
This is what increasing data protection laws mean for your company

Your company's response to new data protection rules should look at the enterprise as a whole. Image: Unsplash/Towfiqu Barbhuiya

Nalneesh Gaur
Principal, Pharmaceutical and Life Sciences Cybersecurity, Privacy & Forensics Leader, PwC US
This article is part of: Centre for Cybersecurity

  • China brought in new data protection laws in 2022; several countries are set to do so in 2023, creating a patchwork of rules with which multinational companies must comply.
  • When navigating data protection laws, companies should understand that new legislation is cropping up worldwide; some of it has geopolitical underpinnings, while protecting intellectual property is a growing concern.
  • Companies' response to strengthened data protections should encompass a broader view of whether entry into a market meets their wider strategic goals and their own security.

China's stringent 2022 data privacy regulations have many multinational organizations scrambling to comply or reorganize. But 2023 is expected to be a banner year for data protection as a number of countries are proposing or considering initiatives, including India, Brazil, Russia and possibly the United States, where individual states are creating a patchwork of rules.

The impacts – as China's recent enforcement actions indicate – will likely extend beyond compliance, to geopolitical ramifications and protection of intellectual property (IP), among other concerns.

The regulations are emerging as companies, enabled partly by advances in artificial intelligence analytics, are finding more ways to use the data they collect: to operate more efficiently, manage their risks, enhance customer services, create and support new business models and more.

But unlocked data should be protected – something many businesses still struggle with. Half of the business leaders we surveyed around the world said they don't feel confident in their organization's data governance and security.

Data protection: What we're seeing

The EU's General Data Protection Regulation and the California Consumer Protection Act (CCPA) made waves when they appeared several years ago. (The CCPA was amended and expanded via the California Privacy Rights Act, taking effect on 1 January 2023.)

But multinational organizations now face a flood of disparate data protection and security laws from nations with competing interests. To navigate them successfully, you should begin planning now, taking into consideration several factors.

  • Proliferating regulations so far include China's Data Security Law and the Cross-Border Data Transfer (CBDT) rule under its Personal Information Protection Law (PIPL). This rule already makes sending or accessing personal data across China's borders potentially fraught. It requires passing a cybersecurity assessment by 1 March 2023, with penalties for non-compliance. India, Brazil and Russia are considering their own data protection laws as well.
  • Geopolitical agendas bubbling under the surface can complicate the picture for multinationals. Enforcement decisions may, at times, appear arbitrary as data becomes more important to economic competitiveness and national security (see graph).
  • IP is a growing concern, as companies worry that audits can expose sensitive information to competing eyes. Indeed, as fast-improving artificial intelligence analyzes the vast stores of data previously sitting in data lakes, this information becomes increasingly valuable to private enterprises and governments.
How companies are responding to data protection and risk of exposure to geopolitical conflict. Image: PwC

Why this matters for 2023

The regulatory focus on data, heightened in 2022, stands to rise to a fever pitch this year. The Cyberspace Administration of China recently released privacy certification requirements, and India's government published a draft of its data protection bill, which will likely come to a vote in 2023.

We expect to see more from both these countries and possibly data laws from Russia, Ukraine, Brazil, Japan and others.

Key strategic considerations

The right response to this trend goes beyond sharpening your compliance capabilities, because privacy has become a matter of building trust.

Multinational organizations should view data protection, privacy and cybersecurity rules in the larger context of nations asserting policies, diplomacy and other tools that favour their economic competitiveness. To these nations, economic security is national security.

When confronted with a proposed data protection law, ask:

  • Do we want to continue doing business in that market at our current level or at all?
  • Is it a risk worth taking?
  • Do we want to reorganize our portfolio, shifting some or all of our focus to other markets?
  • Are we concerned that our IP may be vulnerable?
  • If so, how can we protect it?

Take action now to determine which markets are most important to your organization. Learn as much as possible about pending or proposed data privacy laws in those markets and develop a plan for preparing and responding.

If your company needs to localize its data handling, consider revising your business systems architecture to add process controls and segment your systems.

Your plan should be integrated and designed not just for cyber, tech and privacy functions but for the enterprise as a whole. Data governance, ownership and privacy in today's climate are not just CISO (chief information security officer), CIO (chief information officer) or CCO (chief commercial officer) issues but matters that can carry significant business implications.

Protecting customer and business data and company IP requires a concerted effort and often a significant investment that needs executive management, board-level deliberation and buy-in.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
