As businesses and economies become more data-driven and digitally transformed, data privacy laws expand and strengthen around the world. Exemplifying the tightening regulatory environment is Gartner’s prediction that by 2024, 75% of the world’s population will be protected by some form of data privacy law.
A more complex data privacy landscape is good news for individuals and data privacy advocates, but there’s no doubt it creates more challenges for businesses. Compliance is a complicated task that involves knowing the rules, gaining full visibility over data flows and implementing appropriate safeguards. This article takes a look at the recent evolution of data privacy laws and provides some cybersecurity tips to ensure you keep up with relevant compliance requirements.
In May 2018, the enforcement of GDPR became a reality and kick-started a quantum leap in data privacy for the digital era. Less than two years later, the state of California followed suit with the California Consumer Privacy Act (CCPA) in January 2020. These regulations applied more general data privacy protections on top of existing regulations like HIPAA and PCI DSS that protect specific types of information.
Here are some more recent and upcoming changes to data privacy that tell the story of an evolving landscape:
CPRA Goes Live
On Jan. 1, 2023, the California Privacy Rights Act (CPRA) came into force and introduced a slew of amendments that strengthened the existing CCPA regulatory requirements. From a compliance perspective, the new changes include better protection of highly sensitive personal data, a right to correct inaccurate data, regular risk assessments and an explicit requirement to minimize data collection to what is reasonably necessary for the intended purposes. All of these changes bring California’s data privacy regulations into closer alignment with GDPR, which is widely regarded as the standard in modern data privacy.
Higher Fines in Australia
An interesting development in Australia in late 2022 saw parliament approve an amendment that increases the maximum penalties under the country’s data privacy law for large-scale breaches of personal data. From a previous maximum penalty of AU$2.22 million, organizations now face a maximum penalty of AU$50 million, which is even higher than the GDPR’s maximum fine. This update to the existing rules demonstrates the fluidity of the regulatory landscape.
Data Privacy for 1.4 Billion People in India
The Indian government published a new iteration of a draft digital data privacy regulation for its 1.4 billion citizens in 2022. The proposed law has been in the pipeline for almost four years, but previous versions were deemed inadequate. The latest draft, the Digital Personal Data Protection Bill (2022), has been commended by the advocacy organization CCIA as a marked improvement on prior iterations of national privacy legislation in India. When this regulation eventually comes into force, any organization doing business in India will have an extra set of rules to think about.
A Slew of New Regulations in the U.S.
A slew of different states have started to follow in California’s wake with their own data privacy laws. Among the new regulations coming into force in 2023 are:
Expect even more states to follow suit in the coming years as people become more informed about data privacy and demand better protection.
Here are some helpful tips for keeping up with the fast-paced evolution of privacy laws and the ever-more stringent regulatory landscape:
Strengthen Your Identity and Access Management
Employee user accounts remain a common entry point for intruders into networks; once inside, they can pivot to locate and steal personal data. These data breaches are the source of many of the harshest compliance fines.
To get a quick compliance win and reduce the security risk from this attack vector, strengthen identity and access management with a particular focus on robust authentication. Require strong passwords and use multi-factor authentication. Additionally, revoke the access rights and privileges of orphaned user accounts that are no longer associated with active users, since an account nobody owns is one nobody is watching.
Map Your Data
Comprehensive data visibility is arguably the most pressing compliance challenge. In a complex ecosystem of cloud SaaS apps and high volumes of information being collected and generated daily, companies struggle to find and track all sources of personal data, with whom the data is shared and where it’s stored. Failure to map your data is almost guaranteed to leave blind spots in safeguarding that information or in recording how it’s processed; both are required by various regulations.
Manual approaches to data mapping are almost guaranteed to fail due to the complexity and scale of the task. Thankfully, technology companies continue to innovate with solutions that automate data integration and classification across your most-used platforms. A single source of truth into data and its movement can save a lot of compliance hassle.
Prioritize Data Minimization
Data minimization is an important principle to implement because it limits the data you collect and retain to only what’s necessary for its disclosed and intended purpose. With a strong culture of data minimization, you’re more likely to avoid cases where data gets shared indiscriminately across your organization for purposes that weren’t specifically disclosed to users in a privacy notice.
Create a Strong Data Privacy Notice
The more transparent you are to users about what information you collect and how you plan to use it, the better the results for your compliance program. Most regulations require an external-facing privacy notice accessible to users.
A strong data privacy notice uses clear, unambiguous language, is easy to find on your website, and gets updated regularly to reflect regulatory changes. Most importantly, this notice is 100 percent transparent about what data your business collects, the purpose of its use, and the entities with whom it’s shared.
Don’t downplay the impact of staying informed. If you stay up to date on data privacy bills or amendments moving through legislatures, you stand a better chance of being proactive with your compliance approach.
Of course, understanding regulatory requirements is one part of the compliance puzzle. Actually coping with today’s data-hungry threat actors and fending off their constant attempts to breach your systems and exfiltrate data is imperative, no matter what regulatory environment you operate in.
Nuspire’s cybersecurity consulting practice not only offers support to help you navigate the complexities of data privacy, but also recommends strategies and solutions to fortify your security defenses.