October 16, 2020 By Aleksandra Popova 4 min read

Almost everyone at this point has heard about the European Union’s (EU) General Data Protection Regulation (GDPR). You’ve probably received an email from a company that you have shopped with explaining the recent changes in their privacy policy. Or, you’ve sat through a GDPR training at work, or you’re simply aware that some of the world’s largest companies with European subsidiaries need to comply with it.

GDPR went into effect in May 2018 and not only impacted businesses in the EU, but also globally. Many companies had to change the way personal information was being collected and used while simultaneously having to meet the compliance deadline.

While the GDPR was the first of its kind and seen as a gold standard in privacy protection, it is not the only data protection regulation companies need to comply with today. The GDPR’s introduction was only the beginning. In just two years, its ripple effect caused other regulators to follow with enhanced privacy regulations. Other countries ranging from Brazil to Thailand, as well as U.S. states, such as California, have enacted or are currently working to enact their own version of the GDPR framework.

These numerous privacy regulations may present challenges for companies, namely, navigating and interpreting the patchwork of rules that vary in their obligations and breach reporting requirements. Below are some challenges companies may face in light of the current privacy regulatory environment as it continues to evolve.

To learn more about best practices for keeping abreast of changes to global privacy regulations and more about Brazil’s General Data Protection Law (LGPD) and its implications, please join the upcoming webinar at 11 a.m. EDT on Oct. 22, 2020.

Patchwork of Data Privacy Protection Laws

The GDPR’s goal is to harmonize privacy rules across the different EU member states. However, it also inspired a patchwork of privacy laws around the world. Each is slightly or significantly different, but is modeled after the same framework.

As the regulatory environment continues to evolve rapidly, companies are struggling to keep up. GDPR sets a high level of protection for individuals, ranging from strict rules for processing personal data to granting data rights to users, including the right to be forgotten. Some countries, such as Argentina and New Zealand, are in the process of amending and implementing their own enhanced versions of data protection laws. Other areas have already enacted GDPR-inspired laws, including Brazil, Thailand, South Africa, Bahrain, Israel, Dubai, Abu Dhabi and more.

In the U.S., there is currently no all-inclusive data privacy regulation at the national level. California was the first state to follow the GDPR’s example with the enactment of the California Consumer Protection Act (CCPA) in January 2020.

While companies have had a few years to get up to speed on GDPR, they now have to turn their attention to the growing number of new data privacy regulations taking effect worldwide. They are struggling to figure out which privacy rules apply to them and to sort out the various requirements among them. For example, the types of companies these laws apply to, the types of individuals they protect and how broadly or narrowly they define personal information all differ among GDPR, CCPA and Brazil’s LGPD. Thus, while many of today’s regulations were originally modeled after the GDPR, their scope and applicability vary.

Meeting the Growing Requirements

Aside from figuring out which laws they must comply with, organizations may find themselves increasingly challenged to meet the growing requirements. For example, as most of these regulations are modeled after GDPR, they often adhere to its mandatory 72-hour privacy breach reporting requirement. This may mean information expectations are high and the timeline for providing the various notifications is short.

This poses a potential challenge to companies that may be subject to these regulations while attempting to maintain ongoing operations. Figuring out who has been affected, how extensive the impact has been and why it occurred, and then notifying the relevant data protection authority of a reportable privacy breach, all within 72 hours, is a demanding task.

Companies may find themselves scrambling and needing to change their incident response plans and internal security tools and processes to ensure strict reporting requirements can be adequately met.

Another example of a challenge companies may face is associated with the rise of data subject rights (DSR) provisions in modern privacy laws. DSR requirements have become more prevalent around the globe as more regulators expand the rights they allocate to their citizens. DSRs predominantly gained recognition with the implementation of the GDPR when many organizations first began facing a high volume of data subject access requests (DSARs).

Other companies that may not have previously been subject to DSARs under GDPR nevertheless may find themselves facing similar requirements under the CCPA, LGPD and other privacy laws. Managing DSARs is a challenge because the rights tend to vary, as do the timeframes for responding.

Constant Uncertainty about Transferring Data

Another challenge revolves around the constant uncertainty companies face regarding their ability to transfer data between the EU and the U.S. The most recent example is the judgment of the European Court of Justice invalidating the Privacy Shield, which was the transatlantic agreement used by more than 5,000 companies to transfer data between the EU and the U.S. Since this ruling, many companies have relied on standard contractual clauses found in their individual legal agreements for transfers like this. The validity of those, however, is being called into question. The court has suggested EU citizens may need additional safeguards to make sure their data is protected up to GDPR standards.

The potential repercussions if the legitimacy of standard contract clauses is invalidated could be significant for companies whose operations rely on them. Information is still being issued on what changes might be necessary to make standard contractual clauses acceptable to EU authorities. Meanwhile, companies of all sizes hope to gain some clarity and guidance as they navigate the patchwork of privacy laws.

A Proactive Approach for GDPR Compliance and Beyond

Companies have an enormous incentive to comply with new privacy laws, as the failure to do so could expose them to significant fines, penalties and reputational damage. A proactive approach can be instrumental in handling the growing number of privacy regulations and the various obligations and requirements companies may be subject to today. A good example is Brazil’s LGPD, which unexpectedly went into effect after uncertainty over its effective date and potential delay. Global companies that decided to take a more proactive approach in incorporating its requirements into their privacy frameworks should be well prepared.

