It is vital to keep abreast of developments in the myriad data protection and privacy requirements which apply to your organization, along with the best practices from data security laws and frameworks. With how fast the industry moves, we know this can feel like a full-time job.
To assist with your compliance and future-proofing needs, here is our roundup of recent and forthcoming data protection changes in large jurisdictions and globally—along with the data security frameworks leading organizations are following to protect themselves and their clients.
Last updated: January 2022
Now approaching its third anniversary, the EU’s General Data Protection Regulation (GDPR) continues to exert global influence as the “gold standard” in privacy legislation, and enforcement actions, often in the hundreds of millions of euros, are accelerating.
National European regulators are looking at smaller players’ practices too, and at this stage there is little excuse for not having the essentials in place. By now, organizations should have complete Records of Processing Activities and should have identified and remediated risks in key areas such as establishing the lawful bases of their personal data processing, security measures, data processing agreements with third parties, and international transfers.
The 2020 invalidation of the EU-US Privacy Shield has induced a scramble to implement the European Commission’s updated Standard Contractual Clauses and to monitor cross-border transfers more closely.
The GDPR regime remained virtually unchanged in post-Brexit Britain, but this could soon change with a new UK regulator in place and a governmental drive to build upon, or potentially undo, European rules in a bid for greater global competitiveness.
We now await the results of a consultation on proposals aimed at creating “an even better data protection regime.” However, the UK authorities will be aware that diverging significantly from the EU may jeopardize the UK’s adequacy status and make data transfers from the EU far more challenging going forward.
California Consumer Privacy Act and California Privacy Rights Act
California was the first US state to pass comprehensive data privacy legislation. The CCPA went into effect at the start of 2020 and its implementing regulations in August of the same year. The CPRA, an amending ballot measure that enhanced privacy protections for consumers, passed in November 2020 and will enter into force at the beginning of 2023, albeit retroactive to January 2022.
The CCPA/CPRA mandate data processing principles similar to those of the GDPR, such as data minimization and accountability for contracted third-party relationships. However, the legislation is far more oriented towards enforcement where inadequate security measures contribute to consumer harm from data breaches. Its compensation provisions mean class actions for such failings are increasingly commonplace.
Virginia Consumer Data Protection Act
Virginia’s CDPA was signed into law in March 2021 and will come into force at the start of 2023. It is closely aligned with the EU GDPR in key areas, such as guaranteeing consumers’ rights to access, correct, delete, and obtain a copy of their personal data. It also lets consumers opt out of certain data processing activities and makes the processing of sensitive data opt-in only.
The CDPA’s accountability strictures are also very European in flavor, requiring robust data protection policies, prompt handling of Data Subject Requests, the contractual flow-down of regulatory responsibilities to processors and sub-processors, and Data Protection Impact Assessments (DPIAs) in certain circumstances.
Colorado Privacy Act
The Colorado Privacy Act was signed into law in July 2021 and will enter into effect in July 2023. Like Virginia’s CDPA, it contains extensive opt-out provisions for consumers covering targeted advertising, profiling and the sale of personal data, and it is very GDPR-like in its requirements for transparency (notification), properly contracted relationships with third parties, observance of data subjects’ rights, and DPIAs for certain activities.
Although the Colorado Privacy Act does not apply in commercial or employment contexts, it differs from other state privacy legislation by not exempting non-profit organizations.
Other US state regulations
In the absence of federal-level legislation, state-level momentum for comprehensive privacy bills is at an all-time high, and numerous data protection regulations have been proposed in recent times.
Massachusetts, Minnesota, North Carolina and Pennsylvania currently have active bills, and new laws could soon pass in Florida, Illinois, New York, Oklahoma, and Washington.
Global Privacy and Data Protection Regulations
Currently, 69% of the world’s countries (128 out of 194) have some form of legislation in place to secure data protection and individuals’ privacy, with a further 10% having draft laws in motion.
