Why a 'one-size-fits-all' approach to data classification won't deliver in an era of enhanced regulation
In 2018 the European GDPR irrevocably changed the whole data privacy landscape. Since it was implemented there have been a host of other privacy regulations such as CCPA, CMMC, and India PDP, coming into force around the world. In fact, just a couple of weeks ago the Colorado Governor signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation in the US and unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective.
Following the implementation of such data protection and privacy regulations, there have been plenty of high-profile cases and fines issued. This further underpins the need to ensure sensitive information is handled in the correct manner and reinforces that this is a government requirement that organizations can no longer ignore. For example, just this month British Airways settled a legal claim from some of the 420,000 people affected by a major 2018 data breach. The breach affected both customers and BA staff and included names, addresses, and payment-card details. The UK Information Commissioner's Office handed BA its largest fine to date -- £20m -- over the "unacceptable" failure to protect customers.