Data Protection and Privacy Regulations - Impact on Business
Introduction
In today's age the biggest asset an enterprise holds, be it a brick-and-mortar company, a digital commerce provider, a cloud service provider, a telco, an FMCG or even a government, is the data of its customers and constituents. As Clive Humby, a British mathematician, famously said: "Data is the new oil." Immensely lucrative new business models have rapidly evolved around data and completely revolutionized how we do business, and governments have likewise changed how they provide services to their constituents; at the same time, serious concerns have been raised around security and privacy. Concerns are also increasingly raised about the enormous power that Big Tech (GAFA: Google, Amazon, Facebook, Apple) and China's Alibaba wield over today's world economy, a power that stems from their dominance and control of the data economy. Today every action of ours generates enormous amounts of data. Personal data is used to cater to the needs of the individual, whereas large collective and anonymized datasets are used by AI, machine learning and data analytics systems to generate rich insights, which can be used to cater to societal needs or for more sinister purposes such as controlling and manoeuvring public opinion (as the Russians did, according to US President Trump).
Data Privacy Regulations
There certainly is a need for government oversight and regulation of how data is gathered and handled, so that this asset can benefit our society while the individual is protected. To achieve this objective, almost all jurisdictions have laws and regulatory frameworks in place addressing data privacy and protection. The European Union has had the Data Protection Directive (DPD) since 1995 on the protection of individuals with regard to the handling and processing of personal data. The DPD was complemented by national laws promulgated by member states, e.g. the Data Protection Act (DPA) in the UK, the Netherlands and Spain. Jurisdictions like Australia, Dubai, Hong Kong, Japan and Singapore have Australia's Notification Law (ANL), the Dubai Data Law (DDL), the Personal Data Privacy Ordinance (PDPO), the Act on the Protection of Personal Information (APPI) and the Personal Data Protection Act (PDPA) respectively. China has had a set of laws with far-reaching implications governing data privacy and data security. The successor of these laws and regulations in China is the Cyber-Security Law (CSL), which has been in force since June 2017 and regulates not only enterprise data security but also online speech, and censures behaviour that poses a threat to the Chinese government. In the US, on the other hand, there is no single comprehensive law or regulation on the handling of personal data. Laws and standards like NIST 800-171, the Health Insurance Portability and Accountability Act (HIPAA), the US Federal Trade Commission Act (FTC Act) and the Gramm-Leach-Bliley Act (GLB Act), coupled with state regulations like California's Electronic Communications Privacy Act or New York's General Business (GBS) Article 39-F and State Technology Law (STT) Article 2, form the core of the self-regulatory framework that the industry complies with.
A good example of self-regulation is Privacy by Design (PbD), which is revolutionizing how digital services are created with privacy at its core.
In addition, EU-US data exchange is governed by the EU-US Privacy Shield Framework. It is expected that NIST's Cyber Security Framework (CSF) will play a major role in the evolution of a regulatory regime for data privacy and protection in the US and, implicitly, in the rest of the world. The biggest impact in this space so far, however, has been created by the EU's General Data Protection Regulation, known as GDPR, which came into force on May 25th, 2018. Even though it is an EU-centric law designed to harmonize data privacy laws across Europe while protecting and empowering all EU citizens' data privacy, it has far-reaching implications, affecting anyone doing business not only with EU members but even with EU subjects in other jurisdictions. Today it is arguably the single most impactful regulation affecting technology and non-technology businesses alike in the EU, the US and the rest of the world.
The challenge for businesses is that they do not deal with a single set of regulatory requirements or a static regime; they have to deal with multiple complex, often contradictory and ever-evolving laws and regulations across multiple jurisdictions.
Impact of GDPR
The EU's GDPR, which became effective on May 25th, 2018, sets strict rules for the legitimate use of personal data, gives citizens a stronger position to control their data and imposes high fines for data abuse, for which the data processor will be held responsible. Under GDPR, entities that breach the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed, reserved for the most serious violations. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data. Penalties are tiered: a limited number of breaches fall into a lower tier and are subject to fines of up to 2% of annual worldwide turnover or €10 million; e.g. a company can be fined 2% for not having its records in order, for not informing the supervisory authority and the data subject about an infringement, or for not conducting an impact assessment. These rules apply to both controllers and processors, so cloud service providers, for example, fall within the regulation's enforcement.
Although GDPR is an EU law, it applies to any EU- or non-EU-domiciled business that handles the personal data of EU residents. It applies even if an EU citizen is residing in another, non-EU jurisdiction.
The rules cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data and more. In the words of Facebook COO Sheryl Sandberg: "The law will affect almost everyone [because businesses] all use data to improve their services." Speaking of Facebook, had the Cambridge Analytica scandal, in which millions of Facebook accounts were mined without users' knowledge and explicit consent, happened after May 25, 2018, Facebook could have faced penalties of more than $1.5 billion (4% of Facebook's global revenue) from the EU. Ernst & Young estimates the cost of GDPR compliance for 500 of the world's biggest corporations at $7.8 billion, which includes deploying GDPR-compliant software that controls data access and creates audit trails, and designating Data Protection Officer(s). More importantly, companies have to significantly modify their data collection and handling strategies. They must ensure and certify individual privacy, may only collect the minimum amount of data required to provide the service, and cannot retain it beyond the time period necessary to offer the service. They have to implement PbD in letter and spirit and honour constituents' right to be forgotten. Businesses also have to ensure that any data breach is reported to the regulators and, in many cases, to the affected individuals.
