Taming the many-headed monster of data privacy law

If you think data privacy law is a minefield, you’re not alone. At our last count, there were 120 jurisdictions around the globe, each with their own data privacy legislation. Each set of legislation is as complex and intricate as the next 

How are you supposed to tame this multi-headed monster? How on earth did we end up here? Let’s look at the current state of global data protection legislation, where it’s headed and what you can do about it. 

Data is like gold – and it’s attracting pirates 

Over 15 years ago, Clive Humby coined the phrase “data is the new oil”. He wasn’t wrong: what we’ve seen since is an absolute gold rush. The pile of gold is growing too: according to IDC, the global datasphere will hold 175 zettabytes of data by 2025. 

Personal data is arguably the most valuable and sought-after subset of this data. Its value and sheer volume make it incredibly attractive to cybercriminals, and equally appealing to unethical businesses that sometimes handle personal data carelessly.  

This has also led to a deal with the devil: businesses that provide free services simply to collect information from us, which they then sell to the highest bidder. 

Nonetheless, there is a price to pay 

Lost private information that leaks out can severely damage the victim, including harm to their reputation. In one famous (if extreme) example, Texas plumber Mark Oberholtzer, owner of Mark-1 plumbing, sold his Ford F250 in October 2013 with an agreement that the decals bearing his company name and logo would be removed before the dealer resold the truck.  

The long and the short: those decals were never removed, the truck ended up in the hands of Syrian jihadis and Mark-1 Plumbing’s logo, including its phone number, was all over war news reports. 

Mark's situation demonstrates the dire consequences of neglecting the protection of personal information. Despite the risks, the hunger for quality data that companies can slice, dice and sell continues to grow, often leading to carelessness and costly fines for those who are negligent. Recall how Facebook paid a $5 billion fine for the 87 million records harvested by Cambridge Analytica. 

Consumer mistrust means action on data protection 

Given that vast quantities of data can go missing in a single sweep, it’s not surprising that consumers steadily became distrustful and demanded action. This has led to a patchwork of steps from major technology brands. For example, in 2021, Apple’s iOS added a range of privacy features, which gave users more control over app tracking. 

The actions from Apple alone reportedly cost major social media platforms a staggering $10 billion in lost revenue in a single year. This was a clear shot across the bow, signaling that the power dynamic was beginning to shift. 

But relying on a few well-intentioned vendors to protect data privacy won’t cut it – and with the data protection writing on the wall, governments have taken notice. 

The current data protection landscape 

Complex and tough to deal with, yes, but the 120-odd sets of data privacy laws we referenced earlier are an initial response to public demand for greater transparency and accountability in how their data is used. The message is clear: consumers won't tolerate the status quo, and change is coming whether businesses are ready or not. 

Data protection law falls into two broad categories. One set of laws focuses on specific sectors, such as healthcare data or financial data (think about HIPAA and PCI-DSS, respectively). Another set of laws are essentially omnibus, with broad applicability (the EU’s General Data Protection Regulation (GDPR) would be an example).

It is a fragmented state of affairs, with a mix of sectoral laws and omnibus laws from the supra-national (EU) down to the state level. California alone has 25 sets of data protection laws to contend with. 

The EU sets the trend – but the US takes a different route 

Arguably the biggest splash in terms of the data privacy landscape is the European Union's GDPR law. Introduced in 2018, it is a robust data privacy framework – and still one of the most encompassing frameworks anywhere in the world. Legislation published after GDPR often mirrors GDPR’s core principles of notice, choice, and security. 

It’s worth noting that, unlike many other countries, the United States has no single overarching data privacy law. Instead, there's a patchwork of federal laws targeting specific industries (HIPAA for healthcare, FCRA for credit reporting, COPPA children's online data, etc.). 

The US therefore has 20 industry-specific laws and about 100 state-level laws. This means that even if your organization does not have international clients, it’s still facing a patchwork of laws if any of its clients are out of state. 

What new data privacy legislation is coming? 

The volume of legislation certainly isn’t decreasing, that’s for sure – and part of the heartache is helping organizations to adapt to this rapidly changing landscape. 

