Digital legislation developments are shaking up the tech sector. Data privacy and environmental demands are gaining ground across the globe. CIOs, CTOs and executives must stay informed about essential legislative changes like data storage regulations, sustainability initiatives, and cybersecurity laws.
The position of CIOs and CTOs has evolved tremendously. Their roles have grown to include strategic planning and alignment with broader organization objectives, and they have turned into essential organizational decision-makers. At the same time, they must cope with an ever-expanding set of regulatory frameworks to protect sensitive data and ensure legal compliance.
The developments in the tech sector have heightened legislative interest. It became clear that digital regulations needed to be reviewed and updated.
Data storage regulations
The landscape of data storage regulations, including data privacy laws, is constantly evolving. In this blog we therefore discuss the privacy laws and regulations we consider most important, what they entail, and why they should be taken into account, followed by some industry-specific regulation. We will provide the key information professionals need to secure and manage data effectively. Stay informed through our blog and ensure your data practices align with current regulations.
Many countries have established privacy laws and regulations. An example is the General Data Protection Regulation (GDPR), enacted by the European Union. It has set the standard and shaped the trends in this field, which globally resulted in stricter regulations, bigger fines, and more potential reputational damage.
The GDPR applies to all organizations that process the personal data of EU citizens, regardless of where the organization is located. Personal data refers to any information that directly or indirectly identifies someone.
In the US, the states California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia have implemented state-level data privacy laws. They deal with personal information that identifies, relates to, describes, or links with a consumer or household. There are some variations, such as differences in the criteria that specify which firms and non-profits are covered by a regulation, differences in mandatory data protection assessments, and differences in data minimization requirements. Some laws adopt the “controller” and “processor” approach used in the GDPR.
The state-level privacy laws allow organizations to process data by default, if they provide a clear option for consumers to opt-out of having their personal information sold or shared. The GDPR, on the other hand, defines six legal grounds for data processing. Organizations can only process data when at least one of these grounds applies.
Another example is the Data Protection Framework (DPF), a so-called “adequacy decision” that allows for transferring personal data between the EU and the US. Data transfers to US entities that are not included in the Data Privacy Framework List are outside the scope of the adequacy decision and require other transfer mechanisms under the GDPR, such as standard contractual clauses or binding corporate rules.
Data privacy laws not only apply in the EU and the US, but also in many other countries, like Australia, Brazil, Canada, Japan, New Zealand, Singapore, South Africa, South Korea, the Philippines, the UK, and others.
Most privacy protection regulations adopt general principles regarding transparency, consent, data minimization, use limitation, and retention and deletion of personal data. Cross-border data transfers (transferring personal data between different legal territories, or to international organizations) are often prohibited unless specific requirements are satisfied.
CTOs and CIOs must understand the principles of data minimization and privacy by design. To comply with privacy laws in general, organizations should perform data protection impact assessments, implement cybersecurity safeguards, and be transparent about the data they collect. They should also create and communicate a process for individuals to submit requests regarding their personal data.
Non-compliance with data privacy laws can have serious ramifications. For example, the CCPA penalties have an upper cap of $7,500 per intentional violation or $2,500 per non-intentional violation. The penalties can quickly add up because one consumer equals one violation. GDPR fines are capped at €20 million or 4% of annual revenue, whichever is higher.
Industry-specific compliance requirements
Industry-specific compliance requirements are regulations aimed at making sure that organizations in specific industries adhere to certain standards and practices.
For example, the Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that governs the use and disclosure of protected health information (PHI): information about the present or future physical or mental health or condition of an individual. All healthcare providers, health plans, and healthcare clearinghouses that communicate health information electronically are subject to HIPAA.
HIPAA limits the use and disclosure of data to the minimum necessary, requires notification of privacy practices, and mandates the adoption of administrative practices to safeguard the security of sensitive information. HIPAA is enforced by the Department of Health and Human Safety’s Office of Civil Rights (OCR), which may issue fines for HIPAA violations.
Another example is the Payment Card Industry Data Security Standard (PCI DSS). This is a set of security standards designed to ensure that companies that accept credit card payments maintain a secure environment. Compliance is necessary for any organization that plays any role in a transaction, including processing, storing, or transferring payment information. The PCI DSS is enforced by the payment card brands in the payment industry, including Mastercard and Visa.
Other examples of industry-specific regulations are the Gramm Leach Bliley Act (GLBA), which governs personal information collected by banks and financial institutions, and the Fair Credit Reporting Act (FCRA), which regulates the collection and use of credit information.
