4 Big Regulatory Issues To Ponder in 2023

Regulatory compliance, particularly in the realm of data privacy, looms large on IT leaders’ list of responsibilities. The ever-present threat of data breaches, new regulation impacting the use of data, and the advent of new technology require risk management. A survey from compliance software management company Hyperproof found that 57% of organizations plan to spend more time on risk compliance management this year.

What are some of the top regulatory issues IT leaders should be keeping in mind as they guide their enterprises through the compliance landscape in 2023?

1. National data privacy laws

The European Union’s General Data Protection Regulation (GDPR) has been regarded as the gold standard of consumer data privacy protection, and it continues to be an important regulatory requirement for companies. GDPR is also prompting countries across the world to consider data privacy legislation of their own. IT leaders will want to watch for new national legislation that could affect their organizations.

The American Data and Privacy Protection Act (H.R. 8152) would be the first comprehensive federal data privacy law in the United States. Ken Mendelson, senior managing director for global investigations and security company Guidepost Solutions thinks it is unlikely the ADPPA will pass this year, but it remains an important bill for IT leaders to watch. In March, the Congressional Subcommittee on Innovation, Data, and Commerce held a hearing on data privacy, signaling that interest in federal legislation is still there. The passage of a federal law could solve some of the challenges created by the state-by-state approach to data privacy.

In India, the Digital Personal Data Protection (DPDP) bill is pending. The bill defines children as below the age of 18, and companies will need to secure parental consent to process data of anyone in this age group, according to The Economic Times.

The Personal Information Protection Law (PIPL) went into effect in China in 2021. It shares some characteristics of GDPR, but the state oversees compliance rather than an independently operated agency, according to the Hyperproof report. Enterprises operating in China will likely need to evaluate PIPL compliance requirements.

2. More state data privacy laws

The ADPPA may not pass this year, but in the meantime, more US states are looking to enact data privacy laws. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are among the strictest data privacy laws in the country. Virginia rolled out its Consumer Data Protection Act on Jan. 1.

More comprehensive state data privacy laws are set to go into effect this year, including:

“Indiana and Iowa also have signed bills this year that will go into effect in the next few years. Montana and Tennessee both have bills awaiting signatures on their governors’ desks, and 14 more states have active bills working their way through the legislative process,” adds Rachael Ormiston, head of privacy at data privacy software platform Osano.

Until a federal law passes, enterprises with multi-state operations will need to keep track of state-level legislation and compliance.

3. Regulatory enforcement

Regulatory enforcement is a vital trend for IT leaders to watch. The Federal Trade Commission, US Securities and Exchange Commission (SEC), and US Department of Health and Human Services (HHS) are among the regulatory bodies overseeing cybersecurity and privacy requirements.

“The Federal Trade Commission has determined that inadequate cyber security represents an unfair trade practice, resulting in numerous FTC enforcement actions across a number of industries,” Guidepost Solutions' Mendelson tells InformationWeek.

The SEC has proposed a new rule (Rule 10) that would require “entities that perform critical services to support the fair, orderly, and efficient operations of the US securities markets to address their cybersecurity risks.” The rule would require US securities markets to have written cybersecurity policies, and it would require covered entities to report cybersecurity incidents to the SEC.

Betsy Hodge, a partner in the health care practice at national law firm Akerman, also notes increased activity by the HHS Office for Civil Rights (OCR) regarding the use of protected health information (PHI).

European regulatory authorities are also actively enforcing data privacy laws. In May, Ireland’s Data Protection Commission fined Meta, the parent company of Facebook, a record $1.3 billion for violating GDPR.

4. Artificial intelligence regulations

Hardly any conversation about technology can escape AI. How will it be used? How can it be used responsibly? What are the potential dangers? Already, Sam Altman, the CEO of generative AI firm OpenAI, has called for the US to create regulations for emerging AI technologies.

Other countries are also taking a close look at how AI is being used. The Italian Data Protection Authority temporarily banned AI chatbot ChatGPT due to privacy concerns. OpenAI, the company behind ChatGPT, met many regulatory demands before making its return to Italy at the end of April, AP News reports. 

The exact shape and timeline that AI regulations will take in the US and around the world is not yet defined. Michael Lamb, global chief privacy officer at information and analytics company RELX,hopes regulation will be shaped by input from academics, civil society, the creators of AI models, and generative AI users. “The key balance for legislators is to ensure that generative AI can thrive and deliver benefits while providing needed guardrails against harms, such as inaccuracy, bias, or copyright issues,” he says.

Compliance Challenges

Ensuring regulatory compliance can feel like a delicate juggling act. Large enterprises with operations in multiple states and countries are faced with a patchwork of laws that are evolving in an attempt to keep up with today’s proliferation of data and technology. “It’s challenging to stay on top of what seems to be a never-ending list of new requirements, some of which overlap but do not align,” Hodge says.

Enterprises may not even have the necessary knowledge to understand where they stand with regulatory compliance. “Many companies don’t even know everywhere sensitive data resides in their technical stack. Companies that had to comply with GDPR or CCPA may have done proper data mapping, but most haven’t. This generally tends to be the most time- and resource-intensive,” according to Robin Andruss, chief privacy officer at data privacy company Skyflow.

Budgetary and staffing constraints complicate that juggling act. Enterprises need technology, people, and training to keep up with compliance. Getting an adequate share of the budget for those resources can be particularly challenging for smaller companies. “However, these investments will yield dividends in the long run because organizations failing to budget for compliance now will have to budget for costly litigation and penalty fees later,” Ormiston points out.

The highly publicized nature of data breaches and ransomware attacks highlight the necessity of maintaining compliance. “IT leaders can, and should, leverage any new regulatory requirements as a justification for increasing budgets for cybersecurity compliance,” Mendelson argues.

Challenges abound when it comes to potential AI regulation as well. Many IT teams are eager to leverage AI, but how can they do so when the future of regulation is uncertain? “It is challenging to stay ahead of the tech adoption curve when the risks on how to best use it are unclear. It can therefore be difficult to determine what kind of policy or governance controls need to have in place to support those requests,” Ormiston says.

Staying Updated  

Looking to the most comprehensive regulations can serve as a helpful guide to staying ahead of the curve. GDPR is one of the most rigorous privacy protection standards, and it has influenced legislation in the US, including CCPA and CPRA, according to Ormiston. “Adhering to these strict regulatory requirements positions your organization to achieve compliance more quickly when, not if, additional data privacy legislation passes in your area,” she says.

Gopi Ramamoorthy, senior director of security and governance, risk, and compliance at data security posture management company Symmetry Systems, stresses the importance of understanding the bigger picture of the regulatory landscape. “This will help to architect the controls implementation, verification, and maintenance of those controls,” he says.

Regulatory compliance must be woven into the fabric of an enterprise’s business model, and it is not a static process. IT leaders are charged with staying on top of changing requirements and keeping their companies up to speed. Andruss recommends taking a proactive approach. “If IT leaders work closely with their privacy and security leaders to map and identify new regulations coming in the next six to 12 months, they can plan to implement data privacy and cybersecurity proactively into their architecture,” she says.

What to Read Next:

Tracking Pixels Continue to Cause Data Privacy Issues in Healthcare

Q&A: What Meta’s $400M+ EU Fine Means for Data Privacy and Ads

Privacy Debate for 2023: Can Data Collection Persist As Is?