{"id":68973,"date":"2023-01-24T09:56:52","date_gmt":"2023-01-24T09:56:52","guid":{"rendered":"https:\/\/www.commvault.com\/?p=68973"},"modified":"2023-01-25T14:48:00","modified_gmt":"2023-01-25T14:48:00","slug":"5-essential-data-privacy-regulations","status":"publish","type":"post","link":"https:\/\/www.commvault.com\/blogs\/5-essential-data-privacy-regulations","title":{"rendered":"5 Essential Data Privacy Regulations for Businesses to Know in 2023"},"content":{"rendered":"\n
Happy 2023 Data Privacy Week!<\/strong><\/p>\n\n\n\n Just as everyone started to get more or less cozy with the regulatory landscape in data privacy\/protection and individuals and businesses learned to navigate the shallow waters of data subject requests, risk management, and impact assessments \u2013 BOOM \ud83d\udca5 – another tidal wave of regulatory requirements and new challenges rushed in!<\/p>\n\n\n\n 2023 is the perfect moment to start internalizing new acronyms (get ready for #NIS2, #DORA, #DPDPB, #CPRA, #CCPA, #CPA, #CDPA, #UCPA, #VCDPA, #ADPPA, #PrivacyPenaltyBill<\/strong>) and legislative acts they stand for.<\/p>\n\n\n\n The underlying motive of the upcoming changes is to boost and enhance the cybersecurity postures of various organizations and manage evolving cyber risks more effectively.<\/p>\n\n\n\n Here is a helicopter view of selected legal developments around the world:<\/p>\n\n\n\n According to ENISA, the general spending on cybersecurity is 41 % lower by organisations in the EU than by their US counterparts. With the arrival of NIS2, this ratio is expected to shift to cover this enormous gap at least partially. Conservative estimates are that NIS2 entry in force will translate into a ~22% increase in ICT spending over a 3\u20134-year period.<\/p>\n\n\n\n NIS2 was published just before year-end, and EU Member States now have 21 months to transpose requirements and mechanisms described into national laws. The 2016 NIS Directive – despite shortcomings – served as a cornerstone for increasing Member States’ cybersecurity capabilities. Now, NIS2 will expand the scope and the list of impacted organizations. It is expected that as many as 160 000 organizations will be subject to this new legislation, including digital services providers (platforms and data centre services), electronic communications networks and services providers, manufacturing, food, and the public sector.<\/p>\n\n\n\n <\/p>\n\n\n\n Leah Flynne<\/strong> What can you do right now?<\/p>\n\n\n\n <\/p>\n\n\n\n Anthony Calabretta<\/strong> DORA aims to achieve \u201ca high common level of digital operational resilience,\u201d mitigating cyber threats and ensuring resilient operations across the EU financial sector. It will become directly applicable from Jan 17th, 2025. It will impact the financial sector (banks, insurance companies, investment firms) and its ICT providers (i.e., cloud platforms) – roughly around 22 000 organizations.<\/p>\n\n\n\n New requirements imposed by DORA will effectively boil down to reviewing and updating risk management practices. Financial sector customers will need to transfer as many regulatory risks as possible to ICT providers or apply different risk-mitigating strategies. In any case, ICT providers will need to be able to assure adherence to DORA’s requirements. The whole industry will also need to reassess contractual relations with vendors. DORA will incorporate requirements for contracts between financial companies and their critical ICT providers, including the location where data is processed, service level agreement descriptions, reporting requirements, rights of access, and circumstances that would lead to terminating the contract.<\/p>\n\n\n\n In a separate post \u2013 Commvault\u2019s Product Team will perform a more technical deep-dive into DORA\u2019s requirements related to detection (art. 10), response and recovery (art. 11), and backup (art. 12).<\/p>\n\n\n\n <\/p>\n\n\n\n Meg Cavanaugh<\/strong> As of January 1st, 2023, California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act 2018 went into effect. Many temporary exemptions in place expire, imposing additional obligations on companies dealing with California residents\u2019 personal information, e.g., regarding employment-related personal data, opt-out from selling personal information.<\/p>\n\n\n\n 2023 is also the year when the Colorado Privacy Act (CPA), The Connecticut Data Privacy Act (CDPA), The Utah Consumer Privacy Act (UCPA), and The Virginia Consumer Data Privacy Act (VCDPA) will become effective. Legislative fragmentation risk is imminent and substantial, and this is the kind of risk that caused the European Union to harmonize the regulatory approach. Let us see whether the same will be true in 2023 in the case of the American Data Privacy and Protection Act (‘ADPPA’) \u2013 a proposal for a federal and general data privacy law.<\/p>\n\n\n\n Indian legislators plan to introduce a very ambitious Digital Personal Data Protection Bill (DPDPB<\/strong>) this year. When enacted, long-awaited legislation will undoubtedly impact all kinds of organizations due to India\u2019s role as a tech powerhouse and a global outsourcing hub.