Navigating The Newest Data Privacy Regulations

Businesses are changing. Digital transformation and other modern initiatives are creating new ways to deliver value. As organizations worldwide integrate new technologies, they generate, store, and share far more data than ever before.

As a result, regulating private and sensitive data has become both critical and constant. Organizations of all sizes—whether enterprises or IT service providers—must comply with the latest data privacy laws to safeguard customer information, protect their reputations, and avoid the substantial fines associated with non-compliance.

Achieving compliance can be a challenge for system administrators who are already spread-thin across several IT projects, often working under a limited budget. We can break this undertaking down into three important components.

1. Data classification and management: Understanding what private data is being collected and its priority. Verifying that it is being gathered and stored in such a way that it meets compliance requirements.

2. Infrastructure and technical: Your hardware, software, and how data is transferred, backed up, and deleted must employ encryption, authentication, and other required security standards. 

3. Employee education and training: Your security policies must not only be documented but also well-understood and executed correctly by your team. Training will be required for each of your response team members to understand their role in maintaining compliance.

These security requirements are ever-evolving, based on the latest laws and amendments, which compel us to stay informed. Let's take a look at some of the newest changes in the industry.

What's New in Terms of Data Privacy Regulations?

California Privacy Rights Act (CPRA)
Amendment to the California Consumer Privacy Act (CCPA)

The CPRA went into effect on January 1, 2023, giving consumers more control over how businesses use their personal information. It limits what data can be collected, how consumers are notified, and how that data is shared, and gives individuals the ability to opt out. It also allows consumers to request the specific information a company holds about them and ask that it be corrected, restricted, or deleted.

This shifts the responsibility for data removal onto the business that collects it. While there is an exception for archives and backups, it raises important questions. Will future amendments include backup data? When a backup is restored and becomes production data again, will your organization promptly handle that client data in line with these requirements?

It’s also important to note that CPRA/CCPA enforcement is newly being handled by the California Privacy Protection Agency (CPPA). The industry expectation here is that enforcement activities will increase significantly over the prior authority, the California Attorney General.  

Virginia, Connecticut, Colorado, and Utah

In the U.S., following California, other states are passing state privacy laws to regulate how data is collected. Similarly, they call for regular security risk assessments and employee training. Individuals have a right to opt out of their personal data from targeted advertising, profiling, and sales. While the laws are similar, there will be no doubt about the specifics that should be observed by businesses that are working with personal data in these states.

Not far behind on the legislative trail are Michigan, Ohio, New Jersey, and Pennsylvania, with their own bills underway.

Payment Card Industry Data Security Standard (PCI DSS) 4.0

PCI DSS 4.0 was released in 2022 and will fully replace v3.2.1 in March 2025. By then, organizations must comply with the new standard. Created by the major credit card companies, PCI DSS is designed to protect private payment data as it is processed, transmitted, and stored.

Version 4.0 adds important requirements around client-side security, a growing target for modern threats. Organizations must identify and document all web assets, securely configure applications and system components, and ensure that vulnerabilities can be found and remediated. Any system that can impact the cardholder data environment—including MSPs that do not process card data directly—will have security requirements to follow. These may include intrusion detection and support for penetration testing.

Quebec's Law 25

Quebec's Law 25 (formerly Bill 64), enacted by the National Assembly of Quebec on September 21, 2021, modernizes the province’s private and public sector privacy framework. It applies to all organizations operating in Quebec that collect personal information in the course of their activities, requiring them to obtain valid consent and implement clear controls before using, transferring, or disclosing that data. The law has been updated multiple times, with major provisions taking effect on September 22, 2023.

These changes can significantly impact the compliance obligations of organizations located in Quebec, as well as businesses outside the province that handle the data of Quebec residents. New policies must define how personal information (and consent) is obtained, retained, and securely destroyed. Data that is no longer required must be either destroyed or anonymized. A Privacy Impact Assessment (PIA) is now mandatory for any project that involves transferring personal information outside Quebec’s borders. In addition, individuals have expanded rights, including the ability to request that organizations stop processing their personal data.

Conclusion

Organizations of all shapes and sizes must put forth effort to respect the newest compliance regulations coming into play this year. Protecting the private and personal data of customers and partners, preserving their reputation, and avoiding heavy fines are in everyone’s best interest. Stay informed and speak with data protection experts, like our team here at NovaBACKUP, to develop a strategy that conforms to strict compliance standards but offers your organization access to data flexibly, inspiring productivity and facilitating the modernization of your business in the age of digital transformation. 

Note: The information provided in this blog post is for educational purposes only and is not intended to be a substitute for professional legal advice. The authors are not lawyers, and any information regarding legal specifics, fines, etc.,  should be verified with a qualified lawyer who specializes in regulatory compliance.