
Data and compliance wait for no business – especially when facing increasing international regulations

By David Pinto, Business Development Director, Solidatus

It may have slipped by without much mention given the obvious focus of the pandemic throughout the last six months, but two major new data regulations have recently, and quietly, come into force.

Both California and Brazil have brought in new GDPR-like legislation, which increases the regulatory burden for international businesses that need to keep a tight grip on their international data compliance. Or does it?

There was a time not too long ago when global financial organisations would have appointed consultants to ensure their business-wide compliance on issues such as this, usually at great cost, and with a lengthy time commitment.

Many such organisations have been through a comparable process of compliance very recently, with the introduction of GDPR just two years ago. A PwC report around its introduction suggested that over three-quarters (77%) of businesses were projecting to spend over $1m on their compliance, and nearly one in ten businesses (9%) were planning on spending over $10m.[1] You can imagine the concern at the thought of spending that time and time again for the rollout of other legislation like CCPA or the LGPD. And yet, with potential fines so high, many may have considered those costs acceptable given the alternatives.

This ‘repeat process’ mindset ignores a glaring truth – that a business might already be completely GDPR compliant, but there will inevitably be certain specific areas of data management and regulation they still need to enhance to also be in line with CCPA, LGPD, or any other future data protection legislation which may come their way. LGPD enforcement starts from summer 2021[2], while letters on noncompliance for CCPA have already been sent[3]. This is a question which businesses need to answer, and quickly.

To solve this issue, the business needs to examine its existing levels of confidence when it comes to interpreting regulations into privacy requirements. This in turn is reliant on how successfully metadata is being tracked across the organisation. Only once a solid process is in place can the business then map the latest regulations against the new entrants and identify gaps in compliance. If this has already been done for GDPR, the good news is that costs should be significantly reduced for future privacy regulations.

However, there are of course additional complexities which should be recognised with the new regulations, such as specific obligations between countries. In the same way that GDPR covers data held and processed about EU individuals anywhere in the world, LGPD applies to data held on Brazilian individuals, irrespective of where in the world information is processed. That means EU entities now need to know where Brazilian individuals’ data is being used. And a US entity will need to know about both – where information is held and where the subjects are located. Regulations are building a web of dependencies on knowing where people are from, where processing is taking place, and for what reason. This all requires a thorough understanding of data embedded throughout the organisation, and a solid method of keeping track of all privacy-related metadata.

The CCPA takes this complexity down yet another layer – from a national specificity down to a particular State’s residents and businesses operating in that region. It also sets down a different criterion for being able to use that data – whereas GDPR rests on prior consent, CCPA brings in a right to opt-out, which makes it much more critical that businesses have the latest information at their fingertips since this permission could be withdrawn at any point and lead to organisation-wide compliance gaps.

This is where effective and adaptable metadata management comes in. By way of example, a significant benefit of our own flexible underlying model is that it promotes modelling of all relationships, including those which might be outside traditional data management and governance, such as regulations and policies. Putting all this together with systems, processes and data flows shows the impact of data privacy regulations in context and allows for insights that are only possible when all the information is available.

This isn’t just a matter of dealing with regulations which are already in place, but of staying responsive to new changes which may impact international business. Argentina and New Zealand are among the countries looking to update their own data privacy regulations, while Thailand, South Africa and others are taking their lead from GDPR-like legislation. Forward-thinking businesses may also want to consider the implications of further changes to GDPR standards for the UK, post-Brexit. Investing the time now in flexible metadata management pays greater dividends each time in money saved, compared with running company-wide assessments time after time, which may go over the same compliance ground instead of identifying outlying areas.

Globally, the onward march of updated data regulations is set to continue, and issues of business adherence go much further than potential fines for breaches or the price of compliance. Some 71% of people said they would stop doing business with a company which gave away sensitive data without permission, according to McKinsey[4]. Customers are also highly critical of companies’ ability to use data ethically: only 54% of people said they trusted businesses to do so, while 97% of consumers agree that data privacy is important, according to a KPMG study[5]. The pressure on businesses to be able to easily track their own internal data flows and processes is growing on a number of fronts, and it would be a brave company indeed which would put its operations at risk by simply ignoring this fact.

[1] PwC GDPR Preparedness Pulse Survey, December 2016
