Keeping on top of data protection regulations

As the number of privacy regulations grows worldwide, with no global standard in sight, it is becoming increasingly challenging for enterprises to protect personal data and meet varied regulatory requirements. Here we provide an overview of the regulatory landscape and outline steps that can be taken to deal with regulatory changes.

By the end of 2024, 75% of the world’s population will have its personal data covered by privacy regulations, according to Gartner. “The regulatory evolution has been the dominant catalyst for the operationalization of privacy,” explains Nader Henein, VP Analyst at Gartner.

Since most organizations do not have a dedicated privacy practice, these requirements usually fall under the CISO’s remit. With more privacy regulations expected across numerous jurisdictions, Gartner recommends that enterprises start a privacy program to cope with the compliance deluge. Data governance is the main building block of a privacy program. Frameworks will vary across enterprises, but each needs to spotlight the regulatory demands of the countries and regions in which the enterprise operates.

Staying one step ahead of data compliance regulations

As one regulation is passed, another one is tweaked. Take, for example, the recent twist in the Privacy Shield Framework. In October 2022, U.S. President Joe Biden signed an Executive Order designed to lay the foundations for a new EU-U.S. Data Privacy Framework, dubbed Privacy Shield 2.0. Following months of negotiations, it is hoped that Privacy Shield 2.0 will define a lawful way for personal data to flow between the U.S. and Europe, something that version 1.0, struck down by the Court of Justice of the European Union in 2020, failed to do.

The Executive Order is a directive, not a law, and the European Commission must now decide whether it justifies a new adequacy decision for the U.S. There is no knowing how long this will take, as it will face legal challenges in Europe. Max Schrems, the Austrian activist and lawyer whose Schrems II case broke Privacy Shield 1.0, has already said he is not impressed. He says it does not go far enough in protecting the privacy of EU citizens, as there is no avenue of redress against the U.S. government for people who believe their data has been wrongly used. He will return to the Court of Justice of the European Union (CJEU) to fight it.

Whether or not Privacy Shield 2.0 is agreed, organizations that still rely on the old Standard Contractual Clauses (SCCs) for transfers out of the EU must migrate those contracts to the new SCCs, adopted in the wake of Schrems II, by December 27, 2022. The new clauses are designed to give organizations doing business in the EU a lawful basis for international transfers that stands up to the CJEU’s reasoning in Schrems II.

Conquering the regulatory jungle

Schrems II reflects the changing global data regulation that multinationals have to grapple with. The much-anticipated China Personal Information Protection Law (PIPL) was passed in August 2021. It mainly regulates how personal data is collected, shared and transferred abroad by companies operating in the People’s Republic of China. Brazil passed a legal framework to regulate the collection and use of personal data, the LGPD, which came into effect in 2020. South Africa has established a robust data privacy law in the form of the Protection of Personal Information Act (POPIA); organizations had until July 2021 to comply. Bahrain has its Personal Data Protection Law (PDPL), modeled on European data protection laws. And so the list goes on.

Processing data is no longer as easy as it sounds

As you can see, compliance with data transfer regulations is becoming extremely complex. Many businesses are looking very closely at data protection regimes before expanding into new markets. Some have been stung and exasperated by data regulations and have closed operations.

LinkedIn, for example, closed the virtual doors of its professional networking service in China in October 2021, citing “a significantly more challenging operating environment and greater compliance requirements.” LinkedIn, owned by Microsoft, has instead released a standalone jobs app that does not include a social feed or the ability to share posts or articles. More recently, there has been much activity around Google Analytics due to complaints filed by noyb, a European privacy campaign group founded by Max Schrems. In a groundbreaking decision, the Austrian data protection authority ruled that a website’s continued use of Google Analytics violated GDPR, because the personal data it sends to Google in the U.S. was not adequately protected after Schrems II.

Six steps

With data transfer and localization regulations becoming a minefield, enterprises can take the following steps to prepare for any compliance alterations in their operating regions.

1. Discover which data sets exist in the organization, so you know what data you have, where it is stored, which jurisdiction it falls under, and who has access to it. Once you have located your data assets, identify which ones are business critical and which hold personal data, and apply protection and access controls accordingly.

2. Run regular data compliance audits to put your organization’s adherence to regulatory guidelines under the microscope. Audit reports evaluate, for example, the robustness and comprehensiveness of your compliance preparations and of your user access controls.

3. Encryption is one of the essential tools enterprises have to protect their data. Use encryption to protect your data from unauthorized access. If malevolent actors get inside your network, for example, they cannot read your critical business data without the decryption key. This only holds if the keys are managed separately from the data they protect, in a key management service or hardware security module with tightly controlled access; an attacker who compromises a host that holds both the ciphertext and the key gains nothing from the encryption.

4. Ensure staff are educated about the importance of data compliance and security. Make it part of your onboarding for new recruits. It is impossible to fully implement data protection policies if staff do not understand them.

5. Use compliance automation where possible to reduce human error and streamline compliance work and data retrieval. Compliance automation solutions track all compliance activity in one place, from regulations and contracts to policies, which can massively alleviate the burden of preparing for an audit.

6. Consider using a European sovereign cloud that can accelerate digital initiatives in an enterprise by removing complex compliance issues and ensuring you meet operational, data and software sovereignty requirements.
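Step 1 above is the one that can be partly automated. The following Python script is an added example, not code from the article: it scans a handful of constructed, hypothetical data stores for personal-data patterns, records where each kind of data lives, which of the regimes named above applies to that store’s region, and who can reach it, and then flags the stores that need review first. Store names, records, access lists and the region-to-regime table are all assumptions made for the example, and regex discovery is a heuristic starting point rather than a complete inventory (the log store below holds a username that no pattern catches).

```python
import re
from collections import defaultdict

# Which regulation applies to data held in each region (regimes the
# article names; "US" has no federal equivalent, hence None).
REGIME_BY_REGION = {
    "EU": "GDPR", "CN": "PIPL", "BR": "LGPD",
    "ZA": "POPIA", "BH": "PDPL", "US": None,
}

# Heuristic patterns for common personal-data fields. Each is a starting
# point for discovery, not a complete classifier.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d[\d\s-]{7,14}\d"),
    "national_id": re.compile(r"\b\d{13}\b"),  # e.g. 13-digit South African ID
}

# Constructed sample of data stores (hypothetical names, records, groups).
STORES = {
    "crm-eu-prod": {
        "region": "EU", "business_critical": True,
        "access": ["sales-eu", "dba", "marketing-global"],
        "records": [
            "Anna Müller <anna.mueller@example.eu>, +49 30 1234567",
            "Order 4411: widget x3, shipped",
        ],
    },
    "hr-za-prod": {
        "region": "ZA", "business_critical": True,
        "access": ["hr-za"],
        "records": [
            "Employee 1023: sipho@example.co.za",
            "Employee 1024: thandi@example.co.za, ID 8001015009087",
        ],
    },
    "logs-us-archive": {
        "region": "US", "business_critical": False,
        "access": ["sre", "dba"],
        "records": [
            "2022-10-07 GET /healthz 200",
            "2022-10-07 login user=jdoe ip=203.0.113.5",  # missed by the patterns
        ],
    },
    "analytics-br": {
        "region": "BR", "business_critical": False,
        "access": ["analytics", "dba", "everyone"],
        "records": ["visitor e=carlos@example.com.br page=/pricing"],
    },
}


def scan_records(records):
    """Count personal-data matches per category; categories with no hits are omitted."""
    counts = defaultdict(int)
    for rec in records:
        for category, pattern in PII_PATTERNS.items():
            hits = len(pattern.findall(rec))
            if hits:
                counts[category] += hits
    return dict(counts)


def build_inventory(stores):
    """One inventory entry per store: where it is, which regime applies, who can read it, what it holds."""
    inventory = []
    for name, store in stores.items():
        inventory.append({
            "store": name,
            "region": store["region"],
            "regime": REGIME_BY_REGION.get(store["region"]),
            "access": sorted(store["access"]),
            "business_critical": store["business_critical"],
            "pii": scan_records(store["records"]),
        })
    return inventory


def in_scope(inventory):
    """Stores that hold personal data under one of the listed regimes: first in line for transfer and access review."""
    return sorted(e["store"] for e in inventory if e["pii"] and e["regime"])


def broad_access(inventory, max_principals=2):
    """Stores holding personal data that more than max_principals groups can read."""
    return sorted(e["store"] for e in inventory
                  if e["pii"] and len(e["access"]) > max_principals)


if __name__ == "__main__":
    inv = build_inventory(STORES)
    for entry in inv:
        print(f"{entry['store']:<16} {entry['region']:<3} {str(entry['regime']):<6} "
              f"access={','.join(entry['access'])} pii={entry['pii']}")
    print("in scope:", in_scope(inv))
    print("broad access:", broad_access(inv))
```

Running the script prints one line per store, then the stores in scope of a listed regime and those whose personal data is readable by more groups than the threshold allows. In practice the record source would be a sample pulled from each database, bucket or file share rather than an inline list, and the access column would come from the IAM or database grants, but the shape of the output, location, regime, readers and data categories, is what an audit in step 2 asks for.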

Data is the fuel for digital business. As well as protecting it, find out how you can get more value from it to better understand your markets here.

Jan Howells

Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.