As our personal information becomes digitized and organizations push to collect more and more of it, data privacy has become a critical issue. Regulation is needed to protect the growing volume of personal data, and most national governments are responding with their own data privacy laws.
The Road to Regulation
According to a new, interactive map from the United Nations Conference on Trade and Development (UNCTAD), 58 percent of the 194 UNCTAD member countries report having data protection and/or privacy legislation on the books, and another 10 percent have draft legislation in the works. Unfortunately, 21 percent of countries have neither legislation nor a draft in process.
A global map of cyberlaws, the Global Cyberlaw Tracker monitors the state of e-commerce legislation including laws over e-transactions, consumer protection, data protection/privacy, and cybercrime. It’s a helpful tool for organizations as they work to safeguard the personal information of citizens around the globe. However, it’s also a good illustration of the significant challenge organizations face in data protection compliance.
To further complicate matters for companies that do business with Americans, there is no comprehensive federal data privacy law in the United States. Instead, companies are left to interpret and comply with a growing patchwork of individual state laws, a movement now gaining momentum thanks to the California Consumer Privacy Act (CCPA) of 2018.
Is GDPR the Future of Global Data Privacy Laws?
To avoid having to comply with 50 different state laws, big tech companies are calling for a single federal law similar in concept, though not in scope, to the European Union's GDPR. Most data privacy activists champion the regulation, but many organizations are wary of what they might be asking for. GDPR is considered the world's most stringent data protection law. Since it took effect in May 2018, nearly 60,000 data breaches have been reported to regulators, but only 91 fines have been imposed to date. According to a report by international law firm DLA Piper, the countries reporting the most breaches so far are the Netherlands, Germany, and the United Kingdom.
Keeping up with the evolving regulatory landscape requires constant attention, just like monitoring sensitive data that is always on the move. While the world's lawmakers scramble to keep pace with escalating data privacy issues, costly fines and judgments in the court of public opinion are already being handed down. It is important to understand what data you collect, where it is shared, and how it is protected. While many data privacy regulations are still being developed, implementing controls that align with a comprehensive framework like GDPR helps protect your organization's data and prepares you for forthcoming regulations.
For more information on the global state of data privacy, watch the next episode of our Cybersecurity Insights video below. And while you're at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
Hello again! Josh here from Absolute. In our last episode, we saw how the digital world has made data privacy a top priority. In this episode, we’ll look at some of the laws designed to protect data privacy.
The most obvious place to start is with the General Data Protection Regulation (GDPR) which is fashioned as a statement of rights, including:
- The right to rectify
- The right to be forgotten
- And the right to civil action
Rectify simply means that when someone requests a change to the details of her digital self, you must find every place her data could be so that you can rectify the information and comply with GDPR.
The right to be forgotten is also key: a person's digital identity is to be purged; in legal jargon this is called the 'right to erasure'.
Once again, we need to find it, which means we need to probe every endpoint to discover where the data is so that we can remove it.
Finally, the GDPR guarantees the right to sue for damages when personal data is misused or left unprotected.
Okay… well, now we have to demonstrate that safeguards are active, up-to-date, and working effectively.
It's the only way to prove your innocence and avoid a fine, which can be as high as 4% of your organization's annual revenue.
Fumbling on data privacy is a costly mistake.
What about outside Europe?
In the US, we find laws like HIPAA (for health information) and S-P and S-ID statutes for personal financial information, enforced by the SEC. But no national privacy standard.
In the meantime, we need to follow state laws like CCPA in California. Some have called CCPA 'GDPR-lite'. But that's only for the penalty amounts. CCPA imposes more restrictions, demands faster reporting and tighter controls than GDPR. If it's true, as they say, that 'As California goes, so goes the country', then we can expect the US to end up with more stringent standards than the EU.
Then we come to PIPEDA, Canada's newly refreshed hammer for privacy. Not only is reporting unauthorized access required (like GDPR), but reporting is also required if the safeguards (anti-virus, encryption, security agents) have broken, regardless of whether the attacker was successful.
Wait! You have to prove your security posture was airtight when the incident happened, not just if data was stolen? Yep, that's what we're sayin' (eh)!
Data privacy is today's great challenge for IT and security teams, and with 35% of sensitive data out of sight on endpoints, there has never been a stronger need for persistent endpoint visibility and control.
Next time we will explore the steps you can take to ensure data remains private. Be sure to subscribe and drop your comments below. I'll see you then.