We talk about the big picture of geopolitical instability that characterises the legal and regulatory landscape.
Also, Gorge talks about the likely increase in privacy regulation, the extent to which the UK and the EU will diverge from each other on the General Data Protection Regulation (GDPR) and other regulations, and the effects of instability on data held in particular countries.
Antony Adshead: What are the key things to look out for in IT and compliance in 2023?
Mathieu Gorge: First, we need to look at what happened in 2022. It was a very busy year for cyber security, compliance and storage.
It was a year that was essentially driven by geopolitical changes, and we saw a lot of emphasis on critical infrastructure protection – ie, protecting all the things we take for granted, like access to water, electricity, banking, police, health systems and so on.
Many countries have started upgrading or updating their critical infrastructure protection regulations. For example, we have seen NIS 2 coming out. We’ve also seen some states in the US focusing on that.
We also saw a number of attacks around the world, and a rise in cyber attacks coming out of Russia into the west, primarily the UK, France, Ireland, the US and Australia.
I think we can expect more privacy regulation in 2023. In fact, the International Association of Privacy Professionals has done a mapping of regulations it thinks will come out in 2023, 2024, 2025. We see a lot of state regulation in the US, but we also see changes coming up with regards to adequacy between the UK and the EU [in relation] to GDPR.
The UK is now out of the EU, and as such, the Information Commissioner’s Office can go in its own direction, and it has been, so there’s a big question mark as to whether adequacy between UK GDPR and the EU will continue. It’s going to be an interesting year or two.
Adshead: What are the key implications of the compliance backdrop for storage and data protection in 2023?
Gorge: Again, we go back to basics. We have to know where our data is. We’ve seen a lot of big organisations [looking at] where their data is and doing tabletop exercises as to what would happen if they needed to exit a country.
Whether that country would be the UK, Ukraine, Russia, China or Taiwan, it doesn’t exactly matter. If you know you have data in countries where regulation is likely to change, or where there is turmoil, you need to know how that impacts storage and compliance.
What I mean by that is what would happen if one morning you were to lose that data? Maybe you have a backup, but that data is on cloud assets in a country where you no longer have any jurisdiction. So, you need to map out where your data is, what kind of data you have and where, and how you protect that data. Do you back it up in the same country? Do you back it up with a different cloud provider? You need to talk to your cloud providers to check [your data] is not in countries or jurisdictions where there might be new regulation coming out.
But new regulation is not necessarily a bad thing – you just need to know what that means for your data. It’s all about mapping your ecosystem and understanding where you have your data and what you need to do to stay compliant and have access to that data.