With multiple US states adopting GDPR-like legislation, and MENA countries also enacting stringent privacy legislation, securing personal data is more crucial than ever.
In the 1960s, privacy pioneer Dr. Alan Westin defined the concept of data privacy as:
...the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
By the 1990s, much of the world had adopted this definition, and Westin is considered as the father of modern privacy legislation. However, the scope of the data requiring protection has changed beyond recognition since that time.
Several factors have influenced the changes in the data environment, including:
The volume of digital data stored globally is doubling every 2 years. By 2019, 45 trillion GB of data existed worldwide, with 1GB equating to approximately 60,000 pages of email. In the last decade, companies have invested around $5 trillion in data storage alone. Digitization means that 98% of data is never put into paper format. Digital data storage and retention is hugely expensive.
This has made data privacy increasingly complicated. Basically, governments struggle to understand fast-paced developments in technology and legislate accordingly. For example, the Metaverse interacts with HIPAA requirements, given the existence of telemedicine. AI and machine learning may create a whole further set of data privacy challenges.
For example, the EU General Data Protection Regulation (GDPR), enacted in 2018, requires compliance from all organizations handling the personal data of EU data subjects. Hefty penalties, often highly publicized, are imposed for noncompliance. The US has no uniform equivalent to the GDPR and has traditionally relied on a patchwork of industry-specific regulations designed to protect consumers. However, many US states are now enacting data privacy legislation that resembles the GDPR. For example, California, Connecticut, Utah, and Virginia are enforcing legislation in 2023, while Michigan, Ohio, and Pennsylvania did so in 2022. In due time, other states have indicated that they will follow suit.
In the EU, data privacy is approached from a human rights perspective, while consumer protection has been the main approach in the US. New regulatory frameworks are now coming into play across the US and globally that take the same stringent, rights-based approach to protecting data subjects as the EU takes with the GDPR. This extends to the MENA region, with Saudi Arabia and UAE just two examples of countries that have brought in a Personal Data Protection Law (PDPL) in recent years.
All organizations that process data related to individuals residing within the EU must comply with the GDPR. In summary, the main stated goals of the GDPR regulation include:
A DPO, or Data Protection Officer, is a mandatory role defined in the GDPR. Under the GDPR, organizations must appoint a DPO if they fall into any of the following categories:
If you fall into any of these categories and fail to appoint a DPO, you can face penalties of up to €10 million, or 2% of your annual turnover. Occasionally, these huge fines make headlines and can cause much reputational damage to an organization. For example, in 2021, Amazon was fined $887 million (the largest GDPR fine ever) and WhatsApp was fined $227 million for breaches of the GDPR. Meta kicked off 2023 with a $400 million fine from the Irish Data Protection Commissioner in relation to ad targeting and data handling practices that were judged to be in breach of the GDPR. In the longer term, hiring a qualified DPO can result in substantial long-term savings for businesses.
A DPO monitors compliance, provides information and advice, coordinates with the supervisory authority, and serves as a privacy consultant. In our current regulatory landscape, it's no longer enough to have a Chief Information Security Officer (CISO) to oversee the technical aspects of data security. Unquestionably, DPOs (sometimes called Chief Data Officers) are also necessary to take the lead on data governance and strategy. Basically, DPOs advocate for the customer whose data is being processed.
A DPO acts like a regulator within your organization. In order to fulfill their roles effectively, DPOs must be entirely free from conflicts of interest. This means that they cannot:
A DPO can, however, report to a C-suite executive or to the Board of the organization that employs them. However, an employer cannot instruct their DPO on any aspect of how to investigate a complaint, the desired result of an investigation, or whether or not to consult the Supervisory Authority. The GDPR also prohibits employers from encouraging their DPO to follow any specific interpretation of data protection law. Additionally, an employer cannot fire a DPO for making an unfavorable decision.
While the concept of an independent DPO with no conflicts of interest is relatively new to the US, it has existed in Europe for quite some time. Although the role of DPO is specific to the GDPR, it is increasingly relevant across the world, with legislation similar to the GDPR increasingly coming into effect.
If you are an enterprise, you are ultimately responsible for compliance under the GDPR, not your DPO. Furthermore, you must provide your DPO with certain supports. These supports include:
Additionally, you must publish the contact details for your DPO and provide these details to the relevant regulatory authorities. In fact, appointing a DPO with a conflict of interest can result in a €10 million fine or a fine of 2% of the company's annual global turnover (whichever is greater).
In truth, any effective action you take to support your DPO can only result in a win for the well-being of your organization. Compliance with data protection and privacy regulation is not only the ethical option. In the long run, it is also great for your organization's reputation and financial welfare.
Provide comprehensive data privacy training as an inherent part of your employee on-boarding process, as well as ongoing refresher training. The massive transition to work-from-home in 2020, and subsequently to hybrid working models, was accompanied by the migration of huge amounts of data to the cloud. Obviously, the need to cultivate a robust employee awareness of security and privacy concerns is more vital than ever before.
Having a public-facing privacy policy is great, but it must adhere to all the current legislation around privacy that is relevant to your organization. Specifically, in the current rapidly changing regulatory environment, this means regularly reviewing the policy and ensuring that any changes to it are clearly and accurately communicated both to employees and your public.
Vendors processing data on your behalf must comply with any new data privacy legislation. Accordingly, it's vital to ensure that vendor contracts reflect any new obligations.
Use strategies such as predetermined workflows, digital rights management, and data retention policies to ensure your data life cycle is compliant with the regulatory requirements for your industry.
There are various tools available on the market that enable compliance with data privacy regulations. FileCloud's hyper-secure file-sharing platform, for example, with its fully integrated compliance and security features, is one of the most robust. With FileCloud's user-friendly Compliance Center, you can easily organize your data compliance rules and parallel security features. Additionally, you can adjust configuration settings without the use of complicated code, save and share event logs with relevant personnel, and explore data privacy best practices.
To find out more about how FileCloud can help with your GDPR and other compliance needs, check out our YouTube webinar How FileCloud's Compliance Center can help you meet GDPR compliance.
You can start a free trial of FileCloud at any time to see for yourself. In fact, you can sign up any time for a 15-day trial for FileCloud Online. If you wish to try out FileCloud on your own infrastructure, you can have a 30-day free trial of FileCloud Server.
Baker Donaldson. (Producer). (2022). Privacy and Data Protection for the New Year [Video].
https://www.youtube.com/watch?v=8664IWxwgZE
Banker Donaldson. (Producer). (2022). Ethical Issues in Defensible Disposition [Video].
https://www.youtube.com/watch?v=ZsAkND61hV4&t=366s
Farber, D. (Producer). (2018). Everything you Need to Know about The Data Protection Officer Role [Video].
https://www.youtube.com/watch?v=AMDmeCvPHbM
World Bank Group. (Producer). (2022). Data Privacy Day 2022 | Roundtable with Global Data Protection Authorities [Video].
https://www.youtube.com/watch?v=0KSn8S41Z7I
Written by Deirdre Clancy, Technical Content and Communication Manager