Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

3/29/2017
03:30 PM
Dimitri Sirota
Dimitri Sirota
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Privacy Babel: Making Sense of Global Privacy Regulations

Countries around the world are making their own privacy laws. How can a global company possibly keep up?

In the world of data privacy, the European Union General Data Protection Regulation (EU GDPR) has grabbed most of the headlines. But although the EU GDPR is a landmark piece of legislation and affects all companies that store or process data on EU citizens, it's by no means the only one that global organizations must now navigate.

Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending,   including China and Brazil. The impetus for the growing emphasis on data privacy and protection is consumers' widespread unease about the impact of digital business on the privacy of their data,   compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing, and sharing consumer and customer data.

The specifics of privacy legislation — whether in terms of consumer rights such as the "right to be forgotten," data retention requirements, or the need for data privacy officers  —  vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, penalties have grown in size, and regulators have become more comfortable using them.

In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it's the magnitude of the penalties for violations and the expressed willingness of regulators to impose a fine of up to 4% of a company’s worldwide revenue that is grabbing business attention.

In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform to the expanding definition of what constitutes personal data —  whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the Federal Communications Commission in the US.

In its recent enforcement decisions, Singapore's Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is "of a sensitive financial nature" is more likely to draw fines. For companies looking to comply with new privacy regulations, it will therefore increasingly be expected that they can find any personal data accurately across an extended enterprise.

Certainly, many regulations and requirements will more closely resemble the GDPR's provisions as they near approval and the governing principles will become a point of comparison. However, it's important to understand that differences in approach will persist. For instance, the EU's GDPR takes a comprehensive stance across a regional block. In contrast, the US is more of a patchwork, made up of state regulations and federal regulations that are often industry specific. A clear example of this is the current battle between the FCC and Federal Trade Commission on who gets to define digital privacy for carriers.

However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for having a data protection officer is only mandatory when the organization is a public authority and engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. Under Singapore's Personal Data Protection Act, it's up to the organization to decide whether it should appoint a full-time data protection officer or have the function subsumed under another responsibility.

So, how does a multinational company manage differing definitions of personally identifiable information and different requirements around subject access, notification windows, and processing traceability?

The first step is the most obvious one: mapping business operations to data privacy jurisdictions. And it's important to understand the underlying principles that frame the legislation: whether comprehensive, specific to an industry sector, or defined in collaboration with industry.

However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and, more importantly, accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you're storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data, and where that data is being used. Without that foundational knowledge, it's impossible to accurately determine whether an organization is compliant with a specific regulation. It's also impossible to govern that data. No intelligence, no control. And without control, the risk of penalties and breaches grows.

Related Content:

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/29/2017 | 8:44:58 PM
4%
> the expressed willingness of regulators to impose a fine of up to 4% of a company's worldwide revenue that is grabbing business attention.

Of course, saying one thing and actually doing it are two completely different things.  (I also strongly suspect that the EU will be harsher to US companies than European companies -- or possibly even other non-European countries.)

Take VW, for instance, and the regulatory scandal that emerged when it was discovered that VW had been misrepresenting facts about its diesel vehicles.  The amount the US government could have fined VW at maximum would almost certainly have bankrupted and destroyed VW.  That, of course, did not happen.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...