We’re talking about the big picture of geopolitical instability that characterizes the legal and regulatory landscape.
In addition, Gorge talks about the likely increase in heightened privacy regulations, the extent to which the UK and EU will diverge from each other in General Data Protection Regulation (GDPR) and other regulations, and the effects of instability on data held in certain countries.
Antony Adshead: What are the key things to watch for IT and compliance in 2023?
Matthew Gorge: First, we have to look at what happened in 2022. It was a very busy year for cyber security, compliance and storage.
It’s been a year that has been driven primarily by geopolitical shifts, and we’ve put a lot of emphasis on protecting critical infrastructure – that is, protecting everything we take for granted, like the access to water, electricity, banks, police, health systems, etc.
Many countries have started upgrading or updating their critical infrastructure protection regulations. For example, we have seen NIS 2 go out. We have also seen some US states focusing on this.
We have also seen a number of attacks around the world and an increase in cyberattacks from Russia to the west, primarily the UK, France, Ireland, US and Australia.
I think we can expect more privacy regulations in 2023. In fact, the International Association of Privacy Professionals has mapped out regulations that they believe will be released in 2023, 2024, 2025. We see a lot of state regulations in the US, but we also see changes coming in terms of the fit between the UK and the EU [in relation] to GDPR.
The UK is now out of the EU, and as such the Information Commissioner’s Office can go their own way, and they have been, so there’s a big question mark on whether the match between the UK GDPR and the EU will continue. It’s going to be an interesting year or two.
Adshead: What are the key implications of the compliance landscape for data storage and protection in 2023?
Gorge: Once again, we come back to basics. We need to know where our data is. We have seen many large organizations [looking at] where their data is and doing tabletop exercises to find out what would happen if they were to leave a country.
Whether that country is the UK, Ukraine, Russia, China or Taiwan, it doesn’t really matter. If you know you have data in countries where regulations are likely to change, or where there is turbulence, you need to know how this affects storage and compliance.
What I mean by that is what if one morning you were to lose that data? You may have a backup, but that data is on cloud assets in a country where you no longer have jurisdiction. So you need to consider where your data is, what kind of data you have and where, and how you protect that data. Do you save it in the same country? Do you back it up with another cloud provider? You need to talk to your cloud providers to verify [your data] is not in countries or jurisdictions where new regulations may be issued.
But new regulation isn’t necessarily a bad thing – you just need to know what it means for your data. It’s about mapping your ecosystem and understanding where you have your data and what you need to do to stay compliant and have access to that data.