<\/p>\n\n\n\n Australian authorities announced yet another complete overhaul of the Privacy Act dated 1988. The current legislation was summarized as \u201cout of date and not fit for purpose in the digital age.\u201d<\/p>\n\n\n\n In the meantime, still in 2022, Australia passed the Privacy Penalty Bill that increased privacy-related sanctions to levels comparable with trends introduced by GDPR (up to 50m AUD) and expanded regulatory powers of the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA).<\/p>\n\n\n\n The relentless compliance clock just started ticking again. Cross-functional teams consisting of IT, compliance, privacy, legal professionals, and business analysts will spend considerable amounts of time analysing the impact of the cloudburst of legislative developments that emerged at the end of last year and will materialize throughout 2023.<\/p>\n\n\n\n Be aware that the legislative developments presented here could be more comprehensive. You can be sure, however, that they will become standard talking points not only in 2023 but also for the years to come.<\/p>\n","protected":false},"excerpt":{"rendered":" Learn more about Data Security today and make sure to check out the 5 Essential Data Privacy Regulations for Businesses to know in 2023.<\/p>\n","protected":false},"author":85,"featured_media":68979,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_custom_css":"","_custom_js_footer":"","_page_background_color":"","_remove_from_search":false,"_dark_mode":false,"_light_footer_mode":false,"_sidebar_form":{"id":"","name":"","cta":"","redirect":""},"_alert_notification_bar":{"show":true,"bg_color":"","content":"","call_to_action_label":"","call_to_action_link":""},"_footer_cta":{"show":false,"title":"","subtitle":"","cta_text":"","cta_link":"","background":{"id":0,"url":""}},"_cmv_customer_logo":{"id":0,"url":""},"_jetpack_memberships_contains_paid_content":false,"i18n_hreflangs":"","footnotes":""},"categories":[226],"tags":[],"cmv_author":[1088],"class_list":{"0":"post-68973","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-data-privacy-2","8":"cmv_author-jakub-lewandowski","9":"entry"},"yoast_head":"\nNIS2<\/strong><\/h3>\n\n\n\n
\u201cLike the SEC\u2019s incoming Cybersecurity Disclosure requirements<\/a> and Caremark decisions<\/a> from the last few years, the NIS2 Directive emphasizes senior management\u2019s role in providing oversight of a company\u2019s cybersecurity program. The NIS2 Directive ups the ante of its predecessor, the NIS1 Directive, by holding senior management directly responsible for implementing the Directive\u2019s requirements, where failure to do so can hold personal liability for the parties involved. While the pressure may seem to shift from the CISO to senior management more broadly, it continues to be critical for CISOs, like Commvault’s very own Javier Dominguez, to have a seat at the table with Directors and Officers. CISOs must be empowered to create and successfully execute robust cybersecurity risk management strategies through proper resourcing and support.\u201d<\/em><\/h2>\n\n\n\n
\n\n\n\n
Director Compliance @ Commvault<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n
NIS2 aims to strengthen cybersecurity postures by, amongst other: improving cybersecurity governance, addressing the security of supply chains, streamlining reporting obligations (early warnings\/shortened notification periods), and introducing more stringent supervisory measures and stricter enforcement requirements.<\/p>\n\n\n\n\u201cCommvault team is closely monitoring the progress of the implementation of the requirements. With today\u2019s guidance, the Commvault team is actively reviewing the contents of NIS2 and assessing how we are best aligned with them by preparing appropriate responses, both internal and external, through maturing the existing NIST governance framework (internationally recognized) set of controls and applying it to our Data Governance and Cybersecurity positions currently.\u201d<\/em><\/h2>\n\n\n\n
\n\n\n\n
Manager IT Compliance @ Commvault<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n
DORA<\/strong><\/h3>\n\n\n\n\u201cGood news is that Commvault is already compliant with DORA. We believe we have best-in-class privacy practices. The Legal team will soon publish financial sector-specific T&Cs, which will foster trust and add velocity to closing deals \u2013 our financial sector customers will know we care about what they care about. It will be interesting and telling to see how the cloud provider giants, Microsoft, Google, and AWS, respond to DORA\u2019s requirements for onsite audits \u201cand participation in the customer\u2019s data security programs.\u201d<\/em><\/h2>\n\n\n\n
\n\n\n\n
Associate General Counsel @ Commvault<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n
US data privacy laws – CPRA\/CCPA, CPA, CDPA, UCPA, VCDPA, ADPPA<\/h3>\n\n\n\nIndia – DPDPB<\/strong><\/h3>\n\n\n\n
Australia – Privacy Penalty Bill & overhaul of the Privacy Act<\/strong><\/h3>\n\n\n\n
Summary<\/strong><\/h3>\n\n\n\n