April 15, 2022
How Privacy Laws Will Govern a Large Percentage of the Global Population
The strong growth in digital transformation has not gone unnoticed by governments everywhere. Individuals today are more likely to be shielded by data privacy and information security laws than ever before. For companies that provide products and services around the world, the message is clear: Governments are moving fast to strengthen privacy rules, enact new regulations and update existing data privacy regulations. Increasingly business managers are obligated to handle customer data responsibly and be able to provide consumers with rights to their personal information on demand.
While every organization must deal with privacy and information security mandates, here’s the rub. Regulations vary not only by industry—think healthcare in the U.S., where the Health Insurance Portability and Accountability Act has been law since 1996—but also by state and country. Many organizations are forced to comply with multiple, and possibly conflicting, data privacy regulations from a patchwork of jurisdictions. It’s no wonder that CEOs, CTOs, and information security leaders are seeking advice on how to arm themselves for the deluge of mandates to come.
The GDPR Leads the Way
One of the best-known regulations governing data privacy is the European Union’s General Data Protection Regulation (GDPR). Enacted in 2018, the GDPR was strengthened in summer 2021 with Standard Contractual Clauses regulating the transfer of personal data from the European Union, with its population of 450 million people, to third countries such as the US and Canada. US companies must comply with the GDPR if they sell into EU countries or track EU residents online.
Many countries draw on the GDPR when drafting their own data privacy and information security laws, which therefore tend to share many common principles. China passed its first national privacy law in 2021, and major new laws or revisions to existing mandates are underway in India, Australia, and Japan, to name a few.
In the US, there is widespread agreement that a federal data privacy law is needed. But with Congress forced to prioritize broader issues, individual states are forging ahead. California, with nearly 12% of the US population, is the pioneer. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) were approved in 2020, with a revision going into effect in 2023 that has a profound impact on how any business operating in California today collects and sells personal information. Other states are catching up with CCPA-like privacy and information security legislation, with Virginia and Colorado leading the way.
Potential Privacy and Information Security Fines
Businesses hoping to dismiss data privacy regulations do so at their own peril. In late 2021, France’s data protection authority levied fines totaling $237 million. The most common offense? Neglecting to let French users easily reject tracking via cookies. In China, enforcers of the country’s new Personal Data Protection Law (PDPL) plan to hand out fines of up to $7.5 million for cases they consider “serious.” Similarly, India’s forthcoming law will levy fines for noncompliance that may be as high as 4% of a company’s revenue. With the law likely to pass in 2022, it’s no wonder that companies everywhere are preparing now for data privacy regulations.
Clearly, nearly any business today must deal with compliance mandates in one form or another. As these laws become widespread, privacy and information security regulations are moving beyond the legal realm toward expected consumer rights. In a 2020 Pew Research Center study, 52% of respondents said they will not buy a product or service if they believe the privacy of their personal information is at stake. Similarly, there is a growing movement to strengthen data privacy regulations involving network access, particularly from vulnerabilities relating to remote work. According to a study commissioned by Forrester Consulting, 67% of business-impacting cyberattacks target remote workers.
What’s Here to Help
It’s safe to say that compliance issues relating to privacy and information security are here to stay. Fortunately, there’s a growing array of data privacy software and privacy-enhancing technologies (PETs) that can help with compliance, often delivered as Software as a Service (SaaS). According to analysts at G2, innovations in PETs will grow by seven times in 2022. Moreover, leading cloud platform providers like AWS offer hundreds of features and services to help streamline compliance with global privacy and information security rules.
With 62% of business leaders admitting in a 2021 KPMG survey that their companies should do more to strengthen data protection measures, the time to act is now. While data privacy is complex, it is manageable, provided managers do not wait for a breach to occur or find themselves backed up against a firm deadline.
Gone are the days when businesses could achieve compliance by focusing on a single region or state. Working with an internal compliance team or a trusted advisor for help with strategic technology planning, teams can list the common compliance requirements across multiple jurisdictions where they do business, and then work to meet those mandates. Rather than trying to adhere to all data privacy regulations individually, organizations can focus on complying with the strictest mandates first. This can make it easier to document and prove compliance without duplicating efforts.
Practice Good Digital Hygiene
Leveraging new technologies like public and hybrid cloud architectures and placing data closer to where the end users are located are important steps. But an equally critical part is building software resiliency and engineering good digital hygiene as a first line of defense against privacy and information security breaches.
Data privacy regulations are always changing, so it’s important to stay ahead of the game. A few of the best practices used by industry leaders include:
- Enforce minimal data collection. Avoid hoarding data simply because it might someday prove useful; doing so may fend off a big fine further down the line. Remember that it’s often possible to keep the useful parts of a dataset while removing personally identifiable information by anonymizing it.
- Develop a positive culture around compliance. Trusted partners can help businesses nurture a positive outlook around privacy and compliance that goes way beyond ticking boxes off a list.
- Own your own data, but don’t neglect consent. Few organizations doing business on the web haven’t used cookies for user tracking, but those days are nearly over. To maintain compliance with upcoming data privacy regulations, companies are quickly moving beyond browser-based tracking and toward server-side and first-party data collection systems.
Finally, and perhaps most importantly, organizations that play by the rules, do not sell their users’ data and respect privacy laws are well-positioned to strengthen their trust with customers everywhere. Being open and transparent about your compliance strategy today can go a long way toward thriving tomorrow.