Are Data Privacy Regulations Hindering Globalization?

Here's A Review Of Worldwide Trends

Dan Gunderman

Almost everywhere you look within the cyber security realm, you’ll see discussion of data – it could be identification, classification, management, privacy, etc.

The data privacy frenzy has only deepened in 2018, with the rollout of the General Data Protection Regulation (GDPR), a sweeping mandate out of the European Union (EU) imposing strict controls over enterprises maintaining individual data. The regulation creates the Data Protection Officer (DPO), imposes a 72-hour breach notification window and requires clear permissions and accessible opt-out, among other stipulations.

Many U.S. enterprises are subject to the European regulation – think multinational organizations which handle citizen data from across the world. As such, the patchwork system in the U.S. is now under the microscope – with some states (the California Consumer Privacy Act and New York’s DFS Regulation, for example) taking it upon themselves to impose strict rules.

But through this regulatory maze, is there a sense of unification and global governance? Does each regulation create immeasurable distance between each governing body?

Or, better yet: Does comprehensive data privacy regulation take away from a free-flowing global market? Or is the opposite true – and it actually enables global collaboration?

Does Globalization Take A Step Back?

According to Jim Livermore, Principal, Global Director of Information Security, CDM Smith, “Data privacy regulations, especially GDPR, add complexities to business processes that hinder efficiency and increase the cost of doing business globally.”

He said such regulations are making companies evaluate their operations in Europe, and could seriously alter business models.

Lisa Tuttle, CISO, SPX Corporation, however, elaborated on the usefulness of relevant regulations. “(They) support a free-flowing global market,” she told the Cyber Security Hub. “(But), the challenge is that most lawmakers are not technology savvy and don’t fully appreciate the operational impact of broad requirements they impose in legislation.”

Tuttle suggested that companies are not intentionally mishandling personal data. Instead, they’re constrained by legacy systems and infrastructures that weren’t implemented in the wake of privacy and security-by-design principles.

See Related: Here's Why The Board Must Be Present In Cyber Strategy

Cyber Security and Information Security Executive, Candy Alexander, told the Cyber Security Hub that “comprehensive data privacy regulations are taking away from…the global market/trade.”

She said the regulatory response to existing practices is “long overdue.” The executive even suggested that organizations “don’t take their role in protecting (data) seriously enough.”

“So…once again governments are stepping in and creating legislation or regulations to force the issue.” Yet, Alexander called some of this legislation “too prescriptive.”

She advocated for privacy regulations that define the “what,” whereas those that describe the “how” land enterprises in hot water.

What Does The Future Hold?

Moving ahead, a number of scenarios in the data privacy front could pan out. The U.S. may enforce a comprehensive data privacy regulation while Europe fortifies existing mandates. Then, patchworks slowly give way to unified data governance.

But there are numerous forecasts for the protection of sensitive data. The cyber security experts weighed in.

CDM Smith’s Livermore said data privacy regulations will “continue to expand” and factor into the marketplace. The result here, he said, could be a competitive edge for those who keep up.

See Related: Data Privacy Expert Defines 'Moving Target Defense'

SPX Corporation’s Tuttle added that, “Changing the corporate culture to implement a privacy and security framework, educating stakeholders on requirements and operationalizing compliant data governance processes are critical as digital transformation takes hold in companies.”

Alexander piggybacked off of these thoughts, saying that data privacy will only widen in the enterprise – and become increasingly complicated.

“We’ve already seen the State of California clipping the heels off the EU and the GDPR,” she said. “This will affect all business, not just the enterprise. You know the cliché, with the connectivity of the internet, our world is borderless…”

Elsewhere, the executive said that large enterprises will be more reliant on privacy professionals, and it’s not necessarily a “wise choice” to assume a security practitioner can simply step into the privacy role.

Because of that selectivity, Alexander predicted a staffing gap in privacy similar to that seen in (strictly) cyber security.

These educated guesses aside, one statement remains true: Protected data is abundant and causing headaches around the world; that means within governing bodies and even the SOC.

Stay tuned to the Cyber Security Hub for more coverage of the data privacy vertical!

Be Sure To Check Out: What To Do In An Age Of Never-Ending Cyber Threats