Sunday, January 29, 2023

4 Data Privacy Law Issues You Need To Know For 2023

Data privacy issues have been prominent in our society for the last few years, especially since the COVID-19 pandemic broke out. New laws had already been introduced before then, most notably the GDPR and the CCPA.

But at the height of the pandemic, many regulatory agencies backed off from enforcement actions because of the financial constraints that businesses were under. That is now past news: more audits and financial penalties are taking place. New data privacy laws have also emerged, some of which include the following:

* The American Data Privacy and Protection Act (also known as the ADPPA). More information about this bill can be seen at the link below:

https://www.darkreading.com/edge-articles/federal-privacy-bill-that-would-preempt-state-privacy-laws-faces-uncertain-future

* New initiatives for the Privacy Shield Program, which was inaugurated by the FTC;

* It is expected that China and India will be introducing some serious legislation this year as well.

At this point, at least 100+ countries either have some sort of data privacy law enacted or will be introducing some kind of legislation in the near future. But here in the United States, what will 2023 be like for data privacy? Here are some clues:

1) Tighter budgets:

Given the fears of inflation and the recent wave of tech layoffs, IT budgets are almost certainly going to be trimmed more than expected. This means that organizations are going to have to do more with less: there will not be an open-ended wallet for the deployment of new controls. Companies will probably have to make do with what they already have, or simply upgrade it in the hope that it will be compliant with the data privacy laws.

2) You need a good contact:

Even though budgets are expected to be tight, that does not mean you can be negligent in your compliance duties. A recent trend has been to hire a so-called Data Privacy Officer, also known as a DPO. This has typically been a full-time position with benefits, much like the CISO. But now that many companies are cutting back, this role is being cut as well. All is not lost, though. There are many cyber vendors out there who offer DPO services on a contractual basis, much like the vCISO. The advantage of hiring this kind of individual is that they are paid on a contractual basis, and you can hire them and release them on an as-needed basis. This offers a lot of scalability to the business. For example, if you find yourself conducting a Risk Assessment, you can always hire a virtual DPO for a fixed amount of time to help you with your assessment and examine the state of your controls. The cost of hiring a vDPO is far, far less than hiring one outright.

3) The need to be informed:

As mentioned, the number of data privacy laws coming out is only going to grow this year, not just in the United States but worldwide. However, keep in mind that you will not be impacted by all of these laws. Rather, the determining factors are going to be how large your company is, your gross revenue, where your offices are located, and, most importantly, where your customers are located. This can be quite confusing nonetheless, so it would be a good idea to consult your business attorney to see which laws impact you. If they cannot answer this, they should be able to refer you to a lawyer who is well versed in data privacy. Again, there are many attorneys out there who offer these kinds of services on a virtual basis, for a very affordable price.

4) It's not all about money:

When a business owner thinks of a fine or an audit, the financial aspects very often come to mind first. But regulators are going to step away from this trend and offer newer and different kinds of penalties. For example, other than being penalized with a stiff fine, members of the C-Suite can now also be held criminally liable. Whether it is fair or not, in the end the buck stops with them. Even the Board of Directors may be tried this way as well.

My Thoughts On This:

Whether these predictions pan out this year is still something that remains to be seen. But one thing is for sure: with inflation and the recent tech layoffs, it won't be easy for companies to come into compliance with the data privacy laws, even if they have the best intentions of doing so. Because of these uncertain times, perhaps regulators and auditors should give Corporate America yet another break like they did during the pandemic.

But only time will tell.
