Data privacy regulations are here to stay, and the way companies comply with these regulations will become a point of competitive differentiation. To become and stay compliant, companies must keep track of the regulations being created and enforced around the world and understand the similarities and differences between those regulations. This is a sizable topic with many levels of detail, as regulations vary from place to place. But it’s worth having a bird’s-eye view of what companies need to be on the lookout for now, and in the future, as the number of regulations will only increase over time.
The most notable data privacy regulation that has gone into effect during the past few years is certainly the General Data Protection Regulation (GDPR) of the European Union’s 28 member countries. GDPR came out of a recognition by EU nations and the businesses attempting to operate in them of the need for a unified set of policies to govern data protection and usage across the continent.
The legislation arose in part because of the myriad ways in which European countries handled data protection in the past. Previously, EU members operated within the EU Data Privacy Directive. But as the name implied, it was just that—a directive—and not a set of regulations. That led to a wide variety of practices, policies, laws, and requirements across Europe (and sometimes even within a single country), which made it nearly impossible for businesses to function efficiently while trying to understand the varying standards in each place of operation.
GDPR replaced this directive with a set of laws that all countries and companies operating within Europe had to follow. Historically, businesses have viewed additional regulations as an obstacle. However, in this case, businesses see the clear benefits of having a level playing field and predictability in terms of standards across the EU. Additionally, with GDPR, all EU citizens know exactly what to expect in terms of how companies must protect their data, regardless of where they live.
GDPR focuses on six key areas, but the main takeaway is that GDPR is a law that centers on how businesses handle the personal data of consumers, rather than a law that centers on how nation-states manage it. Companies are required to be conscious and mindful of the actions they take with personal consumer data. They also have a responsibility to comply with the six tenets of the law or risk severe penalties. Those six tenets are centered on the rights of an individual to maintain his or her privacy and include:
What’s fascinating about GDPR in comparison to the data protection regulations recently passed by California is that it focuses on protecting data and individuals from inappropriate behavior by companies but does not mention governments. This showcases the cultural differences between the U.S. and Europe, as GDPR does not address how European governments must manage their citizens’ data.
California’s Consumer Privacy Act (CCPA) is a data protection regulation passed in 2018 that takes effect in January 2020. California’s law builds on GDPR but places some additional and specific restrictions on the way governments and businesses can use an individual’s data.
In CCPA, the individual as a consumer is the central focus of the law. CCPA places controls around the commercial use of personal data. Like GDPR, the California law has six core principles, allowing citizens:
CCPA also limits how much revenue large companies can generate by selling consumer data and information.
Ultimately, then, California’s law is about the rights of the individual as a consumer with regard to their data and information, whereas GDPR is about controlling what companies can do with that information.
Though these are the most noteworthy of the data protection laws that have gone into place recently, they will almost certainly not be the last. For instance, Canada currently operates under the Personal Information Protection and Electronic Documents Act, which, similar to the EU’s former directive, allows individual Canadian provinces to decide how they will protect individual and consumer data. Given the difficulties of operating in such a disjointed regulatory environment, it is likely that Canada will enact a broader national law in the future.
The same is true for the U.S. as a whole, as Congress is now considering whether to put forward a federal law that would override the rights of states to implement their own regulations on a state-by-state basis. Again, businesses may actually advocate for national legislation rather than face the challenge of having to navigate differing state laws.
Ultimately, companies have to recognize that they are operating in a new landscape in which consumers have to be careful with whom they share their own data and businesses have to be more cognizant of how they manage, store, handle, and protect customer data. Data is the new currency, and it will likely lead to competition among countries and businesses to show who is most committed to protecting their citizens’ and consumers’ privacy.
Read the Zscaler Statement on GDPR compliance and data protection.
Stan Lowe is the Zscaler Global CISO and Bil Harmer is Zscaler CISO for the Americas