As our dear friend ChatGPT says, compliance is no longer restricted to checking boxes off a list. The cost of non-compliance is rising—not only in fines but also in reputational damage and legal liabilities. It therefore makes sense to check how the compliance landscape looks for the rest of the year, particularly as this year has been marked by events that point to clear noncompliance. That compliance norms are becoming more stringent is no longer an empty, inevitable line trotted out whenever a capability subject to compliance norms, such as data storage, is discussed; it is the reality. Countries like India have come up with their own data protection norms. Compliance is now a global imperative. From new AI governance laws in the EU to stricter personal data mandates in India and evolving state laws in the US, the regulatory environment is rapidly evolving. Let us take a deep dive into the situation.
The Current Situation
Let us be clear: the cybersecurity situation has not exactly been great this year. There have been a LOT of security incidents at big companies, the very companies we expect to understand their security posture and to have the means to keep improving it. There have been far too many breaches and hacks. It is only natural that compliance rules will be expanded in scope and tightened further. Here is a short list of key rules being introduced across the world:
- Digital Personal Data Protection (DPDP) Act, India:
Despite India being a top-five economy, its data protection situation has been a wild west. Nonconsensual calls pushing all kinds of products, with leads generated from data obtained outright illegally or through shady entities, remain a persistent headache. The act applies primarily to companies processing the data of Indian citizens. Noncompliance will result in fines of up to ₹250 crore (~$30 million USD) per violation. It also stipulates a mandatory consent framework, data localization, and stricter breach disclosures.
- Other countries in the Middle East & Africa are also focusing on implementing and further strengthening their data laws. The UAE introduced a federal data protection law that aligns with global frameworks. Saudi Arabia and Egypt have also strengthened sector-specific cyber mandates. Over 30 African countries have adopted or drafted national data protection laws.
- General Data Protection Regulation (GDPR) 2.0:
If the original GDPR gave a new meaning to the word stringent, GDPR 2.0 takes it up by several notches. The key changes include:
- Breach notification: fines for late or incomplete breach notifications have been increased. Organizations must report breaches within 72 hours or provide a valid justification.
- Automated decisions and AI: firms must clearly inform individuals when decisions are automated, and AI training datasets must meet GDPR’s lawful basis and purpose limitation rules.
- Data retention: blanket “retain everything” policies are non-compliant. Firms must set purpose-specific retention schedules and enforce automatic deletion.
- Cross-border transfers: transfer rules are being further reinforced, and supplementary safeguards such as encryption and pseudonymization must be documented.
- Children’s data: there is a stronger focus on protecting children’s data, with enforcement of stronger age verification and parental consent processes.
Fightback Against Newer Lures:
The rules above apply broadly. However, technological advances have turned some more critical domains into mainstream, lucrative targets. Along with finance, another prominent domain is Medicare. Increasing digitalization through connected medical devices has given rise to newer threats, and here they pose a real life-or-death risk. We have already seen ransomware attacks, and HIPAA has even released a list of such vulnerable devices as far back as 2023.
Naturally, countries and regions are coming up with new norms to counter this emerging menace. The European Union’s EHDS (European Health Data Space) is one such critical norm. The law mandates secure sharing and secondary use of health data. India is beefing up data security with its Ayushman Bharat Digital Mission. HIPAA has also rolled out new rules.
Emerging Trends to Watch
- Compliance-by-design is becoming standard for SaaS and mobile app development.
- AI in compliance management (RegTech) is gaining traction, helping firms monitor and interpret complex legal updates in real time.
- Calls for a unified global privacy framework are increasing, with the UN and OECD exploring baseline standards.
- Cyber insurance premiums are directly tied to regulatory preparedness and past breach history.
Final word:
Here is what QKS Group’s compliance expert Sahil Dhamgaye explains, “Compliance is no longer about alignment with static frameworks but about dynamic resilience. The increasing complexity in cross-border data flows, AI accountability, and healthcare digitalization is creating a multidimensional risk surface.” Sahil has these cautionary words: “Organizations that treat compliance as a product that is iterative, user-centric, and integratable across operations, will be the ones that stay ahead of both regulators and threats.”