Notable recent additions include Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD), which came into effect in August 2021, and China’s Personal Information Protection Law, which entered into force in November 2021. China, like the EU and other jurisdictions, has also implemented complementary legislation, in the form of its September 2021 Data Security Law and 2017 Cybersecurity Law, to form a comprehensive framework for the protection of personal data.
Data protection and security are also commonly governed by legislation aimed at particular sectors that present high risks to individuals’ privacy, such as healthcare and financial services. This is particularly the case in the US, where hundreds of laws at the federal, state, and sector level must be observed (the Federal Trade Commission has wide-ranging oversight, for instance).
Compliance with the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) is becoming increasingly challenging as technological advances and the proliferation of data custodians complicate the data lifecycle. Accurate mapping and documentation of data flows, cataloging and auditing associate organizations, and carrying out comprehensive risk assessments are vital when dealing with this particularly sensitive type of data. It is also essential that organizations implement robust technical safeguards such as access controls and encryption.
More recently, advances in genetics and the potential for the abuse of this data prompted the 2008 Genetic Information Nondiscrimination Act (GINA), which prohibits the use of genetic information in health insurance and employment contexts.
The US has also implemented several laws to protect individuals as they go about their financial business and, although these may be several decades old now, they continue to be highly relevant and stringent in their requirements.
The 2002 Sarbanes-Oxley Act requires financial security protocols which protect both companies and their customers from data theft by insider threats or cyberattacks; while the Gramm-Leach-Bliley Act includes data privacy and security requirements to protect personal information acquired through the provision of financial products or services.
More broadly applicable is the global Payment Card Industry Data Security Standard (PCI-DSS), which affects many of the fintechs founded around the world in recent years (unless they process credit card information via third parties).
Under PCI-DSS, accurate mapping of payment card data flows and robust contractual assurances from third parties are vital, as is the application of appropriate security measures such as encryption and access controls. As elsewhere, growing complexity in the data lifecycle is making the tracking of data flows an increasing challenge.
Information Security Frameworks
In the US, the National Institute of Standards and Technology (NIST) provides a commonly used cybersecurity standard, as well as a simplified version, the NIST Cybersecurity Framework Version 1.1, that is popular with smaller or early-stage enterprises. NIST requires the cataloging of systems and data assets in a risk register according to their CIA (confidentiality, integrity, and availability) risks and the potential impact level of each, followed by the definition, implementation, and monitoring of security controls to mitigate those risks.
While data protection regulations like the GDPR call for appropriate technical and organizational measures to mitigate risks to personal data, the NIST framework is more stringent in requiring that these measures actually work in the specific organization’s context.
ISO 27001 is an international standard for information security and risk assessment which lays out the specification for a robust Information Security Management System. It is particularly prevalent in Europe, and national frameworks—like France’s EBIOS—tend to be tightly aligned to it.
Although the risk assessment and mitigation framework of ISO 27001 is similar to that of NIST, the risk scoring methodologies of the two differ.
SOC 2 is a security certification developed by the Association of International Certified Professional Accountants. It amounts to an auditing procedure that ensures service providers manage data securely, protecting both the organizations that contract them and those organizations’ clients.
Increasingly, data controllers (organizations collecting personal data) consider SOC 2 certification to be a minimum requirement when weighing up SaaS providers.
Mozilla Rapid Risk Assessment or Rapid Risk Analysis (RRA) is a high-level framework intended to help organizations understand the data processed, stored or accessible by services—and from that the value and impact of a service to their reputation, productivity or profitability in light of any threats.
The Mozilla RRA process (which is only intended to take 30-60 minutes) depends upon readily accessible information: service and data inventories, and easy identification of owners, are key.
OWASP Threat Modelling
The mission of the Open Web Application Security Project (OWASP) Foundation is to enhance software security through open-source, community-led projects.
Through its proactive modelling of technical risks, OWASP Threat Modelling sits at the SecOps nexus that is increasingly bringing IT security and operations teams together in close collaboration. The framework is notable for its deep dive into technical architecture, rather than a more superficial risk assessment.