Shifting Global Data Protection Regulations Create Uncertainty for Businesses
October 2020 by IntSights
Privacy Shield, a popular mechanism allowing US companies to transfer and store EU personal data, is down and out. A draft of China’s controversial new data privacy law is in. The UK is out of the EU, which impacts GDPR. Brazil’s new data protection plan is officially in. And Californians vote in November to toughen the nation’s strictest data protection rules. Confused?
For any business that collects personal data on its customers and does business across state or national boundaries, the regulatory landscape can be a dizzying patchwork, in which the rules are different everywhere and are constantly changing.
To help clarify and explain the current state of data privacy regulations around the globe, here are some of the latest developments relative to China, the US, Europe, and South America.
Brexit and the European Union
Let’s start with the European Union, which pioneered strict data privacy protections. The General Data Protection Regulation (GDPR) was adopted in 2016 and has been enforced since May 2018. It gives individuals control over how organizations collect, transfer, and store their personal data: citizens can ask that their data be deleted or, if there is an error, that it be corrected. The UK’s withdrawal from the EU has thrown the rules for data transfer between the UK and the EU into question, and, as of today, there is no clear answer on how existing data use and transfer agreements will be handled.
The current transition period, during which GDPR rules still apply in the UK, expires at the end of January, and negotiations are underway to reach a permanent agreement. The most likely, but certainly not guaranteed, outcome is that the UK will simply adopt its own version of GDPR. But organizations should also prepare contingency plans in case no agreement is reached and companies need to implement their own data transfer arrangements to satisfy GDPR requirements.
Privacy Shield and the United States
Organizations on both sides of the Atlantic must now review their network of vendor relationships to check which are reliant on Privacy Shield, and then put a new data transfer mechanism in place, most likely Standard Contractual Clauses (SCCs).
In the absence of a national strategy, California has taken the lead and adopted strict GDPR-like data protection regulations. Several other states have adopted similar regulations, and more are expected to follow suit. So the smart move for companies collecting or storing customer data in the US is to make sure that data protection and information privacy policies comply with California’s rules as a baseline.
A further strengthening of the California Consumer Privacy Act (CCPA), Proposition 24, is on the ballot this November. The current regulation, which went into effect on January 1, 2020, enables Californians to find out what personal information a business is collecting and gives consumers the ability to opt out of the sale of their personal information. Residents can also sue companies that don’t safeguard their personal data. Proposition 24 would go further and allow Californians to opt out of data collection entirely.
On September 18, President Jair Bolsonaro signed the Brazilian General Data Protection Law, Lei Geral de Proteção de Dados (LGPD), which applies to organizations in Brazil as well as non-Brazilian companies that process personal data for the purpose of offering or supplying goods and services to individuals in Brazil. With some minor variations, LGPD aligns closely with GDPR, so companies that are GDPR compliant should have a better chance of meeting the requirements of the LGPD.
China has issued a draft of what is probably the most consequential and provocative data protection regulation to date, because it includes practices and standards that scrutinize not only personal data use but also surveillance. The current trade dispute between the US and China adds to the potential for contention over the draft.
On the surface, China’s comprehensive new regulations are long overdue. China has been behind the curve when it comes to adopting GDPR-style data protection rules. Instead, China was operating under a patchwork of multiple regulations.
The new law would tighten regulations for accessing and sharing data, create new management responsibilities for data entities, and promote the use of government data. Entities that require access to Chinese user data will need to comply with strict new data security requirements, such as establishing managing bodies and completing regular risk assessments.
Measures already taken by other countries to counter Chinese data practices and protect personal information, such as the US “Clean Network” initiative, which imposes tough restrictions on Chinese hardware and software vendors, have further agitated the environment. In response to US measures, China’s draft regulation promises “corresponding measures” against countries that limit data flows and technology investment into China.
Article 32 of the draft regulation states: “Where public security departments and national departments need to consult data in order to lawfully safeguard national security and investigate a crime…relevant organizations and individuals shall grant cooperation.” The concern is that the regulations could require non-Chinese/foreign companies to turn over customer data to the Chinese government.
How Can Businesses Comply with the Global Spectrum of Regulations?
No matter which jurisdiction a company falls under, there are best practices that all companies should follow in order to protect customer data.
For example, companies should practice minimal data collection – in other words, only collect the data you need in order to conduct business-as-usual (BAU) activities. A good understanding of those BAU activities will enable a company to limit the data it requires to conduct business. Companies should also build customer consent into any data collection activities.
It is vital that companies enforce a strict security policy on any data they store, process, or transmit. Organizations should make every effort to protect data through data classification, encryption, and data loss prevention. Those security measures should be undertaken across on-premises and cloud environments. In addition to traditional reactive security tools like anti-virus, organizations should also deploy newer, more sophisticated approaches, such as threat intelligence and attack surface analysis, to fully understand their data threat exposure.
Education is also important; this includes anti-phishing and data hygiene training for employees, as well as education for customers about security and privacy. Companies should extend security and privacy policies across the entire vendor ecosystem of third parties, contractors and consultants.
Cyber Threat Intelligence and Data Privacy
Adhering to varying data privacy regulations in different geographies can make any security or compliance practitioner’s head spin. Cyber Threat Intelligence (CTI) can empower these teams to proactively assess their organization’s risk and liabilities and help them avoid falling out of compliance.
CTI can be deployed to align threat intelligence with an organization’s cybersecurity framework. A good CTI solution can measure compliance with regulatory requirements and align with global privacy laws and regulations, ensuring security stacks can handle the rigor of current and forthcoming requirements. To learn how the IntSights External Threat Protection (ETP) Suite provides solutions that help security and compliance teams achieve these goals, click here.