Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

3/29/2017
03:30 PM
Dimitri Sirota
Dimitri Sirota
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Privacy Babel: Making Sense of Global Privacy Regulations

Countries around the world are making their own privacy laws. How can a global company possibly keep up?

In the world of data privacy, the European Union General Data Protection Regulation (EU GDPR) has grabbed most of the headlines. But although the EU GDPR is a landmark piece of legislation and affects all companies that store or process data on EU citizens, it's by no means the only one that global organizations must now navigate.

Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending,   including China and Brazil. The impetus for the growing emphasis on data privacy and protection is consumers' widespread unease about the impact of digital business on the privacy of their data,   compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing, and sharing consumer and customer data.

The specifics of privacy legislation — whether in terms of consumer rights such as the "right to be forgotten," data retention requirements, or the need for data privacy officers  —  vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, penalties have grown in size, and regulators have become more comfortable using them.

In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it's the magnitude of the penalties for violations and the expressed willingness of regulators to impose a fine of up to 4% of a company’s worldwide revenue that is grabbing business attention.

In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform to the expanding definition of what constitutes personal data —  whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the Federal Communications Commission in the US.

In its recent enforcement decisions, Singapore's Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is "of a sensitive financial nature" is more likely to draw fines. For companies looking to comply with new privacy regulations, it will therefore increasingly be expected that they can find any personal data accurately across an extended enterprise.

Certainly, many regulations and requirements will more closely resemble the GDPR's provisions as they near approval and the governing principles will become a point of comparison. However, it's important to understand that differences in approach will persist. For instance, the EU's GDPR takes a comprehensive stance across a regional block. In contrast, the US is more of a patchwork, made up of state regulations and federal regulations that are often industry specific. A clear example of this is the current battle between the FCC and Federal Trade Commission on who gets to define digital privacy for carriers.

However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for having a data protection officer is only mandatory when the organization is a public authority and engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. Under Singapore's Personal Data Protection Act, it's up to the organization to decide whether it should appoint a full-time data protection officer or have the function subsumed under another responsibility.

So, how does a multinational company manage differing definitions of personally identifiable information and different requirements around subject access, notification windows, and processing traceability?

The first step is the most obvious one: mapping business operations to data privacy jurisdictions. And it's important to understand the underlying principles that frame the legislation: whether comprehensive, specific to an industry sector, or defined in collaboration with industry.

However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and, more importantly, accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you're storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data, and where that data is being used. Without that foundational knowledge, it's impossible to accurately determine whether an organization is compliant with a specific regulation. It's also impossible to govern that data. No intelligence, no control. And without control, the risk of penalties and breaches grows.

Related Content:

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/29/2017 | 8:44:58 PM
4%
> the expressed willingness of regulators to impose a fine of up to 4% of a company's worldwide revenue that is grabbing business attention.

Of course, saying one thing and actually doing it are two completely different things.  (I also strongly suspect that the EU will be harsher to US companies than European companies -- or possibly even other non-European countries.)

Take VW, for instance, and the regulatory scandal that emerged when it was discovered that VW had been misrepresenting facts about its diesel vehicles.  The amount the US government could have fined VW at maximum would almost certainly have bankrupted and destroyed VW.  That, of course, did not happen.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...