Almost everyone at this point has heard about the European Union’s (EU) General Data Protection Regulation (GDPR). You’ve probably received an email from a company that you have shopped with explaining the recent changes in their privacy policy. Or, you’ve sat through a GDPR training at work, or you’re simply aware that some of the world’s largest companies with European subsidiaries need to comply with it.

GDPR went into effect in May 2018 and not only impacted businesses in the EU, but also globally. Many companies had to change the way personal information was being collected and used while simultaneously having to meet the compliance deadline.

While the GDPR was the first of its kind and seen as a gold standard in privacy protection, it is not the only data protection regulation companies need to comply with today. The GDPR’s introduction was only the beginning. In just two years, its ripple effect caused other regulators to follow with enhanced privacy regulations. Other countries ranging from Brazil to Thailand, as well as U.S. states, such as California, have enacted or are currently working to enact their own version of the GDPR framework.

These numerous privacy regulations may present challenges for companies, namely, navigating and interpreting the patchwork of rules that vary in their obligations and breach reporting requirements. Below are some challenges companies may face in light of the current privacy regulatory environment as it continues to evolve.

To learn more about best practices for keeping abreast of changes to global privacy regulations and more about Brazil’s General Data Protection Law (LGPD) and its implications, please join the upcoming webinar at 11 a.m. EDT on Oct. 22, 2020.

Patchwork of Data Privacy Protection Laws

The GDPR’s goal is to harmonize privacy rules across the different EU member states. However, it also inspired a patchwork of privacy laws around the world. Each is slightly or significantly different, but is modeled after the same framework.

As the regulatory environment continues to evolve rapidly, companies are struggling to keep up. GDPR sets a high level of protection for individuals, ranging from strict rules for processing personal data to granting data rights to users, including the right to be forgotten. Some countries, such as Argentina and New Zealand, are in the process of amending and implementing their own enhanced versions of data protection laws. Other areas have already enacted GDPR-inspired laws, including Brazil, Thailand, South Africa, Bahrain, Israel, Dubai, Abu Dhabi and more.

In the U.S., there is currently no all-inclusive data privacy regulation at the national level. California was the first state to follow the GDPR’s example with the enactment of the California Consumer Protection Act (CCPA) in January 2020.

While companies have had a few years to get up to speed on GDPR, they now have to turn their attention to the growing number of new data privacy regulations taking effect worldwide. They are struggling to figure out which privacy rules apply to them and to sort out the various requirements among them. For example, the types of companies these laws apply to, the types of individuals they protect and how broad or specific their definitions of personal information are all vary among GDPR, CCPA and Brazil’s LGPD. Thus, while many of today’s regulations were originally modeled after the GDPR, their scope and applicability vary.

Meeting the Growing Requirements

Aside from figuring out which laws they must comply with, organizations may find themselves increasingly challenged to meet the growing requirements. For example, as most of these regulations are modeled after GDPR, they often adhere to its mandatory 72-hour privacy breach reporting requirement. This may mean information expectations are high and the timeline for providing the various notifications is short.

This poses a potential challenge to companies that may be subject to these regulations while attempting to maintain ongoing operations. Figuring out who has been affected, how extensive the impact has been and why it occurred, and then notifying the relevant data protection authority of a reportable privacy breach, all within 72 hours, is a demanding task.

Companies may find themselves scrambling and needing to change their incident response plans and internal security tools and processes to ensure strict reporting requirements can be adequately met.

Another example of a challenge companies may face is associated with the rise of data subject rights (DSR) provisions in modern privacy laws. DSR requirements have become more prevalent around the globe as more regulators expand the rights they allocate to their citizens. DSRs predominantly gained recognition with the implementation of the GDPR when many organizations first began facing a high volume of data subject access requests (DSARs).

Other companies that may not have previously been subject to DSARs under GDPR nevertheless may find themselves facing similar requirements under the CCPA, LGPD and other privacy laws. Managing DSARs is a challenge because the rights tend to vary, as do the timeframes for responding.

Constant Uncertainty about Transferring Data

Another challenge revolves around the constant uncertainty companies face regarding their ability to transfer data between the EU and the U.S. The most recent example is the judgment of the European Court of Justice invalidating the Privacy Shield, which was the transatlantic agreement used by more than 5,000 companies to transfer data between the EU and the U.S. Since this ruling, many companies have relied on standard contractual clauses found in their individual legal agreements for transfers like this. The validity of those, however, is being called into question. The court has suggested EU citizens may need additional safeguards to make sure their data is protected up to GDPR standards.

The potential repercussions if the legitimacy of standard contract clauses is invalidated could be significant for companies whose operations rely on them. Information is still being issued on what changes might be necessary to make standard contractual clauses acceptable to EU authorities. Meanwhile, companies of all sizes hope to gain some clarity and guidance as they navigate the patchwork of privacy laws.

A Proactive Approach for GDPR Compliance and Beyond

Companies have an enormous incentive to comply with new privacy laws, as the failure to do so could expose them to significant fines, penalties and reputational damage. A proactive approach can be instrumental in handling the growing number of privacy regulations and the various obligations and requirements companies may be subject to today. A good example is Brazil’s LGPD, which unexpectedly went into effect after uncertainty over its effective date and potential delay. Global companies that decided to take a more proactive approach in incorporating its requirements into their privacy frameworks should be well prepared.
