This is what increasing data protection laws mean for your company

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Nalneesh Gaur, Principal, Pharmaceutical and Life Sciences Cybersecurity, Privacy & Forensics Leader, PwC US

  • China brought in new data protection laws in 2022; several countries are set to do so in 2023, creating a patchwork of rules with which multinational companies must comply.
  • When navigating data protection laws, companies should understand that new legislation is cropping up worldwide; some of these have geopolitical underpinnings, while protecting intellectual property is a growing concern.
  • Companies’ response to strengthened data protections should encompass a broader view of whether entry into a market meets their wider strategic goals and own security.

China’s stringent 2022 data privacy regulations have many multinational organizations scrambling to comply or reorganize. But 2023 is expected to be a banner year for data protection as a number of countries are proposing or considering initiatives, including India, Brazil, Russia and possibly the United States, where individual states are creating a patchwork of rules.

The impacts – as China’s recent enforcement actions indicate – will likely extend beyond compliance, to geopolitical ramifications and protection of intellectual property (IP), among other concerns.

The regulations are emerging as companies, enabled partly by advances in artificial intelligence analytics, are finding more ways to use the data they collect: to operate more efficiently, manage their risks, enhance customer services, create and support new business models and more.

But unlocked data should be protected – something many businesses still struggle with. Half of the business leaders we surveyed around the world said they don’t feel confident in their organization’s data governance and security.

Data protection: What we’re seeing

The EU’s General Data Protection Regulation and the California Consumer Protection Act (CCPA) made waves when they appeared several years ago. (The CCPA was amended and expanded via the California Privacy Rights Act, taking effect on 1 January 2023.)

But multinational organizations now face a flood of disparate data protection and security laws from nations with competing interests. To navigate them successfully, you should begin planning now, taking into consideration several factors.

  • Proliferating regulations so far include China’s Data Security Law and the Cross-Border Data Transfer (CBDT) rule under its Personal Information Protection Law (PIPL). This rule already makes sending or accessing personal data across China’s borders potentially fraught. It requires passing a cybersecurity assessment by 1 March 2023, with penalties for non-compliance. India, Brazil and Russia are considering their own data protection laws as well.
  • Geopolitical agendas bubbling under the surface can complicate the picture for multinationals. Enforcement decisions may, at times, appear arbitrary as data becomes more important to economic competitiveness and national security (see graph).
  • IP is a growing concern, as companies worry that audits can expose sensitive information to competing eyes. Indeed, as fast-improving artificial intelligence analyzes the vast stores of data previously sitting in data lakes, this information becomes increasingly valuable to private enterprises and governments.

Why this matters for 2023

The regulatory focus on data, heightened in 2022, stands to rise to a fever pitch this year. The Cyberspace Administration of China recently released privacy certification requirements and India’s government published a draft of its data protection bill, which will likely come to a vote in 2023.

We expect to see more from both these countries and possibly data laws from Russia, Ukraine, Brazil, Japan and others.

“Multinational organizations should view data protection, privacy and cybersecurity rules in the larger context of nations asserting policies, diplomacy and other tools that favour their economic competitiveness.” — Nalneesh Gaur, Principal, Cybersecurity & Privacy, PwC US

Key strategic considerations

The right response to this trend goes beyond sharpening your compliance capabilities, as privacy has become about trust building.

Multinational organizations should view data protection, privacy and cybersecurity rules in the larger context of nations asserting policies, diplomacy and other tools that favour their economic competitiveness. To these nations, economic security is national security.

When confronted with a proposed data protection law, ask:

  • Do we want to continue doing business in that market at our current level or at all?
  • Is it a risk worth taking?
  • Do we want to reorganize our portfolio, shifting some or all of our focus to other markets?
  • Are we concerned that our IP may be vulnerable?
  • If so, how can we protect it?

Take action now to determine which markets are most important to your organization. Learn as much as possible about pending or proposed data privacy laws in those markets and develop a plan for preparing and responding.

If your company needs to localize its data handling, consider revising your business systems architecture to add process controls and segment your systems.

Your plan should be integrated and designed not just for cyber, tech and privacy functions but for the enterprise as a whole. Data governance, ownership and privacy in today’s climate are not just CISO (chief information security officer), CIO (chief information officer) or CCO (chief commercial officer) issues but matters that can carry significant business implications.

Protecting customer and business data and company IP requires a concerted effort and often a significant investment that needs executive management, board-level deliberation and buy-in.