Compliant data storage practices
Compliance requirements vary depending on the industry and the country in which an organization operates. Non-compliance can have significant consequences.
To avoid data corruption or loss and to safeguard the data from unauthorized access, use, or disclosure, strong data security measures such as effective backup and recovery procedures, encryption, and access controls are essential. In addition to security measures, data retention and disposal policies should be in place.
In certain circumstances, data privacy legislation may mandate timely breach notifications. CIOs and CTOs should review the requirements and establish a procedure to achieve them. Frequent assessments and audits should be carried out, to confirm that data storage practices are effectively protecting the data and comply with applicable laws and regulations.
The urgent need to solve environmental concerns is widely acknowledged around the world. The triple planetary crisis (climate change, loss of biodiversity, and pollution) is a major issue. As a result, the tech sector is under growing pressure to contribute to sustainable solutions.
The environmental, social, and governance (ESG) regulatory landscape is changing because of the increasing focus on the planetary crisis and the pledges to achieve net zero emissions.
For instance, in the European Union both the Energy Efficiency Directive (EED) and the Corporate Sustainability Reporting Directive (CSRD) focus on sustainability. The EED expands the scope of energy audit obligations to include all companies, regardless of size, that consume energy above a certain threshold. The CSRD requires large companies and listed SMEs to report on sustainability in a format conforming to the European Sustainability Reporting Standards (ESRS), including information related to environmental matters.
Another one is the European Ecodesign for Sustainable Products Regulation (ESPR), which is being developed and will probably be finalized in 2024. The ESPR is the cornerstone of the approach to more environmentally sustainable and circular products. It will focus on elements like product durability, reusability, upgradability and reparability, energy and resource efficiency, and carbon and environmental footprints.
To achieve carbon neutrality by 2030, data centers in the EU must increase energy efficiency, reuse waste energy and use more renewable energy sources. To meet this goal, the EU will rely on a mix of existing instruments, reviews of existing legislation and new initiatives.
The EU has also implemented the Sustainable Finance Disclosure Regulation (SFDR). This transparency framework regulates how financial market participants must disclose sustainability information.
In the US, on the other hand, the Securities and Exchange Commission (SEC) has proposed sustainability disclosure standards, which are comparable to the EU SFDR.
Countries around the world have thus adopted some form of ESG regulation. Japan, for example, has embraced the concept of ESG through soft-law rules. The Stewardship Code (SS Code) emphasizes investors’ responsibility to enhance long-term investments by considering sustainability, including ESG factors. The Japanese Financial Services Agency (FSA) has introduced mandatory ESG disclosures. In Canada, from 2024 onward, eligible banks, insurance companies, and federally regulated financial institutions will need to provide ESG disclosures on their climate-related risks.
The changing legislative trend sends a clear message that the world is decarbonizing. The tech sector must address sustainability because of governmental pressure, market demand and ethical reasons, and embed ESG concepts in its operations. The UN roadmap for integrated sustainability provides guidance for CIOs and CTOs on how to integrate sustainability-related goals and strategies across the organization.
Evolving cybersecurity laws
The cybersecurity legislation landscape is evolving because of the expanding digital economy and in response to escalating cybercrime. These regulations, in general, aim to protect critical infrastructure, ensure national security, provide a safe digital environment, safeguard data privacy, and promote trust in digital transactions.
The NIS2 Directive provides legal measures to boost the overall level of cybersecurity in the EU. NIS2 obliges more entities and sectors to take cybersecurity measures than the preceding directive. Organizations falling under this directive face stricter risk management requirements, stricter reporting requirements in the case of a cybersecurity incident, and must implement essential security measures.
The Cyber Resilience Act (CRA), on the other hand, aims to protect consumers and businesses in the European Union from cyber incidents, making it the first Internet of Things (IoT) legislation in the world. The act applies to hardware manufacturers, software developers, distributors and importers. The CRA is currently in the legislative process within the European Union; its entry into force will depend on this process.
In the US, the Cyber Incident Reporting Act legally mandates operators of critical infrastructure to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of any data breach and within 24 hours of a ransomware payment.
Other countries have also implemented cybersecurity legislation. India, for instance, has enacted the Information Technology Act. Indian businesses and organizations must have reasonable security practices and procedures to protect sensitive information from being compromised, damaged, exposed, or misused. Cybersecurity incidents must be reported within six hours.
