Data Protection and Privacy Regulations - Impact on Business
Published on October 4, 2019

Sohail Munir
Advisor for Emerging Technologies and Digital Transformation at Smart Dubai (Dubai Digital Authority) | Thought Leader in Blockchain in Government, Digital Identity, GovTech, & GovTech | Active Research in AIOps & DevOps

Introduction

In today's economy the most valuable asset an enterprise holds, whether it is a brick-and-mortar company, a digital commerce provider, a cloud service provider, a telco, an FMCG firm or even a government, is the data of its customers and constituents. As the British mathematician Clive Humby famously put it: "Data is the new oil." Immensely lucrative business models have grown up around data and changed how business is done and how governments serve their constituents; at the same time, serious concerns have been raised about security and privacy, and about the power that the Big Tech platforms (Google, Amazon, Facebook and Apple, collectively GAFA, or China's Alibaba) wield over the world economy through their dominance of the data economy. Every action we take generates data. Personal data is used to tailor services to the individual, while large aggregated and anonymised datasets feed AI, machine learning and analytics systems that produce rich insights which can serve societal needs or more sinister purposes, such as steering public opinion (as US investigators have alleged of Russian interference in the 2016 US election).

Data Privacy Regulations

There is clearly a need for government oversight of how data is gathered and handled, so that this asset can benefit society while individuals are protected. To that end almost all jurisdictions have laws and regulatory frameworks in place addressing data privacy and protection. The European Union had the Data Protection Directive (DPD, Directive 95/46/EC) from 1995 on the protection of individuals with regard to the processing of personal data. As a directive it had to be transposed into national law by each member state, for example the Data Protection Acts (DPA) of the UK, the Netherlands and Spain. Australia, Dubai, Hong Kong, Japan and Singapore respectively have the breach-notification scheme this article labels Australia's Notification Law (ANL), the Dubai Data Law (DDL), the Personal Data (Privacy) Ordinance (PDPO), the Act on the Protection of Personal Information (APPI) and the Personal Data Protection Act (PDPA). China has a set of laws with far-reaching implications for data privacy and data security, the most significant being the Cybersecurity Law (CSL), in force since June 2017, which regulates not only enterprise data security but also online speech and behaviour deemed a threat to the Chinese state. In the US, by contrast, there is no single comprehensive law on the handling of personal data. Sectoral federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act (FTC Act) and the Gramm-Leach-Bliley Act (GLB Act), standards such as NIST SP 800-171 (a standard rather than a law, imposed on federal contractors by contract), and state laws such as California's Electronic Communications Privacy Act, New York's General Business Law Article 39-F and State Technology Law Article 2 together form the patchwork, largely self-regulatory framework that the industry complies with.

A good example of self-regulation is Privacy by Design (PbD), which is changing how digital services are built by putting privacy at their core; under GDPR Article 25 ("data protection by design and by default") it is no longer merely voluntary but a legal obligation.

In addition, transatlantic transfers of personal data to self-certified US companies were governed by the EU-US Privacy Shield Framework. It is expected that NIST's Cybersecurity Framework (CSF) will play a major role in the evolution of a US regulatory regime for data privacy and protection, and implicitly in the rest of the world. The biggest impact so far, however, has come from the EU's General Data Protection Regulation (GDPR), which has applied since 25 May 2018. Although it is an EU law designed to harmonise data protection across Europe and strengthen the rights of people in the EU, it reaches any organisation, wherever domiciled, that offers goods or services to people in the EU or monitors their behaviour. Today it is arguably the single most impactful regulation affecting technology and non-technology businesses alike in the EU, the US and the rest of the world.

The challenge for businesses is that they do not face one set of regulatory requirements or a static regime, but multiple complex, often contradictory and ever-evolving laws and regulations across multiple jurisdictions.

Impact of GDPR

The EU's GDPR, applicable since 25 May 2018, sets strict rules for the lawful use of personal data, gives individuals far stronger control over their data and imposes heavy fines for misuse, for which both the data controller and the data processor can be held responsible. Under Article 83 an organisation that breaches the regulation can be fined up to 4% of annual worldwide turnover or €20 million, whichever is greater. This upper tier applies to the most serious violations, including infringement of the six Article 5 principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality) or processing without a lawful basis. Penalties are graded: a lower tier of infringements attracts fines of up to 2% of annual worldwide turnover or €10 million, for example failing to keep records of processing, failing to notify the supervisory authority and the data subject of a breach, or failing to carry out a data protection impact assessment (DPIA). The rules bind processors as well as controllers, so a cloud provider hosting personal data on a customer's behalf is directly within scope of enforcement.

Even though GDPR is an EU regulation, it applies to any business, EU- or non-EU-domiciled, that offers goods or services to people in the EU or monitors their behaviour (Article 3). Coverage follows the data subject's location, not citizenship: an EU citizen living outside the EU is not covered on that basis, whereas a non-EU national living in the EU is.

The rules cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, online identifiers such as IP addresses and cookies, biometric data, and more. In the words of Facebook COO Sheryl Sandberg, "The law will affect almost everyone [because businesses] all use data to improve their services." Speaking of Facebook: had the Cambridge Analytica scandal, in which millions of Facebook profiles were harvested without users' knowledge or explicit consent, occurred after 25 May 2018, the EU could have fined Facebook more than $1.5 billion (4% of its global revenue). Ernst & Young estimates the cost of GDPR compliance for the world's 500 biggest corporations at $7.8 billion, covering software that controls data access and produces audit trails, and the appointment of Data Protection Officers. More importantly, companies have to change how they collect and handle data. They must be able to demonstrate compliance (accountability), may collect only the minimum data needed to provide the service (data minimisation) and may not keep it longer than that service requires (storage limitation). They have to implement PbD in letter and spirit, honour the right to erasure (the "right to be forgotten"), and report personal data breaches to the supervisory authority, where feasible within 72 hours of becoming aware of them (Article 33), and to the affected individuals where the breach is likely to result in a high risk to them (Article 34).

Dealing with Regulation and Compliance

Globally, regulations are evolving rapidly, exposing businesses to the risk of non-compliance and significantly raising the cost of doing business. Several frameworks have been developed to help business leaders navigate this regulatory maze. Gartner's Data Security Governance Framework provides an approach to assessing and governing the security and privacy requirements for the data an organisation gathers. Gartner suggests four steps:

1. Identify and prioritize what data is impacted by data privacy and compliance requirements

2. Develop data protection impact assessments and execute these periodically in close collaboration with business
stakeholders

3. Ensure technology controls are identified to mitigate risk to an acceptable level

4. Frequently review the adequacy of the technology stack to reflect the business risk of the regulatory management
program

Value of Regulation and Compliance

While many argue that regulatory regimes are costly and hinder progress, strong data protection is a critical enabler of the digital economy. Customers are willing to share more data and transact digitally once they trust the system, so regulations like GDPR should, in the long run, boost digital business globally.

GDPR pushes businesses to enable cross-border digital transactions, optimise their data-handling practices and technology, and build strong digital capabilities, such as adopting sophisticated customer master data management, and to accelerate investment in emerging technologies like blockchain and AI to evolve new, optimal and compliant business models, while at the same time protecting the individual.

Summary of Referenced Laws, Regulations and Standards

ANL Australia's Notification Law is this article's label for the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, in effect since 22 February 2018. Organisations covered by the Act (in general those with annual turnover above AUD 3 million) must notify the Office of the Australian Information Commissioner and the affected individuals of an eligible data breach, that is, one likely to result in serious harm.

APPI Japan's Act on the Protection of Personal Information, as amended with effect from 30 May 2017, tightens consent requirements, in particular for sensitive personal information and for providing personal data to third parties.

CSF The Cybersecurity Framework is a voluntary, risk-based standard developed by NIST that can serve organisations as a foundation for future cybersecurity regulation. Rather than a compliance checklist, it asks organisations to assess and treat risk, an outcome-based approach that GDPR's risk-based obligations share.

CSL China's Cybersecurity Law has been in force since 1 June 2017 and regulates not only enterprise data security but also online speech and behaviour deemed a threat to the Chinese state.

DDL Dubai Data Law (Dubai Law No. 26 of 2015 regulating data dissemination and exchange) is a comprehensive law addressing data policies, classification, compliance and an open data framework.

DPA Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp) was the Netherlands' transposition of the EU DPD; it was superseded on 25 May 2018 by GDPR together with the Dutch GDPR Implementation Act (UAVG).

DPA Data Protection Act (UK) was enacted in 1998 and replaced by the Data Protection Act 2018. It controls how personal information is used by organisations, businesses and the government. Everyone responsible for using data has to follow strict rules called the data protection principles: information must be used fairly and lawfully; used for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is necessary; handled according to people's data protection rights; kept safe and secure; and not transferred outside the European Economic Area without adequate protection. The 2018 Act supplements and tailors GDPR in UK law; after Brexit, GDPR was retained in domestic law as the "UK GDPR" alongside the DPA 2018, so GDPR's obligations and penalties continue to apply to UK businesses.

DPA Data Protection Act (Spain), Organic Law 15/1999, protected individuals with regard to the processing of personal data and the free movement of such data. It required public and private data controllers to register their filing systems with the General Data Protection Registry kept by the Spanish Data Protection Agency (AEPD). This is one example of a compliance requirement that fell away when GDPR took effect across the EU, since GDPR replaces registration with internal records of processing (Article 30); the 1999 law was itself replaced by Organic Law 3/2018 in December 2018.

EU DPD EU Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the
processing of personal data and on the free movement of such data was a European Union directive adopted in 1995
which has been superseded by GDPR.

FTC Act US Federal Trade Commission Act is a federal consumer protection law that prohibits unfair or
deceptive practices and has been applied to offline and online privacy and data security policies.

GLB Act US Gramm-Leach-Bliley Act regulates the collection, use, and disclosure of financial information. It
can apply broadly to financial institutions such as banks, securities firms, and insurance companies, and to other
businesses that provide financial services and products. GLB limits the disclosure of non-public personal information,
and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for data
subjects to opt-out of having their information shared.

GDPR General Data Protection Regulation (Regulation (EU) 2016/679) on data privacy and protection was adopted by the European Parliament in April 2016, entered into force on 24 May 2016 and has applied since 25 May 2018.

HIPAA The US Health Insurance Portability and Accountability Act regulates protected health information. It applies to covered entities (health care providers, health plans and clearinghouses, including pharmacies) and to the business associates that handle such information on their behalf. Its rules cover the privacy of individually identifiable health information, the security of electronic protected health information, electronic transactions, and breach notification for healthcare data.

NIST SP 800-171 is a Special Publication from the National Institute of Standards and Technology on protecting Controlled Unclassified Information (CUI) in non-federal information systems and organisations; it is a standard rather than a law, applied to contractors through contract clauses.

OTT Over The Top refers to services such as streaming media, online gaming, messaging, telephony and targeted advertising delivered by content providers over the internet, bypassing the underlying telecom operator's own services.

PbD Privacy by Design, developed by Ann Cavoukian and now internationally recognised (and, under GDPR Article 25, a legal obligation), is a framework under which privacy is embedded in the design, operation and management of technology, networks and infrastructure. It calls for restricting the data collected by applications and devices to what is necessary for their purpose; encrypting data by default; de-identifying personal data; embedding privacy settings and notices in user-friendly ways; and reducing data retention times.
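Three of the controls listed in this entry (collecting only what is needed, de-identifying personal data, and enforcing a retention period) applied to a constructed customer record, as an added example written for this page rather than code from the article or from any PbD standard. The field names, the 180-day retention period and the use of HMAC-SHA256 as the de-identification technique are assumptions:

```python
"""Privacy-by-Design controls over a constructed customer record.

Added example written for this page; it is not code from the article or
from any PbD standard. Field names, the retention period and the choice of
HMAC-SHA256 as the de-identification technique are assumptions."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: the only fields the service actually needs.
ALLOWED_FIELDS = {"customer_id", "email", "country", "last_order_at"}
# Assumption: fields that identify a person directly; they are replaced by
# pseudonyms before the record leaves the system of record.
DIRECT_IDENTIFIERS = {"customer_id", "email"}
# Assumption: a record is kept for 180 days after the customer's last order.
RETENTION = timedelta(days=180)


def minimise(record):
    """Data minimisation: keep only allowed fields, so the rest is never stored."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def pseudonymise(record, key):
    """De-identification: replace direct identifiers with HMAC-SHA256 tokens.

    A keyed hash rather than a plain SHA-256 is used so that someone holding
    the tokens but not the key cannot confirm a guess (e.g. hash a list of
    known e-mail addresses and look for matches). The key must be stored
    separately from the pseudonymised data and access to it controlled."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            mac = hmac.new(key, str(out[field]).encode("utf-8"), hashlib.sha256)
            out[field] = mac.hexdigest()[:32]  # 128-bit token is ample
    return out


def retention_expired(record, now):
    """Storage limitation: True once the record is older than RETENTION.

    A record with no last-order timestamp has no basis for being kept."""
    stamp = record.get("last_order_at")
    if stamp is None:
        return True
    return now - datetime.fromisoformat(stamp) > RETENTION


def process(records, key, now):
    """Apply all three controls; returns what downstream analytics may see."""
    kept = []
    for rec in records:
        rec = minimise(rec)
        if retention_expired(rec, now):
            continue  # expired records are dropped, not forwarded
        kept.append(pseudonymise(rec, key))
    return kept


# Constructed sample input (no real customers); the first record carries
# fields the service has no need for and which must never be stored.
SAMPLE = [
    {"customer_id": 1001, "email": "alice@example.com", "country": "NL",
     "religion": "n/a", "card_number": "4111111111111111",
     "last_order_at": "2019-09-20T10:00:00+00:00"},
    {"customer_id": 1002, "email": "bob@example.com", "country": "DE",
     "last_order_at": "2018-12-01T10:00:00+00:00"},
]
KEY = b"assumed-pseudonymisation-key-held-outside-the-dataset"
NOW = datetime(2019, 10, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in process(SAMPLE, KEY, NOW):
        print(row)
```

Minimisation runs before anything else so the unneeded fields are discarded at the point of collection rather than filtered out later, and the expired record is dropped rather than pseudonymised and forwarded, since a pseudonymised record is still personal data under GDPR as long as the key exists. Keyed hashing is a pseudonymisation technique, not anonymisation: whoever holds the key can still link tokens back to individuals, which is exactly what lets the controller honour an erasure request while keeping analytics data unlinkable for everyone else.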

PDPA Personal Data Protection Act (PDPA) of Singapore was enacted in 2012 and came into force with the formation of the Personal Data Protection Commission (PDPC) on 2 January 2013; it regulates the collection, use and disclosure of personal data by organisations, and it provides individuals.

PDPO Personal Data (Privacy) Ordinance has been in force in Hong Kong since 1996 and regulates the collection, use and handling of personal data by data users.

Privacy Shield The EU-US Privacy Shield Framework was established by the European Commission and the US Department of Commerce to facilitate transatlantic transfers of personal data for commercial purposes. US organisations could self-certify their adherence to its privacy principles, which gave EU exporters a lawful basis for transferring personal data to them. It omitted several GDPR requirements, including the right to erasure. In July 2020 the Court of Justice of the EU invalidated Privacy Shield (Schrems II), so it can no longer be relied on as a transfer mechanism.
