By the close of 2023, 65% of the world’s population will have their personal data covered by modern privacy regulations, according to a recent study published by the US-based tech consultancy, Gartner, Inc.
Since the ground-breaking introduction of the General Data Protection Regulation (the “GDPR”), in 2018, we’ve seen significant national action – and intensified competition – vis-a-vis global privacy baselines.
In Asia and South America, for example, new legislation, including China’s ‘Personal Information Protection Law (PIPL)’, builds on much of the GDPR framework, in requiring that data subjects have the right to access, right to withdrawal, and right to request the deletion of their data. Yet, in some cases, also departs from the global norm – most notably, in China’s case, in being overseen by independently-operated agencies.
In the US, too, developments have been moving apace, with substantial legislative and regulatory activity. Comprehensive data privacy frameworks have already, or will very shortly, take effect in California, Virginia, Colorado, Utah, and Connecticut, and the recent Executive Order, regarding the EU-U.S. Data Privacy Framework, is also expected to be implemented in due course.
Across the pond, in Europe, this year also promises to be a busy one, with national agencies in the UK, Germany and France not only intensifying their efforts to more widely enforce existing GDPR rules, but, at a pan-European level, also preparing for the roll-out of new legislation in the form of the EU Data Governance Act (DGA), which will facilitate data access and sharing within the public sector; the EU Data Act, which enable greater transparency to data subjects by providing easy access to device-generated data; and the EU Artificial Intelligence (AI) Act, which, if carried through into law, would categorize AI applications under defined risk “areas”. There’s also the departure, at the end of 2023, of third-party cookies, which will represent a significant shift from today’s practices of targeted advertising and personalization.
Against this backdrop, its imperative businesses keep on top of, and ensure they’re compliant with, these new regulations, despite lengthy grace periods. It’s also useful for them to look beyond the vision of mere adherence, towards new opportunities and assets that may be born from this work – such as the development of better protections, in the event of a data breach; improved operational efficiency and alignment with new technologies; and reductions to sale delays.
In my role, as privacy and data protection lead at VFS Global – a company that handles sensitive personal material on behalf of millions of customers each year – I see regulatory compliance and privacy investment not only an internal barrier of defence, which is of the utmost importance for our clients, but also as an added value, which can yield bottom-line benefits for our organisation. I would encourage those with remits of data management to adopt the same viewpoint, and consider the following:
Better security
Many of the new regulations, across key markets such as the EU, require organisations to implement a minimum level of security to prevent data loss, information leaks and other unauthorised data processing operations. There is no single platform for ensuring data loss prevention in any business, large or small, so it is key to map all platforms where is handled and stored. To achieve this, and maintain a water-tight position, businesses should bring together their teams for discussion and collaboration, so that everyone knows where data resides, and how it can be correctly stored and extracted, where required. This blending can help streamline processes, between otherwise distinct – and sometimes distant teams – and can be used as a platform for discussion about future goals and how security measures should be expanded, extended and/or changed.
Reduced maintenance costs
While it is true that there is some expense to compliance, particularly from a starting position, adherence with market regulations can actually help organisations reduce costs, by prompting the retirement of any data inventory software and applications that are no longer relevant. By following a regulatory mandate, such as the GDPR, the Consumer Privacy Act (CCPA), and other major jurisdictional regulation, businesses can significantly reduce their expenditure on data storage by consolidating information currently held in silos or stored in inconsistent formats.
Improved customer confidence
One of the chief benefits, yielded from compliance with some of the newer market regulations, is the assurance this work provides to customers. Adherence illustrates a businesses’ focus on data protection, and gives consumers peace of mind that the organisation they’re dealing with has a fully-briefed data protection officer (DPO), who will undertake regular audits of data processing activities, and ensure the necessary framework is in place to keep data subjects’ personally identifiable information secure. More and more customers are demanding this of organisation that process their data.
Broader decision-making
Some of the major jurisdictional rulebooks, including the EU’s GDPR, stipulate that businesses can no longer make data changes that significantly affect an individual, based on automated decisions. In short, they mandate the right for obtain human intervention, and thereby decrease the room for arbitrary decisions.
This means the data a business holds will become more consolidated as a result of compliance, and ensures that it is easier to use, more accessible and that businesses have a greater understanding of its underlying value. This insight gives organisations the opportunity to learn more about its customers, and identify areas where customer requirements are not being met. By using customer information effectively, a compliant organisation will be able to make better decisions and, consequently, get a better return on its privacy investments.
Conclusion
With so many changes coming down the line, it’s important for DPOs, and other chief information officers with oversight of privacy and data management, consider what changes they will need to implement. Adopting upward revisions in baseline regulation, across all relevant business jurisdictions, doesn’t need to be burdensome or even a costly exercise. In the main, it is incremental change, which should be viewed beyond internal protection as a marketable asset. Compliance with the gold standard will not only offer customers greater assurances and transparency in an age of mistruths, but also bring brand benefits, and help an organisation differentiate itself from its competitors.