The global data regulation landscape has become increasingly complex in recent years, and businesses trading internationally must keep track of an-ever changing patchwork of rules.
2020 has seen a series of seismic shifts in the data privacy and security landscape: from the introduction and development of new regulations around the world to major political shifts, there have been several major changes that will have serious implications for any firm doing business across state and national lines.
Europe: The Brexit challenge
Businesses have had plenty of time to get to grips with the GDPR over the last two years, but the status quo is set to change again with the UK’s exit from the EU. The UK itself is set to adopt its own equivalent to existing GDPR laws, but transferring data to and from the EU may become more difficult.
From 31st January 2021, the UK will be classified as a ‘third country’ under the GDPR, and the European Commission is assessing whether the UK can still be considered a trusted location for the data of EU citizens. UK companies may have to reach their own data transfer agreements with partners in the EU to remain compliant, but the exact details will likely not emerge until the New Year.
The United States: Privacy Shield and the CCPA
In July, the EU Court of Justice invalidated the Privacy Shield agreement, derailing one of the main processes for transferring data between the EU and US. It was ruled that US law doesn’t adequately ensure protection of EU personal data, stemming from both American surveillance practices and the fact the country lacks a unified national data privacy policy.
While the Privacy Shield is broken, the court did validate and allow another mechanism for transatlantic data transfers, known as Standard Contractual Clauses (SCCs). The responsibility has also been put on data controllers to judge whether a recipient country has adequate privacy protection in place.
Businesses must reassess their vendor relationships and put in new data transfer mechanisms to replace those reliant on the defunct Privacy Shield.
On the domestic side of things, America saw the introduction of the California Consumer Privacy Act (CCPA). The regulation gives Californians powerful new GDPR-style rights for the control of their personal data, including requesting data, opting out of data collection, and suing over safeguarding issues.
It has the potential to apply to thousands of businesses in the U.S. and internationally who have customers in California. Additionally, the recent Proposition 24, which was on the ballot in California during the U.S. election, has passed. This proposition paves the way for the California Privacy Rights Act (CPRA), a new privacy law that further strengthens the safeguards applied to the use and protection of consumer data in California.
Brazil: Introducing the LGDP
In September, Brazil became the latest nation to introduce GDPR-style data regulations in the form of Lei Geral de Proteção de Dados (LGPD). The new law applies to both organizations in Brazil and non-Brazilian companies processing personal data for the purpose of offering or supplying goods and services to individuals in Brazil.
Companies that are already compliant with the GDPR should have an easy time adjusting to the LGDP as it is largely similar to the European regulation with a few small differences.
China: The upcoming PDPL
On October 21st China revealed the draft for its Personal Data Protection Law (PDPL) for public consultation. The proposed law not only introduces strict new data laws for China, but also has geopolitical implications.
The PDPL is China’s first unified nationwide data law and will implement new controls over how data is shared and managed. Going forward, any organization seeking to access Chinese user data will need to comply with strict requirements such as establishing managing bodies and completing regular risk assessments.
The regulation currently enables fines of up to RMB 50 million ($7.4 million) or up to five percent of the preceding year's revenue and can also levy smaller fines against individuals responsible for non-compliance.
The most contentious element of the draft regulation is article 32, which requires “cooperation” with Chinese security and national departments over issues of national security or criminal investigation. The article has sparked concerns that foreign companies may be required to turn customer data over to the Chinese government, which adds yet more strain to China’s fraught relationship with the US and their on-going trade disputes.
The draft regulation proposes “corresponding measures” against countries that limit the flow of data and technology investment in China, seen as a direct response to the restrictions placed on China by the US “Clean Network” initiative.
Keeping up with global regulatory developments
While organizations are faced with an increasingly complex patchwork of regulatory demands around the world, the good news is that most compliance requirements can be met with the same set of basic best practices.
Going into 2021, firms should, for example, continue revisit their data collection policies and only gather data required for business-as-usual activities, as well as ensuring that customer consent is built into data collection practices. A small data footprint will minimize the burden of management and reporting activities, as well as minimizing the likelihood and impact of security incidents.
Security also needs to be a leading priority, and companies must ensure that strong security policies are in place for any data being stored, processed or transmitted. Data must also be protected through methods such as classification, encryption and data loss prevention, as well as tools like anti-phishing, anti-malware and threat intelligence to uncover and combat cyber threats.
Finally, organizations can take things a step further by implementing Cyber Threat Intelligence (CTI) to align data on risks and threats with their cyber security framework. This will help security and compliance teams to proactively assess the organization’s risks and liabilities in different regions and ensure they remain compliant even as the landscape continues to shift.