Regulate or perish, Understanding Data Regulation Today
If you’ve even been following the news, even casually, you would have noticed that a good part of 2018 was spent discussing data privacy or the lack of it thereof. What is now well established is that an average individual knowingly or unknowingly shares a substantial amount of their data with online services. The fight for individual privacy dates back to a Harvard Law Review article authored in 1890 by Brandeis and Warren. From the time of the “right to be let alone” back in 1890 to “the right to be forgotten” which became part of mainstream consciousness in 2014, the case for data privacy has gained considerable momentum. Now, organizations are being increasingly held accountable for protection of data they store of their employees and customer. The onus of protecting private data has undergone a shift from being an individual’s responsibility to being one of the organization’s responsibility.
Most regulations though ask for the same basic compliance of organizations:
- Know what you have
- Manage access to what you – and make sure it doesn’t fall in the wrong hands
- Protect / Save what you have – so you don’t lose it in case of a disaster
- Prove that you have processes that are doing the above on a regular basis
The only thing that is constant is that regulations are increasingly making organizations more and more accountable for the data they own – and that trend is unlikely to change, at least in our lifetimes.
The most recent in the series of regulations that have come into enforcement is the GDPR. GDPR is groundbreaking in several ways, not least of which is the fact that the penalties for non-compliance are steep – steep enough to get the attention of almost all businesses worldwide.
For one thing, the GDPR tends to place citizen rights on a higher plane than the Executive Branch’s right to collect information on its citizens. There is also a better attempt to define what ‘personal data is. This may not be as straightforward as simply saying let me look for PII – like Social Security #s or Aadhaar #s or PAN #s and remove them. Any data that singly OR in conjunction with other data to identify an individual. So, you need to be mindful of seemingly disparate pieces of information about a person which individually won’t uniquely identify them – but when to put together can uniquely identify a person. GDPR also has strict rules about notification and even going public within 72 hours of a breach. Also, as I mentioned earlier, GDPR has teeth, more so than previous regulations. It can hurt organizations where it matters most – penalties can be as high as 4% of annual revenues, not to mention the negative public relations fallout.
The GDPR came into effect in May of 2018, in an effort to protect the data of anyone residing in EU, and is designed to come into more complete effect during 2019. It has served to usher responsible management of personal data through mature IT governance, transparent processes and modern applications. Several nations have privacy protection laws already and many are following the lead of GDPR and are amending their laws to match the same rigor GDPR brings. Australia has the Privacy Act which came into effect in 2014. Japan has the Act on the Protection of Personal Information (APPI), South Korea has the Personal Information Protection Act (PIPA), Philippines, the Data Privacy Act (DPA), while Singapore and Taiwan both protect personal information using their respective Personal Data Protection Act (PDPA).
Closer home, India’s Information Technology ACT of 2000, doesn’t come close to the type of protection GDPR affords, but India has already drafted legislation in the form of the Personal Data Protection bill during 2018 and it probably won’t be long before India also has its own GDPR equivalent.
Like to know more about regulation, especially GDPR? How will GDPR affect your business? And how to comply with GDPR? Watch this space for more!