Post-GDPR Developments on Data Protection and Privacy Regulations Around the World November 14, 2019 Gary Marsden | Cloud Services Director More About This Author > In the modern era of a global information economy, every single day, enormous amounts of information are transmitted, stored and collected worldwide. All these transactions are made possible by the massive technological advancements in our computing and networking capabilities that have materialized in recent years. These technological advancements not only changed the landscape of our global online, social, economic and financial endeavors but also brought numerous changes in privacy and data protection laws. Businesses need to realize that there is an unavoidable move towards a global digital landscape where data and privacy protection laws and regulations will restrict the ways in which personal data can be used. Many of the new legal frameworks and regulations bring unknown future risks. With commerce being increasingly dependent on huge data exchanges, companies will find themselves between a dependence on data and the laws that restrict the use of this data, a mixture that gives rise to uncertainty and complexity. Importance of data protection and privacy laws Reviewing the negative effects of high-profile breaches and security incidents on organizations globally, it is apparent that for a digital economy to function properly, data protection and privacy is directly related to the level of commerce quality. Consumer confidence is the number one priority, and legislators must be very careful to maintain a balance between inadequate security controls and hard to implement security controls. Although many countries around the world share a common understanding of the need for individual privacy, privacy interpretations and law applicability vary. Some countries choose to interpret and protect privacy as a fundamental right, while other countries choose to include privacy protection under other constitutional doctrines. And still some countries have not yet adopted any privacy protection. The effect of these differences on organizations, individuals and international commerce is significant and adds to the complexity of privacy. Technological developments, like the adoption of cloud computing and the proliferation of the Internet of Things (IoT), are disrupting traditional business models and bring new challenges to areas such as law, communication and business development practices. It’s important that modern data protection regulation should incorporate these challenges and cater to a trust environment for all stakeholders. Common data protection and privacy principles For many international agreements, modern data protection and privacy regulations share some common principles, like the need of a data processor to have a legitimate reason for exercising any processing activity. Legitimacy is justified by means of consent from the data subject or by specific public interests dealing with national security and safety. The quality and accuracy of the Personal Identifiable Information (PII) being collected and processed is another common principle, requiring data processors to provide accurate, complete and up-to-date data. Another core principle is the importance of data security and applying appropriate security controls in order to protect it. Regulators in recent years acknowledge that while the internet is a critical infrastructure over which daily economic and social activities are carried out, at the same time it is a source of many security threats. While agreements exist between countries on these core principles, there is a lot of debate on how to best apply them. Some countries apply all these principles equally, while other countries apply different rule sets for 1) specific industries (like health); 2) types of data processors (i.e. there are special treatments on how public authorities handle PII data of citizens); or 3) types of data (i.e. how data involving children is handled). A milestone in data protection – the GDPR The General Data Protection Regulation (GDPR) came into force in May 2018 and is the EU’s answer to the need for tougher regulatory requirements regarding the governance of personal data protection. Non-compliance with the GDPR has severe financial consequences, with fines up to four percent of total global annual turnover or 20 million euros, whichever is higher. The GDPR is seen globally as a milestone in data protection regulations, as it sets a level of protection for data subjects that did not exist before. The GDPR outlines very strict rules for data processors when it comes to the processing of personal data of EU citizens, but it also grants data subjects a set of rights that gives them more control of their personal data. Regulation developments outside the EU While the EU was the first region that issued a modern data protection law, a large number of other countries are currently in the process of introducing data and privacy protection legal frameworks. The goals and interpretations of these legal frameworks differs significantly, with the result (and greatest challenge) being that businesses continue to face different data protection compliance obligations and requirements from different jurisdictions. The GDPR has influenced these new legal frameworks and jurisdictions in many ways. For example, Switzerland and Argentina are in the process of revising their local data protection laws to implement rules that will closely match the GDPR. The root cause behind matching local privacy laws with the GDPR is the need to facilitate compliance with both regulations for local businesses, and to allow the free flow of data between these countries and the EU. We have also observed a rise in jurisdictions seeking new adequacy decisions from the EU. For example, the deal between the EU and Japan, two regions with fundamentally different approaches to privacy, allows personal data to flow freely between the two economies on the basis of strong protection guarantees. Other regions that are in the process of implementing new data and privacy protection requirements include: Australia: Privacy Amendment (Notifiable Data Breaches) Act India: Personal Data Protection Bill Kingdom of Saudi Arabia: Essential Cybersecurity Controls Mexico: Data Privacy Bill South Africa: Protection of Personal Information Act (POPIA) United States— California: California Consumer Privacy Act (CCPA) and New York: New York Privacy Act (NYPA) Data localization on the rise Data localization is another trend in privacy laws, and it refers to the requirement of storing PII data locally, within a country’s jurisdiction. Data localization is different to laws that limit businesses from transferring PII data without valid protections between different countries. A data localization law requires that at least one complete copy of a data set remains in the relevant jurisdiction. A number of countries have data localization laws in place that are either limited in scope to specific industries (i.e. Germany requires telecommunications organizations to store data of communications locally) or to particular sectors (i.e. Australia requires health data to be stored locally). How can businesses fight uncertainty? Businesses must be forward-thinking and plan ahead. They should begin by identifying and addressing the biggest compliance risks they face under the GDPR and then work from there to achieve compliance within other relevant legal frameworks. Quite often this requires basic steps to be taken in terms of understanding an organizations data profile (what data is held and where) and then classifying that data in line with its importance and any privacy requirements. Compliance risks must then be categorized in order of severity and addressed accordingly. A compliance team can start working on the easier requirements, such as creating and updating privacy policies, notices and contracts with customers and partners, and then move to more complex issues. Businesses must ensure that compliance is assigned to a person or a team, and that there is a well-planned process that includes checking on progress. Finally, it is crucial to build awareness of what the local data and privacy law requirements are among staff members who process personal data so operational impact is minimized. The greatest area of future uncertainty comes not from the legal frameworks but from technology, and businesses should see this as an opportunity and not a threat. Policymakers are, in part, taking privacy and data protection more seriously because public opinion has shifted. A well-planned and executed privacy compliance program accompanied by a secure architecture of encrypted/anonymized data and well managed keys will help a business raise trust among its customers, partners and staff. This will translate into customers and partners allowing the company to continue to access and use their data, which is at the heart of doing business in today’s global digital world. To keep pace with changing data protection regulations wherever you do business, Thales can help you address compliance. To learn more about improving security and managing risk visit our compliance solutions page.