This is what increasing data protection laws mean for your company
Nalneesh Gaur
Principal, Pharmaceutical and Life Sciences Cybersecurity, Privacy & Forensics Leader, PwC US
- China brought in new data protection laws in 2022; several countries are set to do so in 2023, creating a patchwork of rules with which multinational companies must comply.
- When navigating data protection laws, companies should understand that new legislation is cropping up worldwide; some of it has geopolitical underpinnings, while protecting intellectual property is a growing concern.
- Companies' response to strengthened data protections should encompass a broader view of whether entry into a market meets their wider strategic goals and their own security.
China's stringent 2022 data privacy regulations have many multinational organizations scrambling to comply or reorganize. But 2023 is expected to be a banner year for data protection as a number of countries are proposing or considering initiatives, including India, Brazil, Russia and possibly the United States, where individual states are creating a patchwork of rules.
The impacts – as China's recent enforcement actions indicate – will likely extend beyond compliance, to geopolitical ramifications and protection of intellectual property (IP), among other concerns.
The regulations are emerging as companies, enabled partly by advances in artificial intelligence analytics, are finding more ways to use the data they collect: to operate more efficiently, manage their risks, enhance customer services, create and support new business models and more.
But unlocked data should be protected – something many businesses still struggle with. Half of the business leaders we surveyed around the world said they don't feel confident in their organization's data governance and security.
Data protection: What we're seeing
The EU's General Data Protection Regulation and the California Consumer Protection Act (CCPA) made waves when they appeared several years ago. (The CCPA was amended and expanded via the California Privacy Rights Act, taking effect on 1 January 2023.)
But multinational organizations now face a flood of disparate data protection and security laws from nations with competing interests. To navigate them successfully, you should begin planning now, taking into consideration several factors.
- Proliferating regulations so far include China's Data Security Law and the Cross-Border Data Transfer (CBDT) rule under its Personal Information Protection Law (PIPL). This rule already makes sending or accessing personal data across China's borders potentially fraught. It requires passing a cybersecurity assessment by 1 March 2023, with penalties for non-compliance. India, Brazil and Russia are considering their own data protection laws as well.
- Geopolitical agendas bubbling under the surface can complicate the picture for multinationals. Enforcement decisions may, at times, appear arbitrary as data becomes more important to economic competitiveness and national security (see graph).
- IP is a growing concern, as companies worry that audits can expose sensitive information to competing eyes. Indeed, as fast-improving artificial intelligence analyzes the vast stores of data previously sitting in data lakes, this information becomes increasingly valuable to private enterprises and governments.
Why this matters for 2023
The regulatory focus on data, heightened in 2022, stands to rise to a fever pitch this year. The Cyberspace Administration of China recently released privacy certification requirements, and India's government published a draft of its data protection bill, which will likely come to a vote in 2023.
We expect to see more from both these countries and possibly data laws from Russia, Ukraine, Brazil, Japan and others.
Key strategic considerations
The right response to this trend goes beyond sharpening your compliance capabilities, as privacy has become about trust building.
Multinational organizations should view data protection, privacy and cybersecurity rules in the larger context of nations asserting policies, diplomacy and other tools that favour their economic competitiveness. To these nations, economic security is national security.
When confronted with a proposed data protection law, ask:
- Do we want to continue doing business in that market at our current level or at all?
- Is it a risk worth taking?
- Do we want to reorganize our portfolio, shifting some or all of our focus to other markets?
- Are we concerned that our IP may be vulnerable?
- If so, how can we protect it?
Take action now to determine which markets are most important to your organization. Learn as much as possible about pending or proposed data privacy laws in those markets and develop a plan for preparing and responding.
If your company needs to localize its data handling, consider revising your business systems architecture to add process controls and segment your systems.
Your plan should be integrated and designed not just for cyber, tech and privacy functions but for the enterprise as a whole. Data governance, ownership and privacy in today's climate are not just CISO (chief information security officer), CIO (chief information officer) or CCO (chief commercial officer) issues but matters that can carry significant business implications.
Protecting customer and business data and company IP requires a concerted effort and often a significant investment that needs executive management, board-level deliberation and buy-in.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.