The growing digital footprint has increased the exchange of personal data, creating opportunities for cybercriminals to access it for their own gain. In the process, they jeopardize the security and privacy of individuals and businesses. One way to minimize these cyber attacks is to increase the security of the systems handling sensitive data. But not every organization takes the necessary precautions, whether because of budget constraints, negligence, or other reasons.
To streamline and enforce security, governments worldwide have started implementing laws that mandate organizations to take steps to protect the security and privacy of individuals. Moreover, organizations have to regularly monitor these security measures to ensure they remain relevant and up-to-date. Some laws and frameworks that have helped maintain individual privacy and security are GDPR, SOX, SOC, HIPAA, PCI DSS, and more.
To keep pace with emerging technologies and the risks they pose to security and privacy, governments and industry bodies are formulating new laws. In this article, we will look into these emerging laws and their impact on organizations and the wider job market.
Digital Operational Resilience Act (DORA)
DORA is EU legislation that entered into force on 16 January 2023 and will apply from 17 January 2025. It aims to improve the security of IT systems in banks, insurance companies, and investment firms. Its provisions ensure that European financial institutions remain operationally resilient to ICT disruptions.
Key Provisions
- Financial entities must implement comprehensive ICT risk management frameworks.
- They must report significant ICT incidents to the competent authorities.
- They must regularly test their digital operational resilience capabilities, including through penetration testing.
- They must manage the risks associated with third-party ICT service providers.
California Privacy Rights Act (CPRA)
CPRA extends the existing California Consumer Privacy Act of 2018 and came into effect on 1 January 2023. This law established a nodal agency called the California Privacy Protection Agency and vested it with full administrative power, authority, and jurisdiction to enforce the Consumer Privacy Act. The agency also has the right to update existing regulations and create new ones as needed.
Key Provisions
- Provides additional protections for sensitive personal information.
- Consumers have the right to correct inaccurate personal information.
- Enforces strict requirements for businesses to include specific terms in contracts with service providers and contractors.
- Creates regulations around automated decision-making and profiling.
China’s Personal Information Protection Law (PIPL)
The PIPL is a new data privacy law in China that protects personal information and addresses personal data leakages. It applies to individuals and organizations that process the Personally Identifiable Information (PII) of Chinese residents, whether inside or outside China.
Key Provisions
- Enforces strict requirements for obtaining consent before collecting and processing personal information.
- Places restrictions and conditions on transferring personal data outside China.
- Provides rights for individuals to access, correct, and delete their personal data.
- Imposes significant fines for non-compliance, similar to GDPR.
New York State Department of Financial Services (NYDFS) Cybersecurity Regulation
The New York State Department of Financial Services enacted the NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, on 1 March 2017. It applies largely to the financial sector and ensures that these companies have the cybersecurity protections needed to prevent unauthorized access and cyber-attacks.
Key Provisions
- Requires a comprehensive cybersecurity program based on risk assessments.
- Requires every covered organization to appoint a CISO responsible for implementing and overseeing the cybersecurity program.
- Requires due diligence on, and monitoring of, third-party service providers' cybersecurity practices.
- Requires organizations to report cybersecurity events to NYDFS.
EU Whistleblower Protection Directive
This directive came into effect in December 2021 and aims to protect individuals who report breaches of EU law. It requires member states to provide effective channels for reporting violations in both the private and public sectors. More importantly, it mandates protection for whistleblowers, preserving their confidentiality and shielding them from retaliation.
Key Provisions
- Mandates member states to establish secure and confidential internal and external reporting channels.
- Protects against retaliation for whistleblowers, including legal protections and support.
- Requires timely follow-up on reports received through the designated channels.
- Covers a wide range of EU law breaches, including those related to public procurement, financial services, and environmental protection.
European Union AI Act
Prompted by the growing use of AI, this significant act aims to create a legal framework for AI use within the EU and is regarded as the first comprehensive AI regulation. Under this legislation, AI systems are divided into risk tiers: unacceptable risk, high risk, and no risk.
Key Provisions
- Categorizes AI systems into different risk levels (unacceptable, high, limited, and minimal) with corresponding regulatory requirements.
- Obligates providers to ensure transparency and provide information about how AI systems operate.
- Requires high-risk AI systems to undergo conformity assessments against specific requirements before they are placed on the market.
- Establishes procedures for market surveillance to monitor AI systems post-deployment.
Now that we’ve seen the emerging laws and regulations related to GRC, let’s look at how they can impact organizations and GRC professionals.
Impact on Organizations
Organizations must adjust their existing strategies to comply with these emerging laws. Below are some areas where there could be a substantial impact, depending on the organization’s location, current processes, and the nature of the industry.
Compliance Changes
Organizations will have to create new policies or adapt existing ones to meet these new regulations. Along with these changes, they will also have to create the necessary documentation and provide training to employees to help them understand the new provisions and comply with them. In some cases, they may also have to invest in new technological tools to meet data protection, cybersecurity, and AI regulations.
Risk Management
Along with enforcing processes and policies, organizations must also have measures in place to verify compliance. This could require regular risk assessments to identify compliance gaps and plans to mitigate them. Moreover, organizations will need systems that let them respond quickly when compliance issues arise.
Budgets and Resources
To comply with the emerging GRC regulations, organizations may need larger budgets and more resources. Depending on the legislation and its compliance requirements, organizations may need skilled Data Protection Officers (DPOs), compliance officers, risk managers, AI ethics specialists, cybersecurity experts, and more. Identifying and retaining these employees can entail substantial costs, and organizations must plan for them.
These are the main ways emerging GRC laws can impact organizations.
Impact on the Job Market
Besides organizations, GRC laws can impact the job market, as they increase the need for specialized GRC professionals. Demand for the training and certifications that define their competence is also likely to grow.
Existing GRC professionals can prepare themselves for these laws in the following ways.
- Earning certifications in specific areas of GRC, such as data protection and cybersecurity.
- Participating in advanced training programs and workshops focused on new regulations.
- Attending industry conferences and seminars to stay informed about regulatory developments and best practices.
In these ways, emerging legislation can impact job seekers, GRC professionals, and the job market as a whole.
Final Thoughts
Emerging GRC laws and regulations can impact organizations and individuals. While organizations may require changes in compliance strategies, risk management practices, and data management policies, GRC professionals will have to update their knowledge and understand these emerging provisions. These regulatory changes also create a ripple effect in the job market, increasing demand for specialized GRC professionals and offering new opportunities for career growth and professional development.