Data privacy issues have been prominent in our society for
the last few years, especially once the COVID-19 pandemic broke out. New laws had already been introduced before then, most
notably the GDPR and the CCPA.
But at the height of the pandemic, many regulatory agencies
backed off from enforcement actions, given the financial
strain that businesses were under. Now
that this is past news, more audits and financial penalties are taking
place. In addition, new data privacy
laws have emerged, some of which include the following:
*The American Data Privacy and Protection Act (also known as the
ADPPA). More information about this bill
can be seen at the link below:
*New initiatives for the Privacy Shield Program, which is
enforced by the FTC;
*It is expected that China and India will be introducing
some serious legislation this year as well.
At this point, at least 100+ countries either have some
sort of data privacy law enacted, or will be introducing some kind of legislation
in the near future. But here in the
United States, what will 2023 be like for data privacy? Here are some clues:
1)
Tighter budgets:
Given the fears of inflation and
the recent wave of tech layoffs, IT budgets are almost certain to be trimmed
more than expected. This means
that organizations are going to have to do more with less. There won't be an open-ended wallet
for the deployment of new controls.
Companies will probably have to make do with the controls they already have, or
upgrade them, and then map those existing controls against the requirements of the data
privacy laws that apply to them rather than simply hoping they will be compliant.
2)
You need a good contact:
Even though budgets are expected to
be tight, it does not mean that you can be negligent in your compliance duties.
A recent trend has been to hire a so-called Data Protection Officer, also known as
a DPO. This has typically been a full-time position
with benefits, much like the CISO. But
now, since many companies are cutting back, this role is being cut as well. But all is not lost yet. There are many Cyber vendors out there who
offer DPO services on a contractual basis, much like the vCISO. (For organizations subject to the GDPR, this is explicitly permitted: Article 37(6) allows the DPO to fulfil the role on the basis of a service contract, and the mandatory-appointment triggers in Article 37(1) still apply regardless of budget.) The advantage of hiring this kind of individual
is that they are paid on a contractual basis, and you can engage or release them
on an as-needed basis. This offers a lot
of scalability options to the business.
For example, if you find yourself conducting a Risk Assessment, you can
always hire a virtual DPO for a fixed amount of time to help you with your
assessment and examine the state of your controls. The cost of hiring a vDPO is far,
far less than hiring one outright.
3)
The need to be informed:
As mentioned, the number of data
privacy laws coming out is only going to grow this year, not
just in the United States, but worldwide as well. However, keep in mind that not every one of
these laws will apply to you. Rather,
the determining factors are going to be the size of your company (usually measured by
gross revenue or by the number of consumers whose data you process), where your offices are located, and most importantly,
where your customers are located as well. Most of these laws set explicit thresholds on those factors, so the first step is to check your own numbers against them.
This can be quite confusing nonetheless, so it would be a good idea to
consult with your business attorney to see which laws impact you. And if they cannot answer this, then they
should be able to refer you to a lawyer who is well versed in data
privacy. Again, there are many attorneys
out there who offer these kinds of services on a virtual basis as well,
for a very affordable price.
4)
It’s not all about money:
When a business owner thinks of a
fine or an audit, the financial aspects very often come to mind first. But regulators are going to step away from
this trend, and introduce newer and different kinds of penalties. For example, other than the business being penalized with
a stiff fine, members of the C-Suite can now also be held personally and even criminally liable as
well. Whether it is fair or not, in the end
the buck stops with them. Heck, even the
Board of Directors may be tried this way also.
My Thoughts On This:
Whether these predictions pan out or not this year is still something
that remains to be seen. But one thing's
for sure: with inflation and the recent tech layoffs, things won't be easy
for companies to come into compliance with the data privacy laws, even if
they have the best intentions in doing so.
Because of these uncertain times, perhaps regulators and auditors should
give Corporate America yet another break like they did during the pandemic.
But only time will tell.