The emergence of Data Protection regulations will bring forward a new data governance ecosystem to regulate the business marketplace.
Earlier, cyber security work was predominantly seen only in the IT world, while the rest of the organization mostly worked to meet its ISO and cyber security requirements. A new paradigm is expected to evolve that regulates the importance of data across industry (both tech and non-tech).
The business landscape will evolve to include the following entities, apart from the users whose personal data is processed by controllers and processors:
1. Data Controllers (represented by a DPO)
2. Data Processors (represented by a DPO)
3. Certification Authorities
4. Independent Regulator (for example, under GDPR, the Supervisory Authorities headed by a Lead Supervisory Authority)
5. Government Body (the department dealing with Data Protection Laws)
6. Courts (for judicial proceedings against a regulator, controller or processor)
7. Data Protection Board (constituted in Europe to ensure consistent application of the Regulation across member states)
8. Standard Development Organizations
9. Consulting Organizations
Data Controllers and Data Processors (#1 / #2), the organizations capturing and processing users' personal data, shall appoint a DPO (Data Protection Officer) who acts as the single point of contact (SPOC) for end users. Appointing a DPO is mandatory in specific cases: where personal data is processed at significant scale, or where the data processed is of a sensitive nature.
Certification Authorities (#3) will help evaluate whether technical and organizational implementations are sufficient to demonstrate the required level of adherence to the Regulation.
The Independent Regulator (#4) will monitor the application of the Regulation and act as a bridge between users and organizations (both private and government, including controllers and processors). In the case of the European Union, there will be one or more supervisory authorities per Member State (where a state has multiple authorities, its government decides which Supervisory Authority represents it on the Board (#7)). The regulators will be led by a Lead Supervisory Authority.
In case of contention, users have the right to judicial proceedings against the Regulator (supervisory authority), controller or processor (#4 / #1 / #2) in an appropriate court of law (#6).
A Data Protection Board (#7) has been constituted in the European Union to ensure consistent application of the Regulation across its member states. Member State governments have the right to participate in the Board's activities (without voting rights).
Apart from this, several self-driven, industry-specific organizations are emerging that provide standards and codes of conduct for domain- or sector-specific requirements.
The marketplace already has several consulting and solution-providing organizations (#9) offering services to Data Controllers / Processors, including but not limited to the following:
- Preparing the organization for certifications
- Privacy Impact Assessment (PIA or DPIA) for new technology implementations or projects dealing with personal data
- Legal and financial consulting (for example, on loss and compensation suits, cross-border data flows, mergers and acquisitions)
- Technology products and services for data protection
- Data audits (this service is expected to gain prominence)
There will be a high level of churn across various industries as these developments unfold. A few examples:
- The biometric identification industry will go through major changes and faces major risk to its business volume.
- Several quality certification bodies are gearing up for the new demand for data audits, certification and training across industries that deal with personal data.
- PIA practice will percolate and risk management firms will emerge across the globe.
- CAs and law firms are gearing up for the challenges that will be brought by trans-border data flows, differences in regulations, and complaints from users.
- GDPR Act