Elliot Rose, head of cyber security at PA Consulting, discusses GDPR compliance and US data privacy updates with SC Magazine.
The article notes that we are approaching the one-year anniversary of the launch of the European Union’s General Data Protection Regulation (GDPR) and that, so far, most companies have been spared the worst the new law has to offer. Companies’ reactions vary depending on their exposure. EU-based companies have had little choice but to get their houses in order, and many were already somewhat compliant thanks to existing EU regulations. Companies outside the EU that do business with EU citizens but have little presence on the continent have a choice: they can wait and see what happens as the GDPR winds its way through the courts and then decide whether the cost of compliance is worth it, or, as some already have, pull out of the EU market altogether. Or, of course, they can take their chances on being just one tree in the forest, invisible to the regulators so long as they suffer no serious breaches. That approach has potentially serious flaws. Given that data privacy regulations are gaining momentum all over the globe, neither of these options is considered a best practice by those advising firms on GDPR compliance.
And new regulations are on the way. The State of California, for example, passed a data privacy law in 2018, the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. We may also see action at the federal level to further strengthen personal data privacy.
Elliot says that California’s law is even more restrictive in some areas than the GDPR.
California is not alone in passing some form of privacy law. More than 20 states have internet-related privacy laws covering the use of government websites, children’s data, email monitoring and access, or false and misleading privacy policies.
Nearly a quarter of the world’s countries, 45 of the 195 recognized by the United Nations, currently have laws regulating how personal data can be used, and more are coming. Brazil recently enacted a data privacy law modelled on the GDPR. India drafted a similar measure in 2018.
Elliot adds: “China has stepped into the ring as well so all kinds of players around the world are getting involved.”
Now, companies of all sizes will have to begin safeguarding personal data in ways that will be new and burdensome for many, though not without precedent. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) impose stringent personal data protections on companies in the healthcare and financial services sectors, respectively. Regulators such as the Federal Trade Commission (FTC) also hold companies to account for data privacy violations. So there are established best practices and road maps to follow when setting up a rigorous compliance practice in your organization.
Most companies are taking a proactive approach to the new realities of personal data protection. But because many of the fines to date have been nominal compared with what they could have been, some companies are waiting to see what the supervisory authorities in each EU member country are going to do. The prevailing wisdom is that fines will go up as regulatory actions play out.
Elliot adds: “The fines are really low. That’s what a lot of companies are waiting to see; if the ICO (Information Commissioner’s Office) will up the fines. Organizations are just waiting a little bit. But, if the fines are significant, it will drive a second wave of activity around GDPR.” The ICO is the UK’s supervisory authority.
He continues: “While the fines are being levelled by the ICO, there is the provision for civil damages, so we might see a few of the law firms start to think there may be some revenue in this around the big data breaches.”
A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?