EU-US Data Privacy Framework 

One of the main difficulties many businesses experience is handling the flow of data between the EU and the US, particularly given the scope of GDPR. It’s led to years of legal uncertainty and the EU-US Data Privacy Framework (DPF) aims to change that.  

The DPF comes after both the Safe Harbor Framework and Privacy Shield were invalidated by European courts – with the DPF promising a more robust legal mechanism. 

It focuses on core privacy principles like notice, choice, security, and accountability. Companies must provide transparency about their data practices, give users options for opting out, and implement strong safeguards. 

However, it’s taking time to get the DPF approved – and there’s no date yet for implementation. It’s nonetheless worthwhile to keep an eye on its progress. 

More EU data protection trendsetting 

With GDPR settling in, the EU is moving forward with further steps. The EU Data Act is a 2022 EU proposal that intends to make data sharing and use easier by setting standards at an EU-wide level rather than at the level of individual EU member states. 

The EU Data Act focuses on cloud devices and service providers and builds on top of GDPR – while aiming to learn from mistakes made. The scope of the Data Act is also beyond personal data to deal with all data. One of the aims includes obliging businesses to open their data to the users that help to create it – including through allowing users to provide this data to third parties.  

The world’s first regulation on the use of AI is also on the way, with the proposed EU Artificial Intelligence Act. The proposed legislation uses a risk classification system that applies different degrees of legislation depending on the risk.  

At the minimal-risk end of the spectrum, scenarios such as AI applied to e.g. spam filters, or AI in video games would be subject to very limited regulation. In turn, at the high-risk end of the spectrum, the law covers autonomous vehicles, medical devices, and credit scoring – where rigorous testing, documentation and human oversight would apply. 

Challenge of the multi-headed Hydra 

A fearless serpent with many regenerating heads, the mythological Hydra, is a good metaphor for the challenge businesses face trying to stay ahead of data compliance law. Just as you think you've gotten a handle on one jurisdiction's laws, new ones emerge, or existing ones expand in scope. 

The headache isn’t just for large multinational corporations (that presumably have large legal departments), it affects businesses of every size. Have employees, customers or even just a website accessible in a given region? Chances are you’re subject to the corresponding data privacy laws. 

Slaying the regulations 

Your first step is to obtain legal counsel specializing in privacy law, which is essential. Much of your approach will come down to what’s practical and accepted to do, as well as what minimizes your risk exposure. Legal experts ensure your compliance efforts are effective, not just symbolic. 

Take a strategic approach to targeting the most impactful parts of legislation, just like targeting the hydra’s immortal head. Regulations vary but they do share common principles – and focusing on the most restrictive overlapping laws is essentially targeting the Hydra's 'immortal head'. It’s an approach where you will most likely end up compliant with many of the requirements of less stringent regulations as well. 

Three elements to get data protection right 

Going for the jugular – and a multi-pronged approach for the rest. Strength, insight and cooperation will get your organization in a place where it can slay burgeoning data privacy regulation. 

For a start, a strong approach means "reasonable and appropriate" security measures – from technical safeguards (such as encryption and access controls) to strong policies and procedures. 

Insight also matters and means regularly assessing the compliance landscape, as well as your data landscape. In other words, understand what data your organization stores and how it is used.  

But it’s also a matter of teamwork, and if there’s one thing that’s become clear, it’s that data privacy can’t be just the IT department’s problem. It requires a cross-functional team involving legal, HR and key business stakeholders. 

A toolset to slay legislation 

The fight for data privacy is never truly over. New threats and new regulations will continue to emerge – and the requirements are likely to become more extensive.  

Meeting these compliance obligations needs to be integral to organizational culture. And the time to act is now. Assess your data privacy posture and ensure you have the strength, insight and teamwork required to face the regulatory Hydra head-on. 

But your toolset also matters – it’s a superhuman ask, after all. One of the key tools in your arsenal is identity management, which keeps outsiders outside. Think of a Unified Identity Security Platform as your modern-day sword and shield. It brings strength (through identity governance and administration as well as privileged access management), insight (knowing who has access to what, and why) and enables teamwork by connecting your entire identity security ecosystem. One Identity’s Identity Governance and Administration capabilities empower you to slay the many-headed Hydra of data privacy regulations, safeguarding both your data and your reputation. 

Related Content