Preparing for Upcoming Data Privacy Regulations

Author: Nivedita Malhotra, CISA, CRISC, CISM, CIPM, CIPP(E), ISO 27001 LI, PCI, PMP
Date Published: 13 December 2021

The global privacy landscape has changed drastically since the EU General Data Protection Regulation (GDPR) became law in 2018.1 Prior to the GDPR, the only similar significant laws were the US Health Insurance Portability and Accountability Act (HIPAA),2 which protects patient health information, and the Payment Card Industry Data Security Standard (PCI DSS),3 which is a standard for protecting credit card information. Since the GDPR, several key data privacy laws, such as Brazil’s General Personal Data Protection Law (LGPD),4 the US State of California Consumer Privacy Act (CCPA),5 China’s Personal Data Protection Law (PDPL),6 the New Zealand Privacy Act,7 Serbia’s Data Protection Law8 and Thailand’s Personal Data Protection Act (PDPA),9 have been enacted. Most of these laws are modelled on GDPR and, thus, GDPR can reasonably be labelled the forebear of all recent data privacy laws. The expansion of data privacy regulations was delayed in 2020 and 2021 due to the COVID-19 pandemic, but several regulations, such as India’s Personal Data Protection (PDP) bill, are expected to be announced soon.

With so many different countries introducing data privacy regulations, how does an organization make sure it is prepared to comply with every new regulation with which it must comply? The problem is compounded when an organization operates globally with customers all over the world, which introduces the element of cross-border data transfers, adding another complication to this conundrum. The best path for an organization is to implement a strong data privacy foundation with processes and tools that are scalable to adopt new regulations. Although it is impossible to predict what controls will need to be in place to comply with future laws, organizations need to assess themselves by using data privacy parameters and prepare for upcoming privacy regulations.

Personal Data and the Related Attributes

The attributes of personal data can be examined by answering some basic, yet specific, questions:

  • What personal data does the organization have? Enterprises need to ascertain the types of personal data they have. It could be personally identifiable information (PII), such as names, phone numbers, email addresses or physical addresses, or it could be sensitive personal information (SPI), such as banking information, government identification (ID) numbers or health data. The definitions of PII and SPI vary from country to country, which organizations must consider. A data inventory is essential to prepare for complying with existing and new data privacy regulations.
  • Whose data does the organization have? This addresses the location of data subjects. Since data privacy regulations are specific to each country and territorial scope is key to identifying applicability of the regulation, it is critical to know where the people whose personal data are being processed are located. As an example, GDPR applies to people who are geographically located in the European Union at the time that their personal data are processed.
  • Where are the personal data? A critical component of the data flow is to identify where the PII/SPI are stored in an organization (i.e., the databases, servers, cloud, backup media, mail servers, websites). Implementation of controls is easier when the data repositories are known.
  • Who has access to the personal data? Is it only the employees of the organization or are there partners, suppliers, vendors and other third parties who also have access to the personal data? Data protection techniques such as access controls, data transmission, nondisclosure agreements (NDAs) and auditing guidelines differ if the data are accessed by third parties.

Controller or Processor

Organizations must understand whether they are processors or controllers of data, or both. The data controller determines the purposes for and the means by which personal data are processed, whereas the data processor processes personal data only on behalf of the controller. Identifying its role relative to the data is one of the most basic questions that an organization must ask itself. It is possible that an organization is both a controller and a processor for different sets of data. The handling of data, security controls and cross-border transfers varies depending on whether an organization is a controller or processor. Typically, the more stringent penalties and requirements apply to the controller, but the processor also has several legal obligations.

Applicable Data Privacy Regulations

Organizations that access PII have an immediate need to determine which data privacy regulations are currently applicable to their activities. If PII is processed in Brazil or goods or services are offered to individuals located in Brazil, then LGPD applies; if Serbian personal data are processed, then the Serbian Data Protection Law will apply. Most privacy regulations include heavy penalties for violations. This, coupled with the potential brand impact of noncompliance, causes organizations to focus on ensuring that they are complying with the regulations. Most of the active data privacy regulations become applicable if the following conditions are in place:

  1. Processing is performed by a controller or a processor established in a particular geographical area/country, regardless of whether or not the processing takes place in that area/country.
  2. Processing is performed by a controller or a processor not established in a particular area/country where the processing relates to:
    • The offering of goods or services to a data subject in that geographical area, irrespective of whether a payment is required for these goods or services
    • The monitoring of activities/behaviors of data subjects as far as those activities/behaviors take place in a particular geographical location

Basic assessments and data flow diagrams can be used to identify applicable regulations, but they need to contain the appropriate questions. Some examples of suitable questions to use in assessments are:

  • What is the location of the data subjects whose personal data are being processed?
  • Where is the data processor located?
  • Where is the data controller located?
  • Is the organization offering any goods and services to people located in a particular geography or location?

Data Incident Management Process

This is one of the critical processes that needs to be in place in an organization that is handling personal data. All incidents and breaches should be handled via a structured security incident management process that focuses on incident identification, notification, investigation, resolution, recovery and closure. This process has become even more important since GDPR introduced fines for data breaches. GDPR sets two tiers of maximum fine: up to EUR 20 million or 4% of annual worldwide turnover (whichever is greater), or up to EUR 10 million or 2% of annual worldwide turnover (whichever is greater).

Security Awareness

A security awareness program is a formal/structured program to train employees on how to avoid situations that might put the organization's data at risk of a security breach. Its goal is also to increase awareness of the security practices that an organization follows. The program should cover new and long-term employees and should be reinforced regularly. A good industry practice is to include vendor or third-party resources in the awareness program.

Cross-Border Transfers

Cross-border transfers refer to the movement or transfer of information between servers across country borders. When an organization processes personal information, a key consideration is whether the data travel outside the country’s boundaries. The European Union has defined a list of adequate countries to which personal data can flow from the European Union without any further safeguard being necessary.10 For transferring data to countries that are not included in the list of adequate countries, there are several approved data transfer mechanisms, such as standard contractual clauses (SCC).11
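The inventory attributes (what, whose, where, who has access), the two applicability conditions and the assessment questions from the earlier sections, together with the adequacy/SCC logic just described, can be expressed as a small, repeatable check over a data inventory. The following Python is an added example, not code from the article or from any organization it mentions. It assumes a regulation table keyed by territory as the article describes (GDPR for the EU, LGPD for Brazil, the Serbian law for Serbia), an abbreviated EU member set, an illustrative adequacy list that the reader should replace with the Commission's current decisions (endnote 10), and a constructed sample inventory; `ProcessingRecord`, `applicable_regulations`, `eu_transfer_status` and `assess_inventory` are names chosen for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption for this example: each regulation is keyed to the territory the
# article associates with it, expressed as ISO country codes. The EU set is
# deliberately abbreviated; a real inventory tool would carry the full list.
EU: Set[str] = {"DE", "FR", "NL", "IE"}
REGULATIONS: Dict[str, Set[str]] = {
    "GDPR": EU,
    "LGPD": {"BR"},
    "Serbian Data Protection Law": {"RS"},
}

# Illustrative adequacy list (assumption; replace with the European Commission's
# current adequacy decisions before relying on it).
ADEQUATE_FOR_EU: Set[str] = {"NZ", "CH"}
# Transfer mechanisms the organization accepts as an approved safeguard.
APPROVED_TRANSFER_MECHANISMS: Set[str] = {"SCC"}


@dataclass
class ProcessingRecord:
    """One row of the data inventory: the article's four attribute questions
    (what, whose, where, who has access) plus the applicability inputs."""
    name: str
    category: str                      # "PII" or "SPI"            (what)
    subject_countries: Set[str]        # where data subjects are    (whose)
    controller_country: str            # where the controller is established
    processor_country: str             # where the processor is established
    storage_countries: Set[str]        # where the data are stored  (where)
    third_party_access: bool           # partners/vendors with access (who)
    offers_goods_or_services_in: Set[str] = field(default_factory=set)
    monitors_subjects_in: Set[str] = field(default_factory=set)
    transfer_mechanism: Optional[str] = None   # e.g. "SCC" when covered by contract


def applicable_regulations(rec: ProcessingRecord) -> Dict[str, List[str]]:
    """Map each regulation to the reasons it applies, using the two conditions
    from the article: (1) controller or processor established in the territory;
    (2) goods/services offered to, or behaviour monitored of, subjects located there."""
    hits: Dict[str, List[str]] = {}
    for reg, territory in REGULATIONS.items():
        reasons: List[str] = []
        if rec.controller_country in territory:
            reasons.append("controller established in territory")
        if rec.processor_country in territory:
            reasons.append("processor established in territory")
        if rec.subject_countries & rec.offers_goods_or_services_in & territory:
            reasons.append("goods/services offered to data subjects in territory")
        if rec.subject_countries & rec.monitors_subjects_in & territory:
            reasons.append("data subjects in territory monitored")
        if reasons:
            hits[reg] = reasons
    return hits


def eu_transfer_status(rec: ProcessingRecord) -> Dict[str, str]:
    """For records holding data of EU-located subjects, classify each non-EU
    destination (storage or processor country): 'adequate' (no further safeguard),
    'covered' (approved mechanism recorded) or 'gap' (a mechanism is still needed)."""
    status: Dict[str, str] = {}
    if not rec.subject_countries & EU:
        return status
    for dest in sorted(rec.storage_countries | {rec.processor_country}):
        if dest in EU:
            continue
        if dest in ADEQUATE_FOR_EU:
            status[dest] = "adequate"
        elif rec.transfer_mechanism in APPROVED_TRANSFER_MECHANISMS:
            status[dest] = "covered"
        else:
            status[dest] = "gap"
    return status


def assess_inventory(inventory: List[ProcessingRecord]) -> Dict[str, dict]:
    """Run both checks over the whole inventory and return a per-record report."""
    return {
        rec.name: {
            "category": rec.category,
            "regulations": applicable_regulations(rec),
            "eu_transfers": eu_transfer_status(rec),
            "third_party_access": rec.third_party_access,
        }
        for rec in inventory
    }


# Constructed sample inventory for the example (not real data).
SAMPLE_INVENTORY = [
    ProcessingRecord(name="Web shop customer accounts", category="PII",
                     subject_countries={"DE", "FR", "BR"},
                     controller_country="US", processor_country="US",
                     storage_countries={"US"}, third_party_access=True,
                     offers_goods_or_services_in={"DE", "FR", "BR"}),
    ProcessingRecord(name="Payroll", category="SPI", subject_countries={"DE"},
                     controller_country="DE", processor_country="IN",
                     storage_countries={"IN"}, third_party_access=True,
                     transfer_mechanism="SCC"),
    ProcessingRecord(name="Serbian HR records", category="SPI",
                     subject_countries={"RS"}, controller_country="RS",
                     processor_country="RS", storage_countries={"RS"},
                     third_party_access=False),
]

if __name__ == "__main__":
    for name, row in assess_inventory(SAMPLE_INVENTORY).items():
        print(name, row)
```

The report marks the web shop record as subject to both GDPR and LGPD purely through the offering of goods and services, and flags its US storage as a transfer gap because no mechanism is recorded; the payroll record is in scope for GDPR through the controller's establishment, with its Indian processor covered by SCC. Records with `third_party_access` set are the ones where the article's note on NDAs, access controls and audit clauses for third parties comes into play.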

Baseline Security Controls

Most regulations stress the implementation of technical and organizational measures (TOMs) to safeguard personal data, so if an organization already has in place strong technical controls, such as encryption, anonymization, access controls, vulnerability management, endpoint detection, intrusion prevention, patch management and security awareness, it will be easier for the organization to ensure that TOMs are in place for most of the upcoming regulations. It is helpful that data privacy laws are usually high-level and not prescriptive in the security measures needed to comply with the law.

Industry Certifications

Industry certifications such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001, ISO/IEC 27701 and the Payment Card Industry Data Security Standard (PCI DSS) are good ways to get independent validation of the controls the organization has implemented to safeguard data and protect data from breaches. These certifications also serve as a form of assurance to customers that the organization is serious about security and data privacy.

Data Privacy Agreements

These are typically legally binding contracts between the controller and the processor detailing the scope and nature of the data being processed. They are also needed between a processor and a subprocessor and are the vehicle for flowing down controller requirements to the subprocessor. Some regulations, such as GDPR, LGPD and LPDP, mandate the use of such agreements. 

Conclusion

Consideration of the data privacy factors discussed herein will go a long way in preparing an organization for any upcoming regulations. However, it should be noted that many data privacy regulations have specific requirements and those need to be addressed separately.

Author’s Note

The views and opinions expressed in this article are the author’s and do not reflect any official position, policy or view of the author’s employer.

Endnotes

1 GDPR.eu, “Complete Guide to GDPR Compliance”
2 US Department of Health and Human Services, “Health Information Privacy”
3 Payment Card Industry (PCI) Security Standards Council, “Securing the Future of Payments Together”
4 Presidency of the Republic, General Law for the Protection of Personal Data (LGPD), Law No. 13.709, Brazil, 14 August 2018
5 US State of California Department of Justice, “California Consumer Privacy Act (CCPA)”
6 Hu, Y.; “China’s Personal Information Protection Law and Its Global Impact,” The Diplomat, 31 August 2021
7 New Zealand Parliamentary Counsel Office, Privacy Act 2020, New Zealand, 8 October 2021
8 Commissioner for Information of Public Importance and Personal Data Protection, Law on Personal Data Protection, Serbia
9 PricewaterhouseCoopers, “Thailand’s Personal Data Protection Act (PDPA): Are Companies in Thailand Ready?”
10 European Commission, “Adequacy Decisions”
11 European Commission, “Standard Contractual Clauses (SCC)”

Nivedita Malhotra, CISA, CRISC, CISM, CIPM, CIPP(E), ISO 27001 LI, PCI, PMP

Has more than 2 decades of experience in leading security, privacy and technology teams to deliver security and privacy services to internal and external clients. Malhotra has a strong record of creating robust security, privacy and compliance programs to secure the information assets of an organization. She has worked with IBM for the last 18 years. She has also worked for Artech Information Systems (USA) and The Times Group of India.