Privacy 2.0: Understanding Shifts in the Compliance Landscape
Table Of Contents:
The advancement of artificial intelligence (AI), connected devices and other technologies has led to a data explosion. In fact, it’s estimated that the world currently creates nearly 330 million terabytes each day.
By collecting and using this treasure trove of data, businesses can better understand and target their customers, and ultimately improve their business strategies and product offerings. However, as data collection increases, governments are taking steps to protect it through new legislation. As they do so, issues such as data transparency, portability and deletion are becoming important priorities for modern businesses, with data misuse putting them at risk of hefty fines and reputational damage.
As the technology landscape continues to evolve, data protection regulations and guidelines will change too.
Global Data Protection Law Is Changing
Over the next few months, businesses can expect to see changes to a number of global data protection regulations – including the California Consumer Privacy Act (CCPA) in the US, the General Data Protection Regulation (GDPR) in Europe, and the Personal Information Protection Law (PIPL) in China.
The California Privacy Protection Agency this month launched a dedicated website where citizens can learn more about their privacy rights. Greg Clark, director of product Management at OpenText Cybersecurity, expects the agency to continue increasing the data privacy rights of citizens through the implementation of “stricter rules on using personal data and additional duties to conduct risk assessments and cybersecurity audits”.
There are also big data privacy changes afoot in Europe. Clark predicts that lawmakers will expand GDPR so that it has “deeper roots around data protection, international data transfers and harmonising enforcement action”.
Another big change to GDPR will be the formalisation of the ePrivacy Regulation (ePR), which Clark says will help safeguard individuals’ privacy in the context of electronic communications.
European lawmakers are also pressing ahead with their AI Act. Tim Wright, partner at Fladgate LLP, believes that the new law will “significantly shape privacy guidelines and best practices for AI systems, facial recognition and digital IDs in Europe”. Best practices for these solutions will likely focus on consent, access controls and data minimisation, he adds.
Since leaving the EU, Britain is looking to move away from the GDPR by developing its own data protection regulation. King Charles outlined the government’s plans for a Data Protection and Digital Information (DPDI) Bill.
Andrew Bridges, DQ & governance manager at Sagacity, explains to ISMS.online: “The bill should introduce a clear business-friendly framework that incorporates key elements of the UK GDPR, provide organisations with greater confidence about how and when they can process personal information, and if consent is required.”
China has also developed a robust data protection regime in the form of the Personal Information Protection Law (PIPL), the Data Security Law (DS) and the Cyber Security Law (CSL). According to OpenText’s Clark, the main aim of these laws is to protect data subject rights across China.
But another intention of the Chinese government in drafting and enforcing these laws is likely to improve data flow to “aid in international data transfers, [ensure] safe use of data sharing in general and manage the entire data lifecycle from collection through to disposition”, he adds.
Enhancing User Rights
When it comes to creating new data protection laws and evolving existing legislation, governments seem to be focusing on areas such as data transparency, portability and deletion.
Where data transparency is concerned, Protegrity VP, Alasdair Anderson, explains that lawmakers are emphasising the importance of “clear, accessible information about how personal data is being used”.
There’s now a greater expectation for organisations to improve the transparency of how they handle and use data. Many organisations are taking steps such as providing privacy notices and disclosures about data collection and usage, as part of an “ongoing operational process with associated cost overhead”, explains Anderson.
He tells ISMS.online that lawmakers are also making it easier for people to move their data between service providers. This has improved interoperability among services and handed users more control over their data. Such trends may “drive a convergence in the standards for data exchange, storage and perhaps even privacy protection,” Anderson argues.
Although data transparency and portability rights have come a long way in recent times, Anderson admits that the right to data deletion remains a significant challenge for mature companies with distributed infrastructure and processes.
“Cost-effective operational execution can only be achieved by an advanced technology approach to data and privacy management,” he explains. “The alternative, which is not unheard of, is to have staff spend significant resources to try and locate user information.”
How Standards Can Help
For organisations looking to ensure continuous compliance with evolving data protection regulations and improve data security, adopting a recognised industry standard like ISO 27701 could be a good first step.
OpenText’s Clark encourages organisations to follow the standard, as it will provide them with “a baseline for enhanced data privacy”. He describes it as an extension of ISO 27001 that establishes “specific controls” for personal data protection.
“It creates a common framework that helps ensure compliance with data privacy regulations like GDPR & CCPA, mitigating the risks of managing personal data, and strengthening trust with external & internal stakeholders,” he explains.
As online security threats intensify, the implementation of ISO 27701 could also help organisations bolster cybersecurity. Clark says this is possible because ISO 27701 sets out “practices for identifying and proactively assessing risks and vulnerabilities”.
In so doing, it could help firms decrease the likelihood of financial loss, reputational damage, and downtime related to data breaches, and improve the overall efficiency of operations.
“Implementing ISO 27701 helps streamline data handling procedures and optimise resource management for data protection. It is translating to cost savings and improved operational efficiency in an organisation,” he adds.
Before adopting ISO 27701, Clark advises organisations to review the requirements set out by the standard and identify any gaps in their data practices. This will enable them to create a compliance roadmap, spot cybersecurity practice synergies, and leverage automation technologies.
Data collection has massive benefits for businesses, but without proper safeguards and policies in place, it can also represent a huge corporate risk. To use data ethically and responsibly, businesses must understand the risks involved and comply with industry regulations. What’s clear is that ISO 27701 makes this much easier.
Unlocking Success: A Guide to Implementing ISO 27701
We’ve created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. There’s no form to fill in. Download the PDF today for a simple kick-starter on your journey to more effective data privacy.