Almost everyone at this point has heard about the European Union’s (EU) General Data Protection Regulation (GDPR). You’ve probably received an email from a company that you have shopped with explaining the recent changes in their privacy policy. Or, you’ve sat through a GDPR training at work, or you’re simply aware that some of the world’s largest companies with European subsidiaries need to comply with it.

GDPR went into effect in May 2018 and impacted businesses not only in the EU but globally. Many companies had to change the way personal information was being collected and used while simultaneously having to meet the compliance deadline.

While the GDPR was the first of its kind and seen as a gold standard in privacy protection, it is not the only data protection regulation companies need to comply with today. The GDPR’s introduction was only the beginning. In just two years, its ripple effect caused other regulators to follow with enhanced privacy regulations. Other countries ranging from Brazil to Thailand, as well as U.S. states, such as California, have enacted or are currently working to enact their own version of the GDPR framework.

These numerous privacy regulations may present challenges for companies, namely, navigating and interpreting the patchwork of rules that vary in their obligations and breach reporting requirements. Below are some challenges companies may face in light of the current privacy regulatory environment as it continues to evolve.

To learn more about best practices for keeping abreast of changes to global privacy regulations and more about Brazil’s General Data Protection Law (LGPD) and its implications, please join the upcoming webinar at 11 a.m. EDT on Oct. 22, 2020.

Patchwork of Data Privacy Protection Laws

The GDPR’s goal is to harmonize privacy rules across the different EU member states. However, it also inspired a patchwork of privacy laws around the world. Each is slightly or significantly different, but is modeled after the same framework.

As the regulatory environment continues to evolve rapidly, companies are struggling to keep up. GDPR sets a high level of protection for individuals, ranging from strict rules for processing personal data to granting data rights to users, including the right to be forgotten. Some countries, such as Argentina and New Zealand, are in the process of amending and implementing their own enhanced versions of data protection laws. Other areas have already enacted GDPR-inspired laws, including Brazil, Thailand, South Africa, Bahrain, Israel, Dubai, Abu Dhabi and more.

In the U.S., there is currently no all-inclusive data privacy regulation at the national level. California was the first state to follow the GDPR’s example with the enactment of the California Consumer Protection Act (CCPA) in January 2020.

While companies have had a few years getting up to speed on GDPR, they are now having to turn their attention to the growing number of new data privacy regulations taking effect worldwide. They are struggling to figure out what privacy rules apply to them and sort out the various requirements among them. For example, the type of companies these laws apply to, the type of individuals they protect and how broad or specific their definition of personal information is vary among GDPR, CCPA and Brazil’s LGPD. Thus, while many of the regulations today were originally modeled after the GDPR, their scope and applicability vary.

Meeting the Growing Requirements

Aside from figuring out which laws they must comply with, organizations may find themselves increasingly challenged to meet the growing requirements. For example, as most of these regulations are modeled after GDPR, they often adhere to its mandatory 72-hour privacy breach reporting requirement. This may mean information expectations are high and the timeline for providing the various notifications is short.

This poses a potential challenge to companies that may be subject to regulations while attempting to maintain ongoing operations. Figuring out who has been affected, how extensive the impact has been and why it occurred, coupled with notifying the relevant data protection authority of a reportable privacy breach, all within 72 hours, may pose a challenge.

Companies may find themselves scrambling and needing to change their incident response plans and internal security tools and processes to ensure strict reporting requirements can be adequately met.

Another example of a challenge companies may face is associated with the rise of data subject rights (DSR) provisions in modern privacy laws. DSR requirements have become more prevalent around the globe as more regulators expand the rights they allocate to their citizens. DSRs predominantly gained recognition with the implementation of the GDPR when many organizations first began facing a high volume of data subject access requests (DSARs).

Other companies that may not have previously been subject to DSARs under GDPR nevertheless may find themselves facing similar requirements under the CCPA, LGPD and other privacy laws. Managing DSARs is a challenge because the rights tend to vary, as do the timeframes for responding.

Constant Uncertainty about Transferring Data

Another challenge revolves around the constant uncertainty companies face regarding their ability to transfer data between the EU and the U.S. The most recent example is the judgment of the European Court of Justice invalidating the Privacy Shield, which was the transatlantic agreement used by more than 5,000 companies to transfer data between the EU and the U.S. Since this ruling, many companies have relied on standard contractual clauses found in their individual legal agreements for transfers like this. The validity of those, however, is being called into question. The court has suggested EU citizens may need additional safeguards to make sure their data is protected up to GDPR standards.

The potential repercussions if the legitimacy of standard contract clauses is invalidated could be significant for companies whose operations rely on them. Information is still being issued on what changes might be necessary to make standard contractual clauses acceptable to EU authorities. Meanwhile, companies of all sizes hope to gain some clarity and guidance as they navigate the patchwork of privacy laws.

A Proactive Approach for GDPR Compliance and Beyond

Companies have an enormous incentive to comply with new privacy laws, as the failure to do so could expose them to significant fines, penalties and reputational damage. A proactive approach can be instrumental in handling the growing number of privacy regulations and the various obligations and requirements companies may be subject to today. A good example is Brazil’s LGPD, which unexpectedly went into effect after uncertainty over its effective date and potential delay. Global companies that decided to take a more proactive approach in incorporating its requirements into their privacy frameworks should be well prepared.
