A new year is upon us, and with it will come major changes in how organizations handle personal data. Of course, this is not the first time we’ve seen significant changes:
- 2018 brought enormous changes to Europe as the General Data Protection Regulation (GDPR) became effective;
- 2020 brought major changes to the U.S. as the California Consumer Privacy Act became effective; and
- 2021 ushered in massive change in China with the introduction of the Personal Information Privacy Law and the Cyber Security Law.
This year will also be a year of change, as multiple jurisdictions implement new laws governing personal data, automation, and digital commerce. In the U.S., Canada, and Europe, strict new laws will significantly increase the level of existing regulation, and many people will gain new legal rights that they have never before had.
Rather than list all of the many new personal data protection laws coming into effect in 2023, I would like to offer some high-level thoughts about personal data risk in 2023 that organizations should consider:
- Overall, privacy risk is trending strongly upwards, as a result of more complex and strict privacy laws. Accordingly, past experience is a poor indicator of future results. The likelihood and severity of a privacy violation cannot be predicted using historical data alone. Therefore, many common risk quantification models will be insufficient to predict privacy risk.
- It is becoming more difficult to assess risk globally. Fines and settlements are based on a variety of factors that differ from jurisdiction to jurisdiction. An activity can be lower risk in one jurisdiction and higher risk in another. Global organizations need to understand the risk environment in every country in which they operate. In the past, it may have been acceptable to simply apply GDPR as a global standard, but it is probably not wise to take such a simplified approach in the future.
- Many jurisdictions utilize an enforcement model focused on…
EU court lowers requirements for imposing fines for data protection breaches
The European Court of Justice issued a landmark ruling on Tuesday (5 December) that is set…