Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

3/29/2017
03:30 PM
Dimitri Sirota
Dimitri Sirota
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Privacy Babel: Making Sense of Global Privacy Regulations

Countries around the world are making their own privacy laws. How can a global company possibly keep up?

In the world of data privacy, the European Union General Data Protection Regulation (EU GDPR) has grabbed most of the headlines. But although the EU GDPR is a landmark piece of legislation and affects all companies that store or process data on EU citizens, it's by no means the only one that global organizations must now navigate.

Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending,   including China and Brazil. The impetus for the growing emphasis on data privacy and protection is consumers' widespread unease about the impact of digital business on the privacy of their data,   compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing, and sharing consumer and customer data.

The specifics of privacy legislation — whether in terms of consumer rights such as the "right to be forgotten," data retention requirements, or the need for data privacy officers  —  vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, penalties have grown in size, and regulators have become more comfortable using them.

In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it's the magnitude of the penalties for violations and the expressed willingness of regulators to impose a fine of up to 4% of a company’s worldwide revenue that is grabbing business attention.

In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform to the expanding definition of what constitutes personal data —  whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the Federal Communications Commission in the US.

In its recent enforcement decisions, Singapore's Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is "of a sensitive financial nature" is more likely to draw fines. For companies looking to comply with new privacy regulations, it will therefore increasingly be expected that they can find any personal data accurately across an extended enterprise.

Certainly, many regulations and requirements will more closely resemble the GDPR's provisions as they near approval and the governing principles will become a point of comparison. However, it's important to understand that differences in approach will persist. For instance, the EU's GDPR takes a comprehensive stance across a regional block. In contrast, the US is more of a patchwork, made up of state regulations and federal regulations that are often industry specific. A clear example of this is the current battle between the FCC and Federal Trade Commission on who gets to define digital privacy for carriers.

However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for having a data protection officer is only mandatory when the organization is a public authority and engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. Under Singapore's Personal Data Protection Act, it's up to the organization to decide whether it should appoint a full-time data protection officer or have the function subsumed under another responsibility.

So, how does a multinational company manage differing definitions of personally identifiable information and different requirements around subject access, notification windows, and processing traceability?

The first step is the most obvious one: mapping business operations to data privacy jurisdictions. And it's important to understand the underlying principles that frame the legislation: whether comprehensive, specific to an industry sector, or defined in collaboration with industry.

However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and, more importantly, accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you're storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data, and where that data is being used. Without that foundational knowledge, it's impossible to accurately determine whether an organization is compliant with a specific regulation. It's also impossible to govern that data. No intelligence, no control. And without control, the risk of penalties and breaches grows.

Related Content:

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is CEO and cofounder of data protection and privacy software company BigID. Prior to starting BigID, Dimitri founded two enterprise software companies focused on security (eTunnels) and API management (Layer ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/29/2017 | 8:44:58 PM
4%
> the expressed willingness of regulators to impose a fine of up to 4% of a company's worldwide revenue that is grabbing business attention.

Of course, saying one thing and actually doing it are two completely different things.  (I also strongly suspect that the EU will be harsher to US companies than European companies -- or possibly even other non-European countries.)

Take VW, for instance, and the regulatory scandal that emerged when it was discovered that VW had been misrepresenting facts about its diesel vehicles.  The amount the US government could have fined VW at maximum would almost certainly have bankrupted and destroyed VW.  That, of course, did not happen.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...