certain AI tools before implementing them. It’s a strong start, and we can expect to see more of the same as both the AI and privacy sectors continue to evolve and intersect.
GRC means staying competitive
It’s clear that in the coming months, cybersecurity’s big issues will be discussed and decided on an increasingly larger stage. The world will be watching as nations, states, federations and corporations determine the rules of data privacy. Professionals who are able to discuss and contribute to those conversations are the ones with GRC knowledge.
Data privacy and compliance are gaining visibility as crucial to information security. The 2020s will be defined by how we handle access to the data we’ve spent the last 15 years accumulating. Financial firms, retailers, government agencies, critical infrastructure, technology, healthcare and every other industry will need to adjust to the GRC requirements coming down the pike. Those that do will stay competitive; those that don’t will be forced to wait on the sidelines until they are able to operate above-board under data privacy laws. As is the case with the recent cyber-centered Executive Order, those who don’t will miss out on government contracts and opportunities with major supply chains and corporations.
GRC compliance is becoming not only an asset for organizations but a liability for those that fall short. The day is coming when every operation will need to reassess how it handles payments, stores customer information, handles in-app data, advertises, emails and runs the inner workings of its security infrastructure. Strategizing around current GRC protocols will be a necessity — and the same will be true of the GRC professionals who can guide organizations on that journey.
Learn more about governance, risk and compliance professional certification in The Ultimate Guide to the CGRC.