Personal Data Protection: What Does It Really Mean Today?
As digital technology keeps transforming our lives, personal data protection has taken on a new meaning. With an abundance of data and increasingly complex technology, existing data protection laws are being radically revised in many countries, and new ones are being established, sometimes at state level. Today's regulations are mostly tailored to each jurisdiction and are often difficult to interpret, so meeting compliance standards can be challenging. This ever-evolving regulatory landscape raises the question: what will happen in the future?
The Root Cause of Regulatory Disruption: Technology Evolution & End User Concern
Advances in technology over the past decade have created a highly networked and interconnected world in which practically anybody, anywhere can access information at any time. The concern is that companies could misuse or mishandle this data. Faced with invasions of privacy and a growing number of data breaches, privacy laws dating back decades, such as the 1995 Data Protection Directive in Europe, no longer adequately protect individual rights, and new regulations are emerging to protect consumers. Several recent developments set the stage for the new regulatory landscape:
- Europe’s GDPR as a catalyst for change. The EU was the first to act on the imbalance of power between the individuals whose data is collected and the companies that hold it. When GDPR became applicable in May 2018, the global regulatory situation changed dramatically. Under GDPR, an organization's management is held accountable, and infringements (including mishandling consumer data and failing to protect it against breaches) can be fined up to 4% of worldwide annual turnover. This landmark regulation has set off a domino effect of further regulations, including the California Consumer Privacy Act (CCPA) in the US, which comes into effect in January 2020.
- The US’s CCPA as a continuation of change. US personal data law has traditionally been more lax: outside a few sector-specific statutes, companies have been largely free to sell the consumer information they gather. With the introduction of CCPA, personal data rules in California move closer to the European level of protection. Other US states are expected to introduce or upgrade privacy legislation soon. In the long run this points toward a patchwork of 50 state laws, which in turn raises the question of whether a federal law should replace or harmonize them.
- Further developments from other countries. Many countries are updating their data privacy rules or drafting new ones. Most are still not as comprehensive as GDPR or CCPA, but they mark progress nonetheless. Here are some of the personal data regulatory activities occurring globally:
- Argentina is revising its data protection law of 2000 to align more closely with GDPR; a new data protection bill was submitted to congress in September 2018.
- Brazil has consolidated over 40 separate regulations into a single data protection law (LGPD), which comes into effect in August 2020. It borrows from GDPR and places significant compliance obligations on companies processing data or offering services in Brazil.
- China’s rules on handling personal data are undergoing significant change. The personal data provisions of the Cybersecurity Law (CSL), enforced by the Cyberspace Administration of China (CAC), were given concrete implementing measures in June 2019, and the General Rules of the Civil Law recognize the protection of personal information. These rules focus on formal internal controls within an organization, such as security assessments.
- Japan and the EU agreed to allow the free transfer of personal data between them (a mutual adequacy arrangement), which took effect in January 2019.
- Mexico’s legal framework for protecting personally identifiable information (PII) is not based exclusively on international data protection law and contains some gaps. Enforcement is expected at state level; Mexico City, for example, has issued new laws on data privacy accountability that await federal action.
- The Philippines’ National Privacy Commission (NPC) issued final regulations requiring companies to register their personal data processing systems by September 2017. To support business, the NPC is also working to align its regulations with GDPR and with Japan’s rules; that alignment is still in progress.
- Russia’s amendment to personal data law No. 152-FZ, in force since September 2015, requires that Russian citizens’ personal data be collected, stored and processed in databases located in Russia; this applies equally to Russian subsidiaries of foreign parent companies. Transferring such data outside Russia requires a predetermined purpose of processing and must be documented by a Russian legal entity.
- South Africa will bring the Protection of Personal Information Act (POPIA) into force, with an estimated compliance deadline of June 2021.
- Switzerland is revising its Federal Act on Data Protection (DSG) to align with GDPR, so that data can keep flowing freely between Switzerland and the European Economic Area (EEA). Discussions on this amendment started in 2018, but agreement may not be reached until 2020 or even 2021.
How New Regulations are Impacting IT
Complying with data privacy regulations affects companies at the business management level, but nearly everything involved in achieving and maintaining compliance falls to the IT organization.
Once a regulation is introduced, new control processes for handling personal information must be implemented to meet its requirements, such as ensuring that consumer data is deleted within the allotted retention period. These implementations are highly technical and complex. They require an integrated solution that covers the whole IT environment consistently, including third-party systems and the organization's own, often idiosyncratic, structure.
For example, we developed a personal data scanning process integrated with a service management platform. It supports configurable scanning across a heterogeneous database infrastructure, tracks what it finds, and automatically raises issues and warnings that are managed through a centralized process. An integrated solution of this kind lets companies manage the controls required for collecting and processing personal information effectively.
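To make the two controls described above concrete, here is an added example in Python. It is not the authors' scanner or any product: it shows a configurable scan that classifies the columns of a row sample by personal-data pattern and raises findings for a central tracking process, plus a retention check that lists records older than an allotted period. The detector set, the 80% match threshold, the Luhn filter for card numbers, the table layouts and the sample rows are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not the article's own scanner. Detector set, thresholds and
# sample tables are assumptions; a real deployment would load them from config.
DETECTORS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$"),
    "phone_e164": re.compile(r"^\+[1-9]\d{7,14}$"),
    "card_number": re.compile(r"^\d{13,19}$"),  # reported only if Luhn passes
}
SEVERITY = {"card_number": "high", "email": "medium", "phone_e164": "medium"}


@dataclass(frozen=True)
class Finding:
    """One auto-generated issue for the central tracking process."""
    table: str
    column: str
    kind: str
    ratio: float      # share of non-empty sampled cells that matched
    severity: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def cell_matches(kind: str, value: str) -> bool:
    if not DETECTORS[kind].match(value):
        return False
    return luhn_ok(value) if kind == "card_number" else True


def scan_table(name, rows, threshold=0.8, min_cells=3):
    """Classify each column of a row sample. A column is reported for a detector
    when at least `threshold` of its non-empty cells match; columns with fewer
    than `min_cells` values are skipped to avoid noise from sparse data."""
    findings = []
    columns = sorted({k for row in rows for k in row})
    for col in columns:
        cells = [str(r[col]) for r in rows if r.get(col) not in (None, "")]
        if len(cells) < min_cells:
            continue
        for kind in DETECTORS:
            ratio = sum(cell_matches(kind, c) for c in cells) / len(cells)
            if ratio >= threshold:
                findings.append(Finding(name, col, kind, round(ratio, 2), SEVERITY[kind]))
    return findings


def retention_violations(rows, key, date_col, retention_days, as_of):
    """Keys of records whose activity date is older than the allotted retention period."""
    cutoff = as_of - timedelta(days=retention_days)
    return [r[key] for r in rows if r[date_col] < cutoff]


# Constructed sample rows standing in for a sample pulled from two databases.
CUSTOMERS = [
    {"id": 1, "email": "ana@example.com", "phone": "+4915112345678", "last_activity": date(2019, 12, 1), "notes": "call back"},
    {"id": 2, "email": "ben@example.org", "phone": "+14155550123", "last_activity": date(2017, 6, 30), "notes": ""},
    {"id": 3, "email": "cy@example.net", "phone": "", "last_activity": date(2018, 12, 31), "notes": "VIP"},
    {"id": 4, "email": "dee@example.com", "phone": "+5511987654321", "last_activity": date(2017, 12, 31), "notes": "prefers email"},
    {"id": 5, "email": "eli@example.org", "phone": "+33612345678", "last_activity": date(2019, 5, 5), "notes": ""},
]
PAYMENTS = [  # order_ref is 13 digits but fails Luhn, so it is not reported as a card
    {"id": 10, "card": "4111111111111111", "order_ref": "1000000000001", "amount": "12.50"},
    {"id": 11, "card": "5500000000000004", "order_ref": "1000000000002", "amount": "99.00"},
    {"id": 12, "card": "378282246310005", "order_ref": "1000000000003", "amount": "7.25"},
]


def expired_customer_ids(as_of=date(2020, 1, 1), retention_days=730):
    """Customer records to delete under an assumed two-year retention rule."""
    return retention_violations(CUSTOMERS, "id", "last_activity", retention_days, as_of)


if __name__ == "__main__":
    for f in scan_table("customers", CUSTOMERS) + scan_table("payments", PAYMENTS):
        print(f"[{f.severity}] {f.table}.{f.column}: {f.kind} ({f.ratio:.0%} of cells)")
    print("delete (retention exceeded):", expired_customer_ids())
```

Two design points carry over to a real deployment: matching is done per column on a ratio of sampled cells, so a single stray email in a free-text column does not raise an issue, and a structural check (here Luhn) sits behind the broad regex so that order numbers and other long digit strings do not flood the tracking process with false card-number findings.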
As more countries enforce new data privacy laws and the rules become more complex, these challenges will continue to grow. The new laws and rules are still not perfect, and their impact could prompt further updates to existing regulations.
Looking Forward to Emerging Data Privacy Concerns & Preparing for the Future
It is reasonable to expect that in 20 years today’s technology will look as antiquated as mid-1990s technology looks to us now. With that in mind, it is worth considering how emerging technologies will shape data privacy law. Our current concept of privacy will likely no longer hold. Data-generating technologies such as wearables, connected vehicles and streaming apps are expected to set the pace for further change. Businesses should see this as an opportunity; from a legal perspective, regulation should preserve the balance with fundamental human rights.
Whether you are focused on meeting today’s regulatory and compliance standards or preparing for the future, the best path is an adaptable privacy compliance program. Over time, compliance with personal data processing regulations will evolve from a set of technical requirements (implementing monitoring and control technology) into a cultural initiative. That can give companies a competitive advantage by ensuring that customers, suppliers and employees are confident in how you handle their data.