Data Regulation in 2020: Compliance From Day 1

Arbor Ventures
Dec 23, 2020

It is December 2020 and a tumultuous year is coming to a close. COVID-19 made 2020 a historic year and forced just about every organization globally to alter or adapt their ways of doing business. The sudden but necessary shift to distributed, remote work has only served to aggravate data privacy concerns and highlighted the need to develop new data privacy guidelines and regulations.

Some of the most important regulatory updates include:

· In its judgement on July 16, 2020, the Court of Justice of the European Union (“ECJ”) invalidated the EU-US Privacy Shield framework, with major implications for international data transfer between the EU and the US; and

· On October 21, 2020, the People’s Republic of China (“PRC”) unveiled its highly anticipated draft personal information protection law. This is the first comprehensive piece of legislation addressing personal information protection in the PRC.

China is not the only country issuing new proposals and laws around data protection. Countries such as Egypt, New Zealand and Brazil also passed robust data privacy laws in 2020. OneSpan published a highly recommended “Global Financial Regulations Report 2020” detailing regulatory developments in 2020.

Terms around data privacy and data security have also found their way into venture financing documents. The NVCA updated its draft “Stock Purchase Agreement” in September 2020 to address new considerations under, and increased risks posed by, the new generations of privacy laws, amending and specifying the representation regarding “Data Privacy”. The same can be seen across the world in Singapore, where the model VIMA agreements also contain warranties around data protection. We at Arbor have also witnessed that those terms are increasingly becoming a standard in new financing rounds. The question is how businesses, especially start-ups with limited manpower and capital, should best deal with those increasing requirements around data protection and data security.

Companies store, process and exchange a wide variety of data, such as customer information, patient data, population data and employee data. This data is subject to a variety of laws. Mapping out what kind of data a company stores, processes and exchanges is important. When considering the applicable laws, companies should also think long-term and take into account their international expansion strategy and the correspondingly increased regulatory burdens and complexities. Companies that leverage technologies and processes such as machine learning and predictive analytics frequently rely on the processing of such data as part of their business model. It might be essential to develop a data protection strategy early on. We expect management to analyse the data protection risk, draw up guidelines and establish data protection procedures and monitoring as necessary. While we certainly expect innovation on a product level, sometimes it also makes sense to just leverage existing solutions that work, to minimize costs and effort, especially when the problem is outside of one’s core competencies. As such, it makes a lot of sense for companies to consider whether increased regulations around data processing and security can be met with the help of specialized companies and/or service providers. In fact, depending on the complexity of the problem (such as data residency questions), large corporations are also better served by specialized, third-party solutions.

While increased regulation is certainly a challenge for start-ups and corporations alike, it can also be an opportunity for innovation, new products and services. Data protection and privacy start-up BigID just recently announced a new funding round that raised the company’s valuation to $1B. Arbor’s investment in InCountry, a company that addresses data residency challenges with a complete end-to-end storage and compliance solution, is a testament to the growing opportunity in the space. The consequences of non-compliance with data regulation are high, creating an urgency to find solutions that can solve the complexities of a balkanized and more regulated digital world. Those that build successful solutions will be a part of our global digital infrastructure for years to come.

Written by Luana Stämpfli


Arbor Ventures is a global early-stage venture capital firm focused on the intersection of Big Data, Financial Services & Digital Commerce. www.arborventures.com