Data has become a hugely valuable commodity to businesses, but as breaches become more common and privacy concerns more urgent, the regulatory risks have grown.
A raft of new laws have been brought in to protect personal data, with around three-quarters of the global population set to be covered by such rules by 2025, according to Gartner. And rule breakers risk significant fines and reputational damage, especially if they operate in heavily regulated industries such as financial services, pharma or healthcare.
With yet more legislation on the horizon, organisations will have to commit significant resources and investment to ensuring they remain compliant. So what risks are they likely to encounter, and how ready are they for what lies ahead?
Rachael Annear is a partner at law firm Freshfields Bruckhaus Deringer. She advises global companies on issues in data. Every organisation is “on its own journey” when it comes to compliance, and approaches vary widely, she says, although some do need to speed up.
“In general, heavily regulated organisations tend to be very used to governance and accountability structures, but even they sometimes need to move faster to adapt to emerging data laws and the growing regulatory focus on data governance.”
Tailoring legislation
Data regulations will vary from company to company depending on size, sector and geography. But, broadly speaking, regulators globally have focused on two main areas when tightening up the rules: privacy and the protection of personal data, and digital advertising practices and the intersection between personal information and so-called ad tech.
While most countries have moved to bring in new laws, the EU has led the way with the General Data Protection Regulation (GDPR), which came into effect in 2018. The legislation establishes guidelines for the collection and processing of personal data so that it is fair, limited, accurate, secure and confidential. Firms must be able to demonstrate how they keep a check on these things.
GDPR also imposes obligations on organisations wherever they are based, so long as they collect data in the EU – and the penalties can be huge. Recent examples have included a €1.2bn (£1bn) fine for Meta, €746m for Amazon and €345m for TikTok.
Since then, Annear says the bloc has complemented GDPR with an increasing number of “sector-specific laws and laws with broad regulatory impacts on the handling of data”. These include the EU’s Digital Operational Resilience Act (DORA) in the financial services sector, and its Data Act, which applies to various businesses’ handling of both personal and non-personal data.
“In terms of data protection regulation, the GDPR is often seen as a bit of a blueprint,” Annear says. “However, as privacy laws mature, we see examples of jurisdictions tailoring legislation to their own political, historical and cultural contexts.”
Geographic nuance
There is now a trend toward emulating GDPR around the world, with the UK, many Middle Eastern countries, certain US states, Brazil, Canada, Australia and India all taking a similar path.
That said, any company operating internationally must be aware of geographic nuances, says Nina Bryant, head of the UK information governance, privacy and security practice at FTI Consulting.
“Some countries may tighten or slacken their requirements to increase their attractiveness as a global business hub – a factor in some of the shifting laws in countries such as the UAE and Saudi Arabia. Others may weigh national interests against individual privacy protections, which is one of many factors in the US journey toward a possible federal privacy law.”
With new legislation on AI about to be passed in the EU, the regulatory scrutiny is bound to intensify, so organisations must have robust data protection strategies that cover not only data stored within their own domains, but also that held by third-party providers in the cloud, such as software as a service (SaaS) platforms.
Complacency is not an option, and Annear stresses that each company will have to tailor its approach based on the data it is processing and the manner of processing. Firms must also keep an eye on the ever-evolving cyber risk landscape.
“There is undoubtedly a correlation between the extent to which an organisation prepares for cyber-attacks and the harm – operational, financial, reputational and legal – caused by an incident,” she says.
Crisis situations
Bryant says few companies are blind to regulatory risks, with the issue now taken much more seriously at board level. Yet while awareness and intention have improved, there are still gaps in execution.
“We see many companies struggle with tackling, and thus effectively governing, the complexity of their data environments alongside a sometimes confusing patchwork of regulatory requirements. Moreover, data breaches continue to plague companies of all sizes, and in those crisis situations, many are unsure of how to effectively and correctly investigate the breach, identify what was lost and understand their notification requirements.”
It is vital to ensure robust data protection processes are embedded across the whole organisation, she adds. This means leaders must buy into compliance and privacy as part of their company culture and values in order to establish trust with their clients or customers, setting the tone “from the top down”.
Rigorous assessment and governance of third-party providers is also critical as it remains a major area of risk exposure, and one that is likely to expand as organisations look to SaaS options for AI.
“For any SaaS deployments and third-party partnerships wherein data is transferred and/or shared, organisations must make a regular practice of assessing and auditing their providers against all applicable data protection and privacy requirements,” says Bryant.