This is what increasing data protection laws mean for your company

China's stringent 2022 data privacy regulations have many multinational organizations scrambling to comply or reorganize. But 2023 is expected to be a banner year for data protection as a number of countries are proposing or considering initiatives, including India, Brazil, Russia and possibly the United States, where individual states are creating a patchwork of rules.

The impacts – as China's recent enforcement actions indicate – will likely extend beyond compliance, to geopolitical ramifications and protection of intellectual property (IP), among other concerns.

The regulations are emerging as companies, enabled partly by advances in artificial intelligence analytics, are finding more ways to use the data they collect: to operate more efficiently, manage their risks, enhance customer services, create and support new business models and more.

But unlocked data should be protected – something many businesses still struggle with. Half of the business leaders we surveyed around the world said they don't feel confident in their organization's data governance and security.

The EU's General Data Protection Regulation and the California Consumer Protection Act (CCPA) made waves when they appeared several years ago. (The CCPA was amended and expanded via the California Privacy Rights Act, taking effect on 1 January 2023.)

But multinational organizations now face a flood of disparate data protection and security laws from nations with competing interests. To navigate them successfully, you should begin planning now, taking into consideration several factors.

The regulatory focus on data, heightened in 2022, stands to rise to a fevered pitch this year. The Cyberspace Administration of China recently released privacy certification requirements and India's government published a draft of its data protection bill, which will likely come to a vote in 2023.

We expect to see more from both these countries and possibly data laws from Russia, Ukraine, Brazil, Japan and others.

The right response to this trend goes beyond sharpening your compliance capabilities, as privacy has become about trust building.

Multinational organizations should view data protection, privacy and cybersecurity rules in the larger context of nations asserting policies, diplomacy and other tools that favour their economic competitiveness. To these nations, economic security is national security.

When confronted with a proposed data protection law, ask:

Take action now to determine which markets are most important to your organization. Learn as much as possible about pending or proposed data privacy laws in those markets and develop a plan for preparing and responding.

If your company needs to localize its data handling, consider revising your business systems architecture to add process controls and segment your systems.

Your plan should be integrated and designed not just for cyber, tech and privacy functions but for the enterprise as a whole. Data governance, ownership and privacy in today's climate are not just CISO (chief information security officer), CIO (chief information officer) or CCO (chief commercial officer) issues but matters that can carry significant business implications.

Protecting customer and business data and company IP requires a concerted effort and often a significant investment that needs executive management, board-level deliberation and buy-in.