CIOs and CTOs should be aware of mandatory timely breach notifications. When operating in the EU, they should also determine whether NIS2 applies to their organization, track upcoming cybersecurity risk management and incident response regulations, and be aware of future reporting requirements.
Cybersecurity frameworks provide a method to protect digital systems and sensitive data through systematic risk mitigation. Government agencies, government contractors, and subcontractors in the US must adhere to the NIST (National Institute of Standards and Technology) framework. Outside of the US, government agencies and organizations that are part of critical infrastructure, such as food, water, health care, energy and transport, may be required to comply with the ISO 27001 cybersecurity framework.
Even if compliance is not required, CTOs and CIOs should consider implementing a cybersecurity framework. Organizations are dependent on their digital information systems and must protect sensitive data, such as personal and financial information. Because of the on-going rise of cybercrime, data security is more crucial than ever.
The NIST quick start guide provides guidance to improve cybersecurity risk management. This guide can be of interest to CIOs and CTOs, regardless of the framework they are considering, to get a taste of the steps to begin or improve their cybersecurity program.
Emerging technologies and legal challenges
Emerging technologies leave their mark on legal frameworks. For example, artificial intelligence (AI) is growing at a rapid pace, which presents ethical, social, and legal challenges. Concerns about bias and discrimination, privacy and monitoring, environmental impact, and potential violations of human rights are among them. To address these concerns, the UN published the global standard on AI ethics, titled “Recommendation on the Ethics of Artificial Intelligence”.
The EU AI Act is the world’s first initiative for regulating AI and applies to providers, deployers, importers, distributors, and product manufacturers. Some other initiatives are the AI bill proposed in Brazil, the anticipated AI and Data Act in Canada, and a voluntary framework for ethical AI deployment in Singapore.
Furthermore, the deployment of the Internet of Things (IoT) may also be subject to laws and regulations, like the EU CRA, the EU NIS2 directive, and the US IoT Cybersecurity Improvement Act. The privacy aspects of IoT are covered by privacy laws and regulations.
Regulatory uncertainties, ethical considerations, and responsible technology adoption are among the challenges that CIOs and CTOs confront when embracing emerging technologies. They should therefore develop a risk-adjusted strategy and discover how best to leverage new technologies. CIOs and CTOs may form oversight committees or consult experts to establish guidelines for responsible use.
Robust technical infrastructures based on scalable and reliable data centers facilitated the transition to global operations and the establishment of a global economy. Because of this global nature of technical operations, firms must comply with a growing assortment of regulations governing data privacy, protection, and localization.
CIOs and CTOs must understand the increased level of compliance risk and be up to date on the specifics of each regulatory jurisdiction in which they operate. Data privacy laws limit cross-border data transfers, and legal data localization requirements may necessitate the creation of distinct infrastructures and computing capabilities, and the hiring of local IT personnel.
CIOs and CTOs should review local legal requirements, determine whether local business prospects justify investment in local IT infrastructure and operations, and identify appropriate security and privacy measures.
The roles of CIOs and CTOs have evolved tremendously. They are growing into business leaders and strategists. They must stay informed about essential legislative changes, work with legal experts, and ensure compliance with an expanding set of regulatory frameworks.
CIOs and CTOs must ensure that their data storage practices align with the latest data privacy and industry-specific regulations. Also, they should implement sustainable solutions and embed environmental, social, and governance (ESG) concepts.
Because of the importance of information systems, the escalation of cybercrime and the need to protect sensitive data, CTOs and CIOs should consider implementing a cybersecurity framework, even if compliance is not required. They should develop a risk-adjusted strategy and discover how best to leverage emerging technologies. When operating globally, they must understand the increased level of compliance risk and be up to date on the specifics of each regulatory jurisdiction in which they operate.
Due to the ever-changing nature of legislation in the tech sector, compliance isn’t a one-time checkmark, but rather demands ongoing effort and regular evaluation.
We invite you to share your thoughts in the comments section below. Whether you have additional ideas, concerns, or insights into legislative changes impacting the tech sector, your input is valuable. Feel free to express your views, provide suggestions, or discuss any other laws or regulations you believe should be highlighted. Additionally, don’t hesitate to reach out to us directly if you have specific questions or want to explore further topics related to data storage regulations, sustainability initiatives, cybersecurity laws, or any emerging tech-related legal challenges.
References
Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
Information Technology Act, 2000 (India): https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf