New regulations can cause headaches for data management, expert tells IT Brew

Managing data privacy is Tanneasha Gordon’s job at Deloitte—and that means, in part, keeping up with changing regulations.

Gordon has been with Deloitte for over 14 years. She’s a principal with the company’s cyber risk team and leads the data and digital trust side of the business, focusing on data privacy, data protection, and digital safety.

Protection. For Gordon, a self-described sci-fi fan and fitness fanatic, the day-to-day at Deloitte involves managing the company’s responsibilities with data protection and helping to remind users of what they need to do to stay on top of things. Privacy is important: In the healthcare field, for example, access to accurate data is essential for getting work done, but due to the sensitive nature of the information, that access must be balanced with protection.

“The protection of privacy is intrinsically tied to many companies’ bottom line and the core services that they provide to consumers,” Gordon said.

On your toes. Regulatory changes often complicate that picture. Gordon told IT Brew that most regulations are telegraphed early to organizations, revolving around “12 to 14 consistent principles,” allowing them to manage compliance. Her team designs programs around those regulations with built-in controls that can be adjusted later. It’s a way of ensuring the team can pivot when needed.

“When we build this type of program, we can anticipate and flex to the regulatory environment more easily; we siphon through these regulations pretty quickly and we can adjust,” Gordon said. “The onslaught of regulations is very hard to keep up with.”

And oftentimes those regulations can have unexpected consequences. Regulations merging safety and security—as with the proposed Kids Online Safety Act that’s making its way through the Senate—put requirements in place that may end up disrupting how things are traditionally done, necessitating more changes, Gordon said.

“Not only do I need to make sure the privacy program is scalable for privacy regulation, but that there is some integration into safety teams and security teams and product development teams,” Gordon said. “That’s what adds the complexity, is when non-privacy-specific regulations are being passed that have privacy requirements or applications that we need to tie into, and how that may impact the business model or impact the product road map and how users engage with a company and their services.”