This post is part of a sponsored ComplyTrust® blog post series. To learn more about ComplyTrust®, please visit complytrust.com.
The 28th of January is Data Privacy Day, a day created to increase awareness about the problematics and opportunities around data privacy. Have you heard about it? Whether you did or not, Data Privacy Day is an excellent and needed reminder about this topic: in our digital era, we communicate every day to interact with individuals, companies, and governments. And very often, our personal data is collected, processed, and stored during these interactions.
Because of past misuse of personal information, data breaches leading to potential serious consequences and lack of guidelines, governments have introduced legislations to protect data privacy and ensure citizens’ rights are respected.
Furthermore, Data Privacy Day is important not only for individuals, but also for organizations which must comply with a broadening spectrum of regulations, both national and international. These have a direct impact on how data is processed and stored, and therefore also impact application design and data storage.
FY22 Regulatory Updates
This year will see the introduction of new state-level privacy laws in the USA, and new international regulations as well, of which we provide a (hopefully) condensed overview.
In the United States, new laws in California (CPRA, California Privacy Rights Act), Colorado, and Virginia are coming into force within 18 months, and at least six more states are preparing their own data privacy laws. Unfortunately, discussions around creating a federal-level law or framework are proceeding very slowly.
In Europe, a flurry of new regulations should be implemented within 2022. Several acts (Digital Services Act, Digital Markets Act, Data Governance Act, e-Privacy Regulation, Network and Information Security Directive) will complement GDPR and impact various among which digital services / platforms, online marketing, data brokers, and more. Worth noting, the Data Act will expand cross-border data transfer restrictions to non-personal data. If it wasn’t enough, EU country courts are fast-pacing GDPR enforcement, with several high-profile cases including Amazon, Meta (Facebook and WhatsApp) in 2021, a steep increase in terms of fines compared to the previous years. Lastly, the Schrems II judgement continues to create ripples, not only around US-EU Privacy Shield laws, but also around new topics such as GDPR violations when some organizations use Google Analytics and transfer data outside the EU.
The Indo-Pacific area is also active with two major privacy laws: China’s PIPL (Personal Information Privacy Law), introduced at the end of 2021, and India’s Personal Data Protection Bill, expected to enter in force this year. Among these, PIPL has been the most controversial due to its extraterritoriality, applying to global corporations which do business with China.
Steps to achieve Compliance (FMY)
Achieving compliance requires adequate planning and mapping. Earlier in 2021, we provided a guideline centered about how to develop a data compliance program. The approach and steps still hold true, with the necessity to discover, classify, evaluate & implement, monitor & enforce, as well as improving our insights around data and classification requirements.
Furthermore, in a dynamic and increasingly complex labyrinth of regulations, automated discovery, classification, and request handling are critical capabilities. Organizations cannot afford to maintain large compliance teams dedicated to data privacy regulation enforcement, nor can all of them divert scarce and costly development resources to build in-house data e-Privacy and Compliance solutions.
Instead, they will rely on data management software that either interfaces with core IT systems such as CRMs (for example SalesForce), or that can scan large structured and unstructured data sets, including backup and archive data.
These solutions should be capable of handling Data Subject Access Requests (DSARs), but also handle Right-to-be-Forgotten (RtbF) and Right-of-Erasure (RoE) requests, and most importantly to prevent accidental re-enrollment of personally identifiable information (PII) after an RtbF / RoE request has been submitted and processed.
Data Privacy Opportunities in 2022
Data Privacy Day remains an important instrument to strengthen public awareness around data privacy issues. It gives additional leverage to Governance & Compliance functions within organizations to foster a corporate culture which nurtures responsible and ethical handling of personally identifiable information, while also respecting the rights of consumers.
Changing the perception of stakeholders is important, but organizations also need to be empowered with the right instruments to go beyond wishful thinking. Thankfully, several platforms and tools can help achieve those results: Data Protection as a Service solutions are now incorporating privacy-related compliance features; dedicated data management platforms provide a single pane of glass to create customized policies or pre-configured data privacy policies, assess overall state, create ad-hoc queries, generate regulatory-compliant reports, and in some cases even handle the entire DSAR process while maintaining audit logs as tangible proof of action.
An interesting side effect of the regulatory pressure around data privacy is the gradual convergence between that topic and data security. A point will be eventually reached where data privacy capabilities will become an integral part of a solution’s data security posture. Although the impact cannot be fully assessed, features could for example be related to data residency and cross-country data transfer restrictions, obfuscation of PII for non-entitled users, and much more.
Data Privacy Day reminds us of the importance of securing personally identifiable information, the necessity of protecting customer data, and the need to rebuild trust between citizens and organizations.
For citizens, the same recommendations apply year over year and rotate around adequate data protection: using password managers, enabling multi-factor authentication, and remaining vigilant can mitigate data leak risks. Actively using privacy controls on devices, apps and website is also recommended, but more education around trade-offs between privacy and convenience is needed to make the best choices.
For organizations, data privacy day is every single day in the year. The challenges are already massive, and in 2022 they should plan for increased regulatory complexity. Those conducting international business are prone to be impacted by new laws in Asia, a throng of upcoming EU regulations, and uncertainty around the current regulatory framework (GDPR and Schrems II judgement blast radius), particularly due to conflicting interpretations of regulations. But those sticking to the US market will not be spared either: the lack of federal regulations and the inability to achieve political consensus in congress causes states to introduce their own privacy laws. While this is a net positive for consumers, the proliferation of such laws (with a final hypothetical landscape of 50 different privacy laws) can end up doing more harm than good.