October 16, 2020 By Aleksandra Popova 4 min read

Almost everyone at this point has heard about the European Union’s (EU) General Data Protection Regulation (GDPR). You’ve probably received an email from a company that you have shopped with explaining the recent changes in their privacy policy. Or, you’ve sat through a GDPR training at work, or you’re simply aware that some of the world’s largest companies with European subsidiaries need to comply with it.

GDPR went into effect in May 2018 and not only impacted businesses in the EU, but also globally. Many companies had to change the way personal information was being collected and used while simultaneously having to meet the compliance deadline.

While the GDPR was the first of its kind and seen as a gold standard in privacy protection, it is not the only data protection regulation companies need to comply with today. The GDPR’s introduction was only the beginning. In just two years, its ripple effect caused other regulators to follow with enhanced privacy regulations. Other countries ranging from Brazil to Thailand, as well as U.S. states, such as California, have enacted or are currently working to enact their own version of the GDPR framework.

These numerous privacy regulations may present challenges for companies, namely, navigating and interpreting the patchwork of rules that vary in their obligations and breach reporting requirements. Below are some challenges companies may face in light of the current privacy regulatory environment as it continues to evolve.

To learn more about best practices for keeping abreast of changes to global privacy regulations and more about Brazil’s General Data Protection Law (LGPD) and its implications, please join the upcoming webinar at 11 a.m. EDT on Oct. 22, 2020. 

Patchwork of Data Privacy Protection Laws

The GDPR’s goal is to harmonize privacy rules across the different EU member states. However, it also inspired a patchwork of privacy laws around the world. Each is slightly or significantly different, but is modeled after the same framework.

As the regulatory environment continues to evolve rapidly, companies are struggling to keep up. GDPR sets a high level of protection for individuals, ranging from strict rules for processing personal data to granting data rights to users, including the right to be forgotten. Some countries, such as Argentina and New Zealand, are in the process of amending and implementing their own enhanced versions of data protection laws. Other areas have already enacted GDPR-inspired laws, including Brazil, Thailand, South Africa, Bahrain, Israel, Dubai, Abu Dhabi and more.

In the U.S., there is currently no all-inclusive data privacy regulation at the national level. California was the first state to follow the GDPR’s example with the enactment of the California Consumer Protection Act (CCPA) in January 2020.

While companies have had a few years getting up to speed on GDPR, they are now having to turn their attention to the growing number of new data privacy regulations taking effect worldwide. They are struggling to figure out what privacy rules apply to them and sort out the various requirements among them. For example, the type of companies these laws apply to, the type of individuals they protect and how broad or specific their definition of personal information is vary among GDPR, CCPA and Brazil’s LGPD. Thus, while many of the regulations today were originally modeled after the GDPR, their scope and applicability vary.

Meeting the Growing Requirements 

Aside from figuring out which laws they must comply with, organizations may find themselves increasingly challenged to meet the growing requirements. For example, as most of these regulations are modeled after GDPR, they often adhere to its mandatory 72-hour privacy breach reporting requirement. This may mean information expectations are high and the timeline for providing the various notifications is short.

This poses a potential challenge to companies that may be subject to regulations while attempting to maintain ongoing operations. Figuring out who has been affected, how extensive the impact has been and why it occurred, coupled with notifying the relevant data protection authority of a reportable privacy breach, all within 72 hours, may pose a challenge.

Companies may find themselves scrambling and needing to change their incident response plans and internal security tools and processes to ensure strict reporting requirements can be adequately met.

Another example of a challenge companies may face is associated with the rise of data subject rights (DSR) provisions in modern privacy laws. DSR requirements have become more prevalent around the globe as more regulators expand the rights they allocate to their citizens. DSRs predominantly gained recognition with the implementation of the GDPR when many organizations first began facing a high volume of data subject access requests (DSARs).

Other companies that may not have previously been subject to DSARs under GDPR nevertheless may find themselves facing similar requirements under the CCPA, LGPD and other privacy laws. Managing DSARs is a challenge because the rights tend to vary, as do the timeframes for responding.

Constant Uncertainty about Transferring Data

Another challenge revolves around the constant uncertainty companies face regarding their ability to transfer data between the EU and the U.S. The most recent example is the judgment of the European Court of Justice invalidating the Privacy Shield, which was the transatlantic agreement used by more than 5,000 companies to transfer data between the EU and the U.S. Since this ruling, many companies have relied on standard contractual clauses found in their individual legal agreements for transfers like this. The validity of those, however, are being called into question. The court has suggested EU citizens may need additional safeguards to make sure their data is protected up to GDPR standards.

The potential repercussions if the legitimacy of standard contract clauses is invalidated could be significant for companies whose operations rely on them. Information is still being issued on what changes might be necessary to make standard contractual clauses acceptable to EU authorities. Meanwhile, companies of all sizes hope to gain some clarity and guidance as they navigate the patchwork of privacy laws.

A Proactive Approach for GDPR Compliance and Beyond

Companies have an enormous incentive to comply with new privacy laws, as the failure to do so could expose them to significant fines, penalties and reputational damage. A proactive approach can be instrumental in handling the growing number of privacy regulations and the various obligations and requirements companies may be subject to today. A good example is Brazil’s LGPD, which unexpectedly went into effect after uncertainty over its effective date and potential delay. Global companies that decided to take a more proactive approach in incorporating its requirements into their privacy frameworks should be well prepared.

Register for the webinar

More from Data Protection

How governance, risk and compliance (GRC) addresses growing data liability concerns

4 min read - In an era where businesses increasingly rely on artificial intelligence (AI) and advanced data capabilities, the effectiveness of IT services is more critical than ever. Yet despite the advancements in technology, business leaders are increasingly dissatisfied with their IT departments.According to a study by IBM's Institute for Business Value, confidence in the effectiveness of basic IT services among top executives has significantly declined. While AI promises transformational capabilities, particularly generative artificial intelligence (gen AI), the road to realizing these benefits…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Ransomware on the rise: Healthcare industry attack trends 2024

4 min read - According to the IBM Cost of a Data Breach Report 2024, the global average cost of a data breach reached $4.88 million this year, a 10% increase over 2023.For the healthcare industry, the report offers both good and bad news. The good news is that average data breach costs fell by 10.6% this year. The bad news is that for the 14th year in a row, healthcare tops the list with the most expensive breach recoveries, coming in at $9.77…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today