Johnny Kollin : 04 December 2022 12:36:00 GST
Data privacy and protection are becoming increasingly essential risk areas for businesses to consider as regulations evolve and landmark court cases shake markets. This article outlines some of the main trends affecting customer and business data privacy.
A constant flow of new and amended data protection and privacy laws and regulations is being introduced globally, many of them akin to the EU General Data Protection Regulation (GDPR). In the EU, both the right to privacy and the right to data protection are enshrined in the Charter of Fundamental Rights of the European Union. Four years after the GDPR entered into application, the EU is planning to complement its framework by replacing the existing e-Privacy Directive of 2002 with a new e-Privacy Regulation. The Council of the European Union, the European Commission and the European Parliament remain in negotiations. The new regulation is expected to enter into force in 2023 at the earliest, with an expected transition period of at least two years.
There are also updated, stricter data protection regulations being enacted elsewhere, for example, in the GCC region. In the United Arab Emirates, we’ve seen the enactment of the Data Protection Law (DIFC Law No. 5 of 2020), the Abu Dhabi Global Market Data Protection Regulations 2021, and the UAE Federal Decree Law Number 45 of 2021. Furthermore, Saudi Arabia’s first comprehensive data protection legislation (Royal Decree M/19 of 9/2/1443H (16 September 2021), approving Resolution No. 98 dated 14 September 2021) came into effect in March this year.
It is becoming increasingly complex for businesses to comply with privacy and data protection. Digitalisation and globalisation remain at the core of economic growth. Those factors and the raft of new regulations mean that many businesses must conduct continuous horizon scanning to ensure they are prepared for future legal developments.
Small and large companies use a range of cloud-based software from companies globally. Clients may be in various countries. And with the increase in remote and virtual working arrangements, employees and contractors may be in different countries and connected via remote working solutions. That means even a small company may need to comply with various regulations.
To illustrate this, in its August 2022 decision, the Danish Data Protection Authority (‘Datatilsynet’) upheld its processing ban against Helsingør Municipality's use of Google Workspace. The Danish Data Protection Authority believes several of the processes carried out via Google Workspace involve a high risk to the teachers and students using the services. It said the Municipality would need to make changes to the contract and the technology to reduce the risks related to the children’s personal data to an acceptable level. The decision also includes the suspension of any transfer of personal data to the USA.
Businesses and customers are becoming increasingly aware of the impact of data location. Whilst cloud storage has become the “new normal”, it seems many companies were less prepared for the fact that it matters in which country the data is stored. This remains a particular issue for US-based cloud providers and software providers relying on their services when selling projects to regulated entities such as financial services companies in other parts of the world with stricter data protection and privacy regulations.
Software providers are now expanding their offerings to include several cloud data locations and, in some cases, offering their business clients the option (at times at a premium) to choose the location in which their data is stored. For example, until roughly a year ago, HubSpot’s Amazon Web Services environment was solely located in the United States. However, since July 2021, the CRM provider has been hosting, storing, and processing its clients’ data in either the US or Germany. New clients can choose the preferred location, whilst existing clients have to wait to transfer their existing data until that functionality has been introduced.
In August 2022, Amazon opened its second region in the Middle East with the launch of its Middle East (UAE) Region, joining the AWS Middle East (Bahrain) Region, which opened in July 2019.
There is a wider variety of software tools that can be used by both small and large businesses to assist with compliance. These tools range from the automatic generation of website cookies and privacy policies to tracking user consent for processing personal data. However, many of them need to become more sophisticated to account for the increasingly global nature of businesses and the extraterritorial effect of many regulations. Furthermore, more integration between CRM systems and sophisticated specialised communication tools is often needed.
There are a few reasons why businesses should consider data privacy and data protection as part of their overall enterprise risk management framework:
Firstly, businesses have a legal obligation to comply with national and, in many cases, foreign privacy and data protection legislation. Breaching regulations can lead to significant fines. For example, breaching GDPR can result in penalties of up to EUR 20 million or 4% of a company’s global turnover.
Secondly, breaching privacy and data protection legislation may also result in business disruptions, as illustrated in the Danish Data Protection Authority’s ban on using Google Workspace in schools in a Danish municipality.
Thirdly, breaching privacy and data protection legislation may result in non-financial consequences, including adverse reputational effects.
By complying with data privacy and data protection regulations, proactively placing privacy at the centre of the business strategy, and ensuring that compliance does not negatively affect the customer experience, businesses can stay ahead of the competition.