In this podcast we look at the year ahead in 2024 with Mathieu Gorge, CEO of Vigitrust.
We talk about upcoming updates and changes to law and regulation, such as PCI, NIST, EU data protection regulations, post-Brexit divergence between the UK’s ICO and Europe, increasing global traction for DORA, and 60 major elections across the world.
Gorge also talks about what such changeable prospects mean for enterprise data protection and the core role of auditing and understanding corporate data, where it is held and the risks to which it is exposed.
Antony Adshead: What are the key developments in law and regulation that will affect IT in 2024?
Mathieu Gorge: I think 2024 is going to be a super-busy year from the regulatory perspective.
We have PCI 4.0 coming into effect this year. We are seeing a number of updates to European data protection regulations within the member states that go beyond the requirements of GDPR.
More importantly, I think we are seeing the ICO – the Information Commissioner’s Office in the UK – taking a very different direction from the rest of the European countries. The UK left the EU, so the ICO no longer reports to the EU data protection board.
What that means is they can go their own direction if they want, and one of the worries here is that adequacy between UK GDPR and the rest of the EU might not last until 2025 as it was supposed to. And that’s something to keep in mind not just for UK-based businesses, but for anyone doing business and exchanging data with the UK.
Another thing to bear in mind is DORA – the Digital Operational Resilience Act – that’s getting a lot of traction right now throughout the world and impacts not just European companies, but global companies. And as well as that, the advent of NIS2 [the EU Network and Information Security Directive].
In addition, to make things a bit more spicy, we have roughly 60 major elections coming up, including seven of the most populated countries in the world, notwithstanding the main one, I suppose: the US.
We know that every time governments change, their approach to data protection, their approach to cloud security, to how often you need to be audited or assessed, how long you need to keep the data, it can change, and most times there are some notable changes in terms of enforcement – not necessarily in terms of the regulation itself, but how it is enforced.
I think we need to be very careful in 2024 in terms of where we do business, understand where we have data, where we store data, and try to understand the potential impact of those changes for our environment.
It’s going to be interesting for the next few months. I suppose the consequences are going to go far beyond 2024, but now is the time to do a table-top exercise to see where you keep data, where you transfer data to and from, and whether you might be compliant in cloud, storage and data protection.
Adshead: How – specifically – will these impact storage, backup and data protection in the coming period?
Gorge: Again, I think you need to understand your environment. You need to understand the type of data you are taking, that you are processing, storing or transmitting, where you take it from, where you send it to, the type of cloud providers that you use.
You will have noticed more and more that when you get a new client, they ask are you ISO 27001 tested, are you CMMC compliant [Cybersecurity Maturity Model Certification] in the US, are you looking at the [CSA Cloud Controls Matrix], are you including anything that might have to do with AI and the impact of AI on how you collect and create data?
So, January is always a good time to go back to basics, to map out your business environment of data that you collect, that you create, that you store, and understand the various regulations and standards that apply.
Generally speaking, anything that is ISO-based or NIST-based will certainly help you manage your cloud environments and manage the compliance efforts you need to put into place.
The next thing is to use the right tools. Maybe use a governance, risk and compliance tool, cloud storage management tools, data identification tools, and encryption tools.
There’s no shortage of tools, but there’s no point looking at tools until you understand your environment and you understand what you need to protect and how to protect it, what you need to keep and what you cannot keep.
Now is a good time to go back to basics, map out your environment, do a data classification exercise, and then try to map the various compliance requirements around storage, security, cloud and data protection that apply to your data.