The GDPR Honeymoon is Over

June 13, 2022

Accountability is a foreign concept in most global political arenas, but it does hold a bit more weight when assigned to global corporations. Four years ago, last month, May 28, 2018, the European Union changed the face of information privacy and rewrote the meaning of organizational security and information risk with the passage of the General Data Protection Regulation. GDPR is a regulation in EU law regarding data protection and privacy in the European Union and the European Economic Area. The GDPR is a vital component of EU privacy law and of human rights law.

The law redefined what personal data and consent meant, imposed new data subject rights and brandished stiff penalties and fines for those not in compliance. GDPR became a compliance milestone for anyone who processes EU citizens’ personal data, while providing a harmonized standard for almost 500 million citizens. Despite that global impact, many influential countries, including the United States, China and Russia, have yet to adopt a national privacy regulation standard, whereas countries such as Bahrain, Israel, Qatar, Kenya, Nigeria, South Africa, Japan, New Zealand, South Korea, Argentina, Brazil and Canada have done so.

In the U.S., however, one state, California, did mirror the EU with a privacy law of its own. The California Consumer Privacy Act (CCPA) is a state privacy law that was signed by Governor Jerry Brown on June 28, 2018 and became effective on January 1, 2020. It grants consumers rights with respect to the personal information that businesses collect about them and requires businesses to be transparent about how they use personal consumer data. On March 2, 2021, Virginia passed its Consumer Data Protection Act (“CDPA”), the second comprehensive consumer data privacy law in the United States. The CDPA will go into effect on January 1, 2023. The CDPA applies to persons or entities that conduct business in Virginia or produce products or services offered to Virginia residents and that “control or process” personal data. The states of Washington and New York are also looking to fast-track similar privacy legislation.

But as global political and social issues strain the fabric of information privacy, in the EU and beyond, data privacy experts are worried that evolving cyber threats might undo some of what GDPR has accomplished.

“Now four years into the launch of GDPR, organizations must act to replicate their data across data centers in different countries and secure their encryption keys. While it is clear that the regulation has been fairly effective in keeping data within European borders thus far, other external influences such as international conflict and cyber criminals becoming more sophisticated are now throwing GDPR, and data privacy in general, through another loop,” says David Friend, co-founder and CEO, Wasabi Technologies. “No one knows what the geopolitical atmosphere will be like or how cybercrime will have evolved in, say, five years, and organizations do not want to end up in a situation where their data access is cut off due to war, ransomware, or other cyber threats. Therefore, effective data replication and encryption practices are more critical than ever.”

Adds Robert Former, CISO and VP of Security at Acquia: “GDPR forced the world to think about privacy in technology and how to build future technology that meets what GDPR requires. Companies have learned that when it comes to regulatory and compliance matters, paying attention after it’s too late can quite literally cost them everything. So, GDPR has also forced companies to take security seriously. There is no such thing as too much security and it’s important for companies to be sharply aware of their data i.e., what data you have and need versus what’s not necessary as well as understanding the controls legally required to accompany that data.

As we trend toward a data environment that’s increasingly regulated, bringing security into C-suite discussions becomes even more critical. We are out of the honeymoon phase, next is more enforcement.”

About the Author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated web portal SecurityInfoWatch.com. Steve can be reached at [email protected]