Data protection laws aren't new, but enforcement has changed significantly
Imagine you are driving a sports car on a wide highway. There are no speed limit signs. No pedestrian signs. No traffic signals. No police enforcement. Without any regulation or enforcement, the road fatality rate would be high, a major public safety concern.
What if we apply this analogy for data collection, use, and processing in the 21st century? Without the right laws and enforcement there is going to be carnage (e.g., unreported data breaches, privacy invasions, government abuse, data loss, etc.).
Countries and economic areas worldwide are adopting or enhancing data protection and privacy regulations faster than ever before. The driving factor is primarily consumer protection, but additionally, trade economics.
Multinational businesses need to trade over geographic boundaries and governments develop legal mechanisms to enable personal data exchange for import and export needs. As we recall, US Safe Harbor was invalidated by the EU Court of Justice in post-Snowden disclosures and a new framework (Privacy Shield) was developed. This was key to ensure continued trade between the US and EU.
Data protection laws are not new. The first national data protection law was passed in Sweden (Data Act 1973), over 45 years ago. Since then, most of the significant developments have been in Europe and the US, although regulatory strategies differ. For example, the US has sector-driven regulation with different laws in finance, healthcare, defense, etc., while Europe is horizontally focused; EU protections are similarly irrelevant in the sector.
Why is there so much attention paid to data regulation now? Prior to the passage of EU’s General Data Protection Regulation (GDPR), data protection may have been a footnote in the regulatory universe, however, enforcement has changed significantly. GDPR fines are now up to 4 percent of worldwide revenue. That provides a strong incentive not to get in the crosshairs of regulators. The Asia-Pacific region is in some cases is taking an even stronger stance on law enforcement imposing jail time in penalties for data protection laws in Hong Kong and Singapore.
The regulatory threat of large penalties for compliance lapses is driving significant investment. Regulation is the catalyst for a large number of backlogged projects within companies that are currently being funded. Improving everything from hiring qualified personnel and consultants, to revising policies, updating training and software, as well as security technology deployments.
The incentive is strong enough to ensure that data is protected. For example, in many regions where data breach notification is required, if regulated data is unintentionally stolen or compromised, there is a requirement to notify the regulator and the victims of the breach. Depending on the situation, this will include brand damage, fines, consumer credit monitoring, legal and forensic services, etc. In the largest reported breaches, with millions of personal records, total costs have neared 300 Million dollars (e.g., Equifax and Target)
Data protection provisions are also widening. For example, the recently passed California Consumer Privacy Act of 2018 includes new provisions for consumers to be able to access the data a company has about them and make requests for data deletion (depending on the nature of the service).
Economies are transitioning to the service sector and the services delivered are more data dependent. If consumers decide they don’t trust these services and delete their personal information from the service provider, with new rights they inherit from regulations, it will significantly weaken the service providers’ strategic advantage. Data regulation helps arm modern economies from this by setting minimum security and privacy standards that companies have to adhere to. This limits company abuses such as selling user data without users’ permission.
Although there is significantly more talk about privacy, the core enabling technologies are security focused. Areas such as encryption, access control, secure software development are the building blocks that continue to construct the core capabilities and regulatory needs.
Companies generally get in trouble when no one is paying attention to the signs on the highway.