Thales eSecurity Blog

Navigating the New World of Global Data Regulation

Alan Kessler | President and CEO

In the ongoing shift to digital that continues to reshape – if not disrupt – industry after industry, data remains front and center as the most valuable business asset. Organizations are creating, sharing and storing data at an unprecedented level. However, along with the potential for insight and innovation also comes enormous responsibility; to quote Voltaire (or Spiderman), “with great power comes great responsibility.” Businesses are entrusted by their customers to keep their data safe, and those who operate globally face a complex patchwork of data protection policies.

Examining the Hodgepodge of Global Data Regulations

In the news recently, it’s been reported that Facebook is facing significant fines from the European Union and rulings against the company by French and Dutch privacy watchdogs for breaking data protection rules. In a nutshell, Facebook ran afoul after going back on its word that it would not combine its own user data with that of WhatsApp – the company it acquired along with the app’s billion users. European regulators decided the data merging would give Facebook an unfair advantage over would-be competitors.

This news highlights the steep learning curve that many U.S. companies face when bringing their products and services from the relatively relaxed regulatory atmosphere of the U.S. into stricter markets around the globe. In Europe, for example, a new legal framework known as the General Data Protection Regulation, or GDPR, is set to go into effect in May 2018.

The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy. Unfortunately, there is currently an awareness gap around the fact that GDPR will impact every business offering goods or services to EU citizens, regardless of where the company is headquartered. Although GDPR won’t go into effect until 2018, this will be an important year for organizations as they prepare for compliance. For a closer look at why businesses need to begin preparations for the GDPR now, I recommend reading my colleague Peter Carlisle’s recent blog post.

Other countries such as Australia have recently revised their data protection regulations. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Parliament on February 13, 2017. However, this legislation has been in the works for quite some time now. The bill is primarily focused on data breach disclosure, and will provide Australians with greater clarity about the privacy of their personal information.

China too is in the process of rolling out new cybersecurity regulations and an overarching data protection framework of its own. The new law requires that companies store their data within China, and imposes security checks on companies in sectors such as finance and communications. Although the new regulations aim to strengthen the cybersecurity posture of Chinese companies, data residency laws such as this continue to cause headaches for multi-national businesses and governments handling personal data.

Because there are no internationally agreed laws around data sovereignty, enterprises – which commonly leverage cloud providers and data centers all over the world – are often left facing many unanswered questions. For a deeper dive into the data residency conundrum, check out my blog post on the international use of personal data.

The Trust Equation: What People Expect When It Comes to Data Security

With such varying regulatory frameworks in place across the globe, individuals have similarly varied perspectives on data privacy. Countries and their citizens perceive and address privacy concerns quite differently from one another, owing largely to cultural and political differences that have shaped their view of privacy.

Americans, for example, fear they have lost control of their personal information. Many worry whether government agencies and major corporations can truly protect the customer data they collect. In fact, according to recent research from the Pew Research Center, roughly half of Americans do not trust the federal government or social media sites to protect their data.

European countries, which have more robust data privacy regulations in place and forthcoming, have slightly different perceptions on privacy and control over personal data. A recent European Commission report found that almost all Europeans say they expect to be informed should their data ever be lost or stolen. Additionally, most Europeans were reportedly uncomfortable about internet companies using information on their online activity to tailor advertisements. The GDPR only stands to improve the public’s perception that their online privacy and security is being prioritized, whereas the patchwork of regulations in the U.S. may continue to have a negative impact on consumer trust.

Organizations depend on trust. In today’s global business environment, it’s clear that organizations must adopt new approaches to secure their digital assets. Protecting the digital enterprise means more than defending against cyberthreats; it also includes ensuring the confidentiality, integrity and availability of data. While no organization is immune to the threat of security breaches, implementing data encryption with strong access control is a major safeguard that will protect information assets and an organization’s reputation.

Underscoring the value of encryption in maintaining the privacy of sensitive data, many of the data protection regulations in place today call for the use of strong encryption. These types of preventative regulatory frameworks are the new reality for global organizations. One can only hope they will have a positive effect on how societies perceive data privacy and better establish trust in organizations processing personal information.

Encryption: Human Right and Business Necessity

To date, compliance remains the number one driver for enterprise encryption strategies. That’s according to the 2017 Thales Data Threat Report, which found that almost half (44 percent) of global enterprise organizations list meeting compliance requirements as their top spending priority.

However, it’s important to recognize that it’s no longer enough to just check off compliance boxes. Cyberattacks change daily and hourly, but compliance regimes take many months and years to update. This leaves compliance mandates requiring organizations to use protection methods that attackers may have already circumvented. Compliance is certainly a good starting point, but it is not a foolproof strategy for protecting sensitive data.

For individuals, encryption has also come to the forefront as a core element in data privacy and protection. In 2016, Amnesty International released a report calling encryption an important enabler of human rights, highlighting that “encryption is a basic prerequisite for privacy and free speech in the digital age.”

As lawmakers and regulators across the globe strengthen existing data security compliance requirements and define new regulations in response to increasing threats, it’s encouraging that both organizations and individuals are waking up to the growing need for encryption that protects the data itself, rather than relying on perimeter security approaches alone. Data privacy is now of paramount importance for businesses wanting to keep valuable data – both their own sensitive data and that of their customers – out of the hands of malicious actors, and to prevent their brand from becoming tomorrow’s negative headline.

Do you have questions about how your organization can confidently face industry and government compliance standards? Take a look at how Thales can help you meet the toughest data protection and compliance challenges. And of course, feel free to leave a comment below or tweet me @kessalan to learn more.