Since the GDPR came into effect in May 2018, it has helped trigger a wave of new data protection regulations across the world. From Brazil and Mexico to China and New Zealand, 16 countries have announced plans to introduce GDPR-style legislation, alongside the 28 current member states of the European Union.
While there has been little movement at a federal level in the US, this isn’t true when it comes to state legislation. The California Consumer Privacy Act comes into force in January 2020, bringing in GDPR-style rules that will cover 40 million people. Twelve further US states, from Massachusetts and Rhode Island to Nevada and Texas, also have proposed bills in the works. All told, over 62% of the global population is set to be covered by tougher data protection legislation.
Across all of this legislation, six major takeaways have emerged.
The GDPR covers more countries than you think
Clearly, the GDPR extends across all the countries in the European Union, but it actually goes further afield. It also applies to the three other countries in the European Economic Area (Iceland, Liechtenstein and Norway), as well as EU-dependent countries and territories such as French Guiana, Guadeloupe and Réunion. So any business dealing with residents of these countries and territories needs to comply with the legislation as well.
Some regulations aim to protect local businesses
Where data is stored and processed is becoming more strictly governed under new legislation. For example, in Russia, all data relating to Russian citizens must be processed in the country. This will mean additional costs, and the need to set up local data centers in some countries, if you want to do business with their citizens.
Fines for non-compliance are rising
The GDPR introduced tough penalties for those that fail to comply with the legislation – €20 million or 4% of annual turnover – and Google is already facing a fine of US$57 million. Regulations around the world are levying similar penalties, with fines in Brazil, for example, amounting to 2% of gross sales or a maximum sum of US$12.9m per infringement.
Legislation crosses borders
In the same way that the GDPR covers any business handling the personal data of those living in the European Union, many new regulations also apply across borders. So where you are based as a business is irrelevant – you may still be covered by legislation if you handle the personal data of customers in a particular country.
The definition of personal data is expanding
The GDPR expanded the definition of personal data to include biometric information and identifiers such as IP addresses. Other countries and states are going even further – in China, web browsing histories will need to be protected, while in California personal data includes anything that links to a particular household, not just an individual consumer.
It isn’t your data anymore
The balance of power is shifting when it comes to data ownership, with phrases such as ‘informed consent’ and ‘limited use’ common to many new regulations. Essentially, businesses have to change their approach to data from seeing themselves as its owners to being guardians, responsible for protecting information and only using it for specific, defined and agreed purposes.
As we’ve seen, a lot of the regulations that are now being introduced use the GDPR as a template. This, however, presents an opportunity because it means that businesses can adopt a broadly common approach across the globe, tweaked as necessary for individual countries. This should make legislative compliance more straightforward by following ten steps:
1. Identify where your data is
Create a record of every database, everywhere across your business, and who has access to it.
2. Identify what your data is
Analyze the type and sensitivity of your data and categorize it according to a taxonomy so that you can identify which information needs protecting.
3. Identify where the risk lies
Once you know where your data is, and what it covers, you should be able to see clearly where the risks are, and therefore be able to take steps to address them.
4. Protect: Reduce the attack surface area
An increasing number of data breaches are due to unauthorized access by staff, contractors and third parties. Therefore, ensure you have the internal safeguards in place to create a ‘least access’ methodology, where people can only see the data they need to do their jobs.
5. Protect: Mask data outside production
Production databases are often used in development and testing to ensure that new code functions correctly. However, allowing access to sensitive data outside production is clearly a risk, so use data masking to anonymize and encrypt information so that it remains realistic but is protected.
6. Introduce DevOps: Standardize team-based development
The same developers are increasingly involved in developing the database as well as the application. Ensure you adopt a standard approach to remove confusion and make collaboration and management simpler.
7. Introduce DevOps: Version control database code
Ensure that there is a single version of truth by version controlling database code in the same way, and integrating with the same tools, as application code. This not only speeds up development, but also provides an audit trail that can be used to demonstrate compliance.
8. Introduce DevOps: Automate where possible
Reduce the risk of human error by automating as many processes as possible. This can help to spot errors early but also aligns with data privacy requirements through a clear audit trail and documented, repeatable processes.
9. Watch: Back up every change
Data privacy regulations mean that existing backup schedules may need to change. For example, given that data should be held for no longer than is necessary, it will need to be removed from backups as well as the original database itself. Backups will also need to be encrypted and managed centrally in a documented, compliant manner.
10. Watch: Monitor for compliance
Stricter data privacy regulations mean that database monitoring needs to move to the next level, covering areas such as monitoring access and reporting breaches as soon as they occur.
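As an added example (not code from the original article or from the author’s own tooling), the following Python sketch ties steps 2, 4 and 5 together: a column taxonomy drives a masking routine for a non-production extract, a keyed HMAC keeps masked identifiers consistent across tables so joins still work, IP addresses are generalised rather than kept, and any column missing from the taxonomy fails closed. The column names, taxonomy and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical column taxonomy (step 2): the category, not the column
# name, decides how a value is masked before it leaves production (step 5).
TAXONOMY = {
    "customer_id": "identifier",
    "email": "direct_identifier",
    "full_name": "direct_identifier",
    "last_ip": "ip_address",
    "plan": "non_personal",
}

def pseudonym(secret: bytes, value: str, length: int = 12) -> str:
    """Keyed, deterministic token: the same input always maps to the same
    output, so referential integrity survives, but without the key the
    original value cannot be recovered from the token."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:length]

def mask_row(row: dict, secret: bytes) -> dict:
    out = {}
    for col, val in row.items():
        cat = TAXONOMY.get(col, "unclassified")
        if cat == "non_personal":
            out[col] = val
        elif cat == "identifier":
            out[col] = pseudonym(secret, str(val))
        elif cat == "direct_identifier":
            # Keep a realistic shape for test data, but drop the real content.
            token = pseudonym(secret, str(val), 8)
            out[col] = f"user_{token}@example.invalid" if col == "email" else f"Person {token}"
        elif cat == "ip_address":
            # Generalise to the network prefix so one household cannot be singled out.
            addr = ipaddress.ip_address(str(val))
            prefix = 24 if addr.version == 4 else 48
            out[col] = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)
        else:
            # Fail closed: an unclassified column never leaves production unmasked.
            out[col] = None
    return out

def mask_table(rows: list, secret: bytes) -> list:
    return [mask_row(r, secret) for r in rows]

SAMPLE = [  # constructed sample rows, not real customer data
    {"customer_id": 1001, "email": "ann@example.com", "full_name": "Ann Example",
     "last_ip": "203.0.113.77", "plan": "pro", "notes": "called about invoice"},
    {"customer_id": 1001, "email": "ann@example.com", "full_name": "Ann Example",
     "last_ip": "2001:db8:abcd:1234::5", "plan": "pro", "notes": "renewed"},
]
```

The masking key must be held in production only; anyone with both the key and the masked extract could re-link tokens to the originals, so treat it like any other production secret.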
The combination of the GDPR and greater consumer concern about data privacy has transformed the global data landscape. Wherever you’re based, and wherever you operate, it’s likely you’ll need to comply with local regulations – now is the time to ensure you have the processes in place to be compliant moving forward.