
Module

The digital economy is built on data—massive streams of data being created, collected, combined
and shared—for which traditional governance frameworks and risk-mitigation strategies are
insufficient.

It’s a game of catching up! The explosion of data in recent years has spurred policy debates and
yielded new and often overlapping regulations aimed at protecting consumer data and privacy.

Needless to say, Data Changes Everything!

• Threat Landscape - a shift away from complex malicious software and infrastructure
towards low-profile social engineering attacks, according to the
European Union Agency for Cybersecurity (ENISA).

In the past, the scope for digital risk was limited to cybersecurity threats but leading
organizations must now also recognize risks from lackluster ethical data practices.

• Business Model - Businesses will need to bridge the gap in security knowledge between the
operated services and the end users of those services. The consumption of cyber threat
intelligence (CTI) knowledge is a major step towards achieving this goal.

• Regulatory Environment – regulators are trying to catch up, as data management and
compliance appear to be a moving target.

• Competitive Environment – data ethics has become more of a competitive edge.

• Culture change

Data Breach Incidents are increasing

• A leading Chinese university leaked 8TB of email metadata;

• Mabna Hackers allegedly stole more than 31TB of data from over 140 US universities, 30
US companies and five government agencies, alongside more than 176 universities in 21
other countries;

• Forever 21, Best Buy, Sears, Macy's, Delta

• NPC handles 201 (2018) to 901 (2019) cases.

Data Breach Incidents are increasing, and so is the penalty

The cost of global data breaches to victim organizations will rise to over $5 trillion by 2024 as
regulatory fines take hold and firms become more dependent on digital systems, according to new
predictions from Juniper Research.

Regulators are Catching Up

More enforcement ahead!

Around the world, data privacy and security regulators are becoming more active and tougher on
businesses with poor data protection practices.
Regulators are dedicating more resources to the enforcement task and we are expecting higher
penalties to be issued for non-compliance moving forward.

Regulators are also starting to collaborate with their counterparts across borders in order to align
themselves and support each other.

All of these factors will significantly increase the risk of non-compliance.

Data security and incident response practices

1. Insufficient data security and data breach notification requirements (which are increasingly
being made mandatory) will be a number one priority for regulators in all regions, as most
recently evidenced by the UK ICO's first GDPR enforcement actions. Insufficient data
security or inadequate data incident response ranks amongst the three most common
compliance mistakes committed by businesses across jurisdictions, indicating that many
businesses would be wise to focus their efforts on data security and incident response
practices.

2. Online consent - Businesses of all sizes relying on data subject consent as a processing
ground would be wise to ensure they are transparent about their data practices vis-à-vis
the data subjects and enable data subjects to be in control of their data. This is a challenging
task given the requirement to make privacy notices clear and concise but at the same time
complete and comprehensive.

3. Excessive collection and processing of personal data online - We expect regulators to
continue to scrutinize the collection and processing of personal data in excess of what is
necessary to deliver a service or product, particularly in the online world. In the past,
regulators have penalized businesses for collecting personal information through apps or
websites for purposes unrelated to the use of such app or the provision of a service.

4. Cookies and other online tracking technologies are an important analytics tool for many
businesses. Cookie walls which block users from accessing a website or app unless the
user consents to the placing of tracking technology risk a finding that consent is not
voluntary. They should be reviewed and adapted to ensure users are given a genuine choice
between accepting or rejecting any tracking. Regulators' views are currently not consistent
as to when such choice is given, so this is an area to watch for more guidance.

5. Data residency requirements - Obligations to store certain personal data within the
jurisdiction are particularly prominent in Asia (e.g., China, Vietnam, India
and Indonesia) and are a particular challenge for businesses that largely operate online
and do not typically set up technology infrastructure in each jurisdiction where they offer
their products or services.

6. Direct Marketing Requirements

7. Cross-border compliance
