How Some Data Privacy Laws Could Have Implications for Data Protection

Schutz October 27, 2021

After the lightning comes the rolling thunder; that’s what’s happened with data privacy laws worldwide. The implementation of GDPR came like a lightning bolt in 2018, with the following thunder being dozens of jurisdictions worldwide considering similar laws regulating how companies handle individuals’ private data in the years since.

For multinational enterprises, some of these regional data privacy laws being debated or proposed have important implications for data protection. Let’s look at how some local privacy laws, either proposed or newly enacted, could impact how companies handle and protect customers’ data.

Dave Scott
Senior Director of Product Management, Digital Compliance

India’s PDPB: As originally drafted, this legislation would require companies to process and store personal data about Indian citizens on a server located in India. A provision like this would make it critical for IT teams to be able to sort through terabytes and petabytes of data across on-premises, virtual, and cloud environments to detect personal data pertaining to customers in India and ensure it’s stored and backed up on data centers in India.

Singapore’s PDPA: The law requires companies to notify authorities within three calendar days if a data breach involving personal data has occurred. This is arguably more strict than GDPR, which specifies that a breach notification should happen “without undue delay.”

Brazil’s LGPD: This law, which became fully enforceable as of August, has a specific set of criteria that companies must meet as a justification for processing individuals’ personal data. This makes it imperative for IT teams to have complete visibility into the purpose for which sensitive data is being used.

Canada’s CPPA: One of the most important parts of this proposed legislation is the requirement that companies keep records of customers’ consents to use their personal data, in case of an audit or if a customer makes a request to withdraw their consent.

Thailand’s PDPA: This law, which took effect June 1, allows companies to continue processing personal data on Thai citizens that they collected before June 1, provided they’re using the data for the same purpose. This means IT teams need to clearly understand the exact purpose and usage of any sensitive data they’ve collected and provide the means for citizens to withdraw their consent.

Virginia’s CDPA: Like California’s CCPA, this Virginia law will add further complexity when it takes effect Jan. 1, 2023. Businesses operating in Virginia or collecting data on Virginia residents will need an effective means to correctly tag and classify data covered under CDPA so that they can avoid fines for violations such as selling or using data.

China’s PIPL: This law, which takes effect Nov. 1, requires companies to limit their use of personal data to the “minimum scope necessary” to meet the goals of handling that data, and also requires them to obtain consent from individuals before transferring their data outside of China.

Many of these regional privacy laws broadly share similar features, with important local nuances. As jurisdictions implement new privacy laws, companies will need to continue to gain better insights and visibility into how they’re using data. It’s now a business imperative to take these measures:

  • Automatically classify data such as emails, social media, customer databases and other sensitive files to understand what data is covered under local laws and where that data is stored. Machine learning algorithms are capable of analyzing large volumes of dark data and using contextual information to identify personal data covered under local privacy laws.
  • Map your entire data landscape so that you can easily identify important documents and files from archives to meet discovery requirements. This includes having the ability to redact sensitive content that isn’t relevant to a discovery process.
  • Understand all content being stored via classification and use this understanding to determine what can be stored (avoiding highly sensitive content unless required) and to ensure that it is stored properly with adequate security.

As difficult as it may seem for enterprises to comply with so many evolving, jurisdiction-specific data privacy laws, the good news is that they’ve become a catalyst for a change in mindset. Companies are becoming smarter about what data they have and the risks involved. The end result will hopefully be fewer instances of companies suffering a data loss or experiencing a ransomware attack that puts customers’ data at risk.