Dealing with Regulation and Compliance
As we can see, regulations globally are rapidly evolving, putting businesses at risk of non-compliance and significantly increasing the cost of doing business. Many frameworks have been developed to help business leaders navigate this regulatory maze. Gartner's Data Security Governance Framework provides an approach to assess and govern the security and privacy requirements for the data gathered. Gartner suggests the following four steps:
1. Identify and prioritize what data is impacted by data privacy and compliance requirements
2. Develop data protection impact assessments and execute these periodically in close collaboration with business stakeholders
3. Ensure technology controls are identified to mitigate risk to an acceptable level
4. Frequently review the adequacy of the technology stack to reflect the business risk of the regulatory management program
Value of Regulation and Compliance
While many would argue that regulatory regimes are costly and a hindrance to progress, strong data protection is a critical enabler of the digital economy.
Customers are willing to share more data and transact digitally once they trust the system. Regulations like GDPR would, in the long run, boost digital business globally.
GDPR would enable businesses to carry out cross-border digital transactions, optimize their data handling practices and technology, and build strong digital capabilities, such as adopting sophisticated techniques for customer master data management and accelerating investment in emerging technologies like blockchain and AI, to evolve new, optimal and compliant business models while at the same time protecting the individual.
Summary of Referenced Laws, Regulations and Standards
ANL Australia's Notification Law, which went into effect on February 22nd, 2018, stipulates that businesses with more than $3 million in annual revenue must notify the Australian Information Commissioner if they experience a breach.
APPI Japan's Act on the Protection of Personal Information became effective in May 2017 and requires that explicit consent be obtained from data subjects.
CSF Cybersecurity Framework is a risk-based standard developed by NIST. The framework can serve as a foundation for organizations for future cybersecurity regulations. It requires organizations to assess and treat risk without the guidance of a compliance checklist, similar to GDPR.
CSL The Cybersecurity Law (China) has been in force since June 2017 and regulates not only enterprise data security but also online speech and behaviour that poses a threat to the Chinese government.
DDL Dubai Data Law – Published in 2015, the DDL is a comprehensive law addressing data policies, classification, compliance and an open data framework.
DPA Dutch Data Protection Act – The Dutch Data Protection Act, enforced in the Netherlands since January 1, 2017, precedes the EU GDPR.
DPA The Data Protection Act (UK) was enacted by the British government in 1998, updated in 2018, and controls how personal information is used by organizations, businesses or the government. Under the DPA everyone responsible for using data has to follow strict rules called data protection principles. They must make sure the information is: used fairly and lawfully; used for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people's data protection rights; kept safe and secure; and not transferred outside the European Economic Area without adequate protection. As GDPR is not directly applicable in post-Brexit UK, the DPA was amended to include GDPR compliance and to ensure that UK businesses are made aware of the penalties for non-compliance with GDPR.
DPA The Data Protection Act (Spain) was enacted in 1999 and protects individuals with regard to the processing of personal data and the free movement of data. It required data controllers, both public and private, to register their data with the General Data Protection Registry maintained by the Data Protection Agency. This is one example of a jurisdiction where compliance requirements will be reduced as GDPR goes into effect across the EU.
EU DPD EU Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data was a European Union directive adopted in 1995 which has been superseded by GDPR.
FTC Act US Federal Trade Commission Act is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.
GLB Act US Gramm-Leach-Bliley Act regulates the collection, use, and disclosure of financial information. It can apply broadly to financial institutions such as banks, securities firms, and insurance companies, and to other businesses that provide financial services and products. GLB limits the disclosure of non-public personal information, and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for data subjects to opt-out of having their information shared.
GDPR General Data Protection Regulation – EU Regulation on Data Privacy and Protection approved by the EU Parliament in April 2016 and came into force on May 25th, 2018.
HIPAA The US Health Insurance Portability and Accountability Act (HIPAA) regulates medical information. It applies to health care providers, data processors, pharmacies and other entities that come into contact with medical information. It includes standards for the Privacy of Individually Identifiable Health Information, Protection of Electronic Protected Health Information, Electronic Transactions as well as Security Breach Notification with regards to healthcare data.
NIST 800-171 is a special publication released by the National Institute of Standards and Technology aimed at protecting Controlled Unclassified Information in non-federal information systems and organizations.
OTT Over The Top refers to services provided by content providers, such as streaming media, online gaming, messaging, telephony and targeted advertising, that bypass the underlying telecom infrastructure.
PbD Privacy by Design is an internationally recognized framework where privacy should be embedded in the design, operation, and management of technology networks and infrastructure. It requires restricting the amount of data collected by applications and devices to the amount necessary to fulfill its purpose; encrypting data by default; de-identifying personal data; embedding menus of privacy settings and notices in user-friendly ways, and reducing data retention times.
PDPA The Personal Data Protection Act (PDPA) of Singapore was enacted in 2012 and came into force with the formation of the Personal Data Protection Commission (PDPC) on January 2, 2013. It seeks to regulate the activities of an organization with regard to collecting, using or disclosing personal data, and it provides individuals.
PDPO The Personal Data (Privacy) Ordinance has been in force in Hong Kong since 1996 and regulates the collection, use and handling of personal data by data users.
Privacy Shield EU-US Privacy Shield Framework was established by the EU and US Department of Commerce, covering data protection and privacy practices to facilitate the Trans-Atlantic exchange of personal data for commercial purposes. Entities transferring sensitive data Trans-Atlantic must self-certify under Privacy Shield. It omits many GDPR requirements including the right to be forgotten.
Founder & CEO SimpleAccounts.io at Data Innovation Technologies | Partner & Director of Strategic Planning & Relations at HiveWorx
6mo: Sohail, Great insights! 💡 Thanks for sharing!
Leading Management Consultant based in GCC for 28 years. Pioneer in AI Ethics Maturity. International governance, transformation, and risk consultant and former Member Presidential Committee on Emerging Technologies
5y: This is driven by two ISO standards -- ISO 27018 and ISO 27701. Both are new standards. I have already implemented both in different companies and am available to help in this regard.