Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

Eight Steps to Data Privacy Regulation Readiness

This May marks the first anniversary of the European Union (EU)’s General Data Protection Regulation (GDPR) having taken effect. The first statute of its kind, GDPR was a response to an increasing number of security breaches and the exposure of billions of records containing the personal details of countless individuals as a result.

This May marks the first anniversary of the European Union (EU)’s General Data Protection Regulation (GDPR) having taken effect. The first statute of its kind, GDPR was a response to an increasing number of security breaches and the exposure of billions of records containing the personal details of countless individuals as a result. Its purpose was to define “personal data” and put the onus on companies handling storing, and using consumer data to protect it from being inadvertently disclosed or face significant liability in the form of fines for mishandling company-held personal information (under GDPR, authorities can issue a maximum fine of either €20 million or 4% of total global revenue, whichever is higher). In the lead up to its implementation, companies worldwide scrambled to understand and prepare for GDPR’s potential implications. A failure to demonstrate compliance can have a material impact on the organization.

However, it’s not just GDPR. Now with similar legislation taking effect early next year in the form of the California Consumer Privacy Act (CCPA) and Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), organizations will be racing once again to get up to speed, and in compliance. Additionally, other ordinances aimed at boosting cyber resiliency, like the Australian Prudential Regulation Authority (APRA), put further pressure on organizations to quickly and effectively respond to security breaches.  

Breaches on the rise 

According to the Identity Theft Resource Center, there were more than a thousand publically reported breaches in 2018 amounting to more than 400 million records exposed (and breaches are almost certainly under-reported). The past month alone saw 79 recorded data breaches contributing to the exposure of more than 3 million sensitive records. With numbers like these, the rationale driving these international, national and state privacy obligations is plain to see; currently Hawaii, Massachusetts, and Washington are also considering state laws concerning data protection and privacy. Subsequently, organizations will increasingly be required to offer more transparency about how they collect, organize and protect customer data, while giving consumers the ability to easily opt-out or remove identifying information while internally ensuring effective controls are in place to protect information assets.

As the definition of “personal data” encompasses essentially anything that may be used to identify an individual – from a job application, to browser histories and IP information – the scope of information companies must safeguard is enormous, notably, the CCPA “personal information” protections include information about devices and households. 

Lessons Learned 

The good news is that companies can leverage the lessons learned and investments made in preparation for GDPR to expedite compliance for these and future related regulations. Outlined below are eight steps to develop a repeatable framework for protecting data likely to fall under new and existing data privacy regulations.

1. Scope Your Data: Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (as a Controller), as well as data your process on behalf of other organizations (as a Processor). These regulations are designed to protect citizens’ and/or residents’ data, regardless of where it resides. 

Advertisement. Scroll to continue reading.

2. Understand Data Transfer Agreements: Businesses need to clearly understand in which jurisdictions data is being held and from which it’s being accessed to ensure any transfers are accounted for properly and accurately. For instance, under GDPR EU citizens have the right to request a data controller transfer their personal data to another data controller, while the CCPA requires businesses provide personal information in a readily useable format that consumers can transmit from one entity to another.

3. Update Consent Methods or Legal Basis for Processing: Update the methods via which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of data protection principles has been respected. Both GDPR and the CCPA require notification to consumers of privacy practices (prior to or at time of data collection), as well as changes to privacy practices, and specific rights applicable to children.

4. Prepare for Subject Access Requests: Individuals can already request to see a copy of the information an organization holds about them. Under GDPR, businesses cannot charge EU consumers for access of data that may be held and must respond within one month of receiving the request; under the CCPA businesses are required to respond within 45 days. Additional consumer privileges include ‘the right to be forgotten’.

5. Plan for Notification: Under GDPR, data controllers are required to notify the national data protection regulator within 72 hours of a “breach.” This applies when the “data breach is likely to result in a high risk to the(ir) rights and freedoms.”  California has a separate, preexisting, data breach notification law, separate from the CCPA, requiring businesses or state agencies to notify residents when their personal information has or has reasonably believed to have been breached “in the most expedient time possible and without unreasonable delay”. Should a single breach impact more than 500 California residents, notification must then be made to the state’s Attorney General.

6. Amend Your Contracts with New Obligations: The legal contracts and policies must reflect suppliers’ obligations to their clients, including consent and requirements. Unlike GDPR, the CCPA does not detail these requirements, but it does obligate businesses to direct their service providers and vendors to delete personal information from their records following a consumer’s request. 

7. Revise Your Privacy Policies and Statements: Ensure that the privacy policies and statements to consumers appropriately reflect obligations. Policies should be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups.

8. Designate a Data Protection Officer: A Data Protection Officer (DPO) or similar individual must be designated under GDPR. This applies to organizations that store a large amount of information about employees or other individuals. In particular, the rule applies to public authorities or those organizations that carry out large-scale monitoring of individuals. Though not similarly required under the CCPA, businesses are expected to implement and maintain “reasonable security practices and procedures” like malware defenses, penetration tests, and data recovery capabilities, among others. Designating a Data Protection Officer can help to ensure these practices and procedures are performing properly.

Both GDPR and the CCPA significantly impact organizations and entities collecting and processing personal data, and violations of either have the potential for considerable economic liabilities. With more legislation expected, every company should ensure they have a robust framework in place along with strong data mapping capabilities to both understand what information they’re collecting, by whom, how it’s being disclosed, and how best to ensure they’re responsive to both consumers and requirements under the law.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...