Industry Insights with Chris Brook, Editor - Data Insider, Digital Guardian

Standards, Regulations & Compliance

4 Changing International Data Protection Laws to Watch

Organizations Need to Know How Privacy Laws Affect Compliance Demands
4 Changing International Data Protection Laws to Watch

With an influx of state-specific data privacy laws in the U.S. stipulating that organizations be held accountable for the data they collect on consumers, it can get easy to lose sight of the steps forward other countries have taken when it comes to laws on data protection.

See Also: AI-Driven Strategies for Effective Cyber Incident Recovery

As any enterprise that does business globally knows, there's a handful of ever-changing rules and regulations to follow when it comes to data.

In its latest data security incident report, law firm Baker Hostetler looked at a handful that organizations should pay attention to.

The firm identified four international data protection law developments from the last 12 months it tracked that could affect organizations worldwide.

EU-US Data Transfers

Regulations around the flow of data have always been a little confusing for U.S. companies that do business with Europe. That was compounded in July 2020 after the Privacy Shield, an arrangement that allowed firms to share Europeans' data with the U.S., was invalidated, and even more so last year, when new specifications were rolled out. These changes - Standard Contractual Clauses , or SCCs - require data importers to confirm that they will only disclose personal data to a third party outside of the European Economic Area.

The European Union and the U.S. announced that they had agreed "in principle" to a new framework for cross-border data transfers. The arrangement - the Trans-Atlantic Data Privacy Framework - still needs to be translated onto legal documents and formally adopted on both sides, something that compliance officers will no doubt be tracking as we move forward as well.

Digital Guardian's industry-leading DLP can help organizations automatically identify and protect GDPR regulated data, whether it's in use, in transit or at rest.

China's New Data Protection Laws

China passed not just one but two data protection laws in 2021: the Data Security Law, in effect since Sept. 1, 2021, and the Personal Information Protection Law, in effect since Nov. 1 2021.

Integral to the DSL are data classification requirements. Organizations inside and outside of China that use and process data need to have a system in place that emphasizes data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation.

While organizations may not think that another country's data protection law applies to their company, PIPL in particular has global reach. The law covers the processing of personal information of individuals located in China, including when that data is processed out of China, such as when an organization offers goods and services in China or analyzes the behavior of individuals in China.

Cookies and Changes to Tracking Technology

This item isn't going to be a surprise for anyone who caught the recent news about how websites in France are being ordered to stop using Google Analytics, as the country's data protection authority, Commission Nationale de l'Informatique et des Libertés, or CNIL, has found the service conflicts with guidelines laid out by the General Data Protection Regulation.

Data protection authorities in the Netherlands, Finland, Italy, Turkey and China are weighing similar moves, considering action against companies that collect too much information on consumers. "Companies using non-essential cookies and other tracking technologies should be on the lookout for growing compliance demands," the law firm writes.

Healthcare Data

Organizations that collect healthcare data are no doubt aware of their obligations to the law but an increase in COVID-19 data, such as individuals' vaccination statuses, has muddied the water considerably. Ultimately, matters are being decided on a country-by-country basis; Ireland, for example, last summer said that "the collection of employee vaccination data is likely to be unnecessary and excessive with no clear legal basis."

The report is encouraging organizations to keep tabs on how their country views regulation around healthcare data to avoid scrutiny.

"The use of health data has continued to be a hot spot for proactive data protection authority audits, and individual complaints of alleged health data misuses have also resulted in a number of recent regulatory enforcement actions," the firm writes.

Digital Guardian's compliance solutions, which combine data discovery, data classification and data loss prevention, can locate and protect sensitive patient data in use, in transit and in storage throughout an organization's existing infrastructure and help enable care providers while protecting patient data.

Regardless which compliance regulations your organization is subject to, Digital Guardian's compliance solutions can help stop the theft or loss of regulated data such as personally identifiable information - PII - or personal health information - PHI - across communication channels, including data carried over SSL- encrypted sessions.

It's the industry's most easily deployed and managed enterprise DLP, protecting regulated data in healthcare, financial services, government, retail and other industries.

This article originally appeared on the Digital Guardian blog on April 12, 2022.



About the Author

Chris Brook, Editor - Data Insider, Digital Guardian

Chris Brook, Editor - Data Insider, Digital Guardian

Editor - Data Insider, Digital Guardian

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.




Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.