Global cyber regulations: what we know and preparing for what we don’t
The risk of loss of personal data, theft of intellectual property (IP) and other cyber attacks on business has risen dramatically, with an estimated 39% of UK-based businesses having reported cyber security breaches or attacks in 2021. The digital technology and online systems organisations rely on for critical business and operational tasks continue to grow and diversify. With this ever-growing dependence on technology comes a greater risk of cyber incidents, not only for the organisation itself but for the state in which these business operations take place.
In response to this fast-changing landscape, organisations are facing increased compliance and regulatory pressures across the globe. Increasing divergence in national regulations covering data, cyber and technology creates challenges for global businesses seeking to comply with a growing number of rules and regulations. This has required greater involvement from legal counsel and other groups to ensure continued effective compliance and protection in the cyber security domain.
What challenges do these changes create for organisations? And what do they need to be aware of to stay ahead and thrive in this increasingly complex environment? Proactively understanding the risks you face and drivers of regulation has never been more important.
GDPR driving regulation
The European Union’s (EU) General Data Protection Regulation (GDPR) has been at the forefront of driving change in data protection for several years, but the EU is increasingly also seeking to shape the agenda in the wider digital and technology domain, across digital markets, emerging technologies, Artificial Intelligence, data governance and cyber security and resilience – particularly in critical national infrastructure.
As a fundamental norm-setter for data protection, GDPR has had an influence across the globe. At GDPR’s centre is the focus on data and the protection of the individual from poor or non-consensual management of their data by organisations, allowing the individual to take control of their information. It has been seen as a crucial foundational element on which to build further regulation. This contrasts with other regimes such as the Personal Information Protection Law in China. As with GDPR, it makes provisions for the individual’s control over their personal data. However, that individual control is only one part of a larger programme by the state and party to mitigate national security and social stability threats relating to that data.
Is data regulation a potential barrier to the technology ecosystem?
Data, together with its collection, storage and use, has become a critical asset in the modern world and is very much at the centre of geopolitical relations. Countries must now have a strategy and position themselves to remain competitive and not fall behind in this complex environment.
As a result, national security interests are increasingly driving regulation, particularly in the realm of protecting critical infrastructure. As we see these regulations come into force, new digital borders could be drawn, posing a fundamental challenge to the free-flowing, transnational nature of global business that organisations rely on. National security and data localisation drivers could recreate the boundaries that theoretically had been eroded by technology, with states looking to protect this highly prioritised asset.
The importance of data within a wider national security framework means organisations can no longer see the data they create and hold as exclusively belonging to them.
What are organisations experiencing?
With regulations transforming how organisations can use technology and handle information, the key question is, what does the new regulation mean for the data they hold? Not only is there a need to implement strong controls and processes to protect and manage data, but organisations must also develop robust governance and compliance functions to ensure controls meet changing requirements.
Multinational organisations face many complex compliance requirements in every region where they do business. Despite similarities across these regulations, there is also divergence. For example, incident reporting requirements can vary significantly, from the reporting threshold to the specific obligations that apply where personal data has been breached.
Many organisations may not in fact hold data that falls within the scope of a given regulation. However, unless processes are in place that enable them to classify that data, establish what the criteria are, and demonstrate that their data does not meet the definition of regulated data, organisations leave themselves exposed. Without an effective process, it is all too easy to get caught up in attempting to comply with a regulation that does not necessarily apply to your organisation.
The enforcement of regulations
Enforcement against breaches of personal data has matured since the introduction of GDPR. However, the level of enforcement varies significantly between countries, making compliance a real challenge for organisations operating under different regulatory frameworks.
Despite big breaches and big reactions, there has not yet been significant regulatory action, as regulators are conscious that organisations need time to implement and embed these new regulations, which does not happen overnight. This means there will be a lag before regulations take full effect, as companies adapt and as technology emerges.
Elements of cyber security regulation are also maturing, particularly in areas focused on critical infrastructure. As these elements fall into place – and depending on how current geopolitical relationships continue to strain and possibly fracture – this can become a growing priority for enforcement. The national security questions that policymakers have can all too easily be prioritised over the impact on businesses. High-profile breaches have included large technology companies holding tens of millions of people’s data, feeding into wider anti-monopoly concerns globally. These giants grew to be giants at a time when regulation in this space was light, but now that there is a greater national security focus, the risks involved in a potential breach could be seen as too great, leading to strong anti-monopoly regulation.
The future of the space for business
With the potential for such rapid growth and diversification of regulation globally, organisations are faced with uncertainty that will need to be navigated.
As COVID triggered renewed focus on the criticality of supply chains around the world, we may be heading towards a challenging future for technology and digital supply chains – and the organisations relying on them. Having started with the regulation and enforcement of personal information and data, regulators are now switching their focus to critical infrastructure, a focus increasingly prioritised due to growing geopolitical tensions and state-sponsored cyber activity.
Looking forward, the direction of technological development and business is towards greater mobility and the cloud. With this, cloud service providers are moving towards solutions that assist with compliance by storing personal data in-country, under the correct conditions to meet compliance requirements. The gap in this market for providing compliance and data hosting services to organisations is starting to be filled. This, however, is the easier part of the puzzle. The critical questions for organisations will be what data they are holding and what systems they are using to process it.
The key challenge facing organisations will be to stay ahead of the curve, adapt to the ever-changing legal and regulatory framework, and ensure that they are equipped to manage and respond to incidents impacting their data, assets and systems.