New data regulation in business, such as the GDPR and the CCPA, can be interpreted by businesses in two ways.
The differences between the laws could be criticised for a lack of consistency, with the CCPA going further in terms of companies’ responsibility to be transparent, for example. Different terminology and definitions cause confusion, and businesses often comply perfectly with one law but not another.
However, the laws could provide an important legislative basis for businesses to work from, making it possible for companies to adapt before more laws of this kind are introduced.
As the trend in this type of regulation continues, we asked business leaders whether they think regulation will be good or bad for business.
The good
Consistency and a solid foundation of legislative guidance are the positives pointed out by Tim Sadler, CEO of Tessian.
He sees laws like the GDPR and the CCPA as stepping stones that get businesses building better and more secure internal data collection infrastructure.
“Regulations like GDPR and CCPA have provided much-needed consistency when it comes to the protection of data. It’s led to an important exercise in data mapping and understanding how data is protected and how it flows in and out of an organisation. It’s also ensured that individuals take responsibility and ownership of the issue internally.”
Sophie Chase-Borthwick, director of Privacy Services and Data Ethics at Calligo, says that improving the security of data is crucial. She stresses the ancillary benefits that companies will gain if they integrate privacy protocols as a matter of course.
“While the requirements of GDPR and more recently CCPA have been seen as a potential bugbear by many business leaders, it’s clear the benefits of becoming a more data mature business outweigh any so-called “expense” of effort to put privacy adherence measures in place.
“Data privacy impacts data handling throughout entire organisations, meaning every business process comes under scope. Therefore, working to inject greater rigour and governance into data processes – i.e. taking a ‘Privacy by Design’ approach — will give businesses such visibility of their data that ancillary benefits cannot fail to follow.”
Chase-Borthwick also makes it clear that a voluntary and reciprocal relationship with data sources, such as consumers and visitors to websites, will win companies more credibility, improving their reputations.
“Marketing professionals for example could be forgiven for thinking that data privacy regulation is enough to make them refocus their entire marketing strategy,” she says.
“However, a more thorough understanding of the data capture processes and the subjects’ rights and permissions, and the limitations that this may pose to ongoing communications, encourages marketers to work harder on targeting and on producing high-quality campaigns that secure voluntary, deliberate engagement and audience buy-in, which itself brings clear commercial benefits.”
This is potentially the biggest opportunity this regulation opens up for businesses: a chance to connect with the consumer, which repeated studies have shown to be crucial for business success, by actually understanding the value of consumer data and collaborating with the consumer to get the most out of it.
Finally, Chase-Borthwick discusses the beneficial aspects that adherence to regulations can have for internal business structures.
“Similarly, development teams benefit as privacy is placed at the beginning of projects, and not permitted – as is usually the case — to be retrospectively added at the end of the timeline. The latter approach almost guarantees that privacy becomes a “business blocker” as benefits are curtailed and objectives are made impossible to meet. Place it at the beginning of the process, and ethical workarounds can and will be found that still allow the project to be a success.”
The bad
Joe McManus, director of security and robotics at Canonical, takes issue with how the regulation is being enforced, stating that there is not enough clarity and that enforcement is not nearly as consistent as it should be.
“Regulation is only as good as the ability and willingness to enforce it. Take the recent IoT legislation from the Department for Digital, Culture, Media and Sport, which seeks to safeguard consumers against connected devices, and yet the recommendations are still voluntary. As the race to get everything internet connected continues companies are taking shortcuts and not considering security when building IoT devices.”
He also sees the differentiated and decentralised nature of global regulation as a potentially growing problem for businesses.
“Add to this the fragmented nature of regulation, with individual countries developing their own laws, and a lack of standardisation is bound to create contention. Vast numbers of IoT products are developed outside of a legislation’s geography, meaning individual security risks are harder to track and police. If manufacturers struggle to keep pace with regulation from every corner, then security threats could well increase over time.”
In McManus’ eyes, the convolution of legislation could actually engender more security issues, while companies navigating this kind of legislation will struggle to keep up with the ever-evolving stipulations and requirements.
With the possible saturation of legislation like the GDPR and the CCPA, of which the New York Privacy Act (NYPA) and the California Consumer Privacy Act 2.0 are the most potent examples, smaller data collection companies might struggle to find the resources required to meet the increasing demands placed on them.
The ugly
Some requirements placed on companies by the CCPA are not stipulated in the GDPR. Sadler summarises this inconvenient inconsistency.
“Compliance is not without its challenges, though. Namely, while organisations may be compliant with the GDPR, they are not automatically compliant with CCPA. GDPR, for example, requires that companies gain consent for gathering certain data and communicate how it may be used,” he explains.
“The CCPA goes further; companies must create a channel for consumers to request information about what data is collected and how it is being used. Companies must also notify consumers when their personal data is sold to a third party. Businesses must understand the specific measures that need to be taken.”
The NYPA may go further still, and might contain even harsher provisions for businesses that fail to meet its standards.
This could cause serious issues for medium-sized companies that don’t have the resources of large multinationals but still operate in areas where three different laws of varying severity and rigour exist.