This May marks the first anniversary of the European Union (EU)’s General Data Protection Regulation (GDPR) having taken effect. The first statute of its kind, GDPR was a response to an increasing number of security breaches and the exposure of billions of records containing the personal details of countless individuals as a result. Its purpose was to define “personal data” and put the onus on companies handling storing, and using consumer data to protect it from being inadvertently disclosed or face significant liability in the form of fines for mishandling company-held personal information (under GDPR, authorities can issue a maximum fine of either €20 million or 4% of total global revenue, whichever is higher). In the lead up to its implementation, companies worldwide scrambled to understand and prepare for GDPR’s potential implications. A failure to demonstrate compliance can have a material impact on the organization.
However, it’s not just GDPR. Now with similar legislation taking effect early next year in the form of the California Consumer Privacy Act (CCPA) and Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), organizations will be racing once again to get up to speed, and in compliance. Additionally, other ordinances aimed at boosting cyber resiliency, like the Australian Prudential Regulation Authority (APRA), put further pressure on organizations to quickly and effectively respond to security breaches.
Breaches on the rise
According to the Identity Theft Resource Center, there were more than a thousand publically reported breaches in 2018 amounting to more than 400 million records exposed (and breaches are almost certainly under-reported). The past month alone saw 79 recorded data breaches contributing to the exposure of more than 3 million sensitive records. With numbers like these, the rationale driving these international, national and state privacy obligations is plain to see; currently Hawaii, Massachusetts, and Washington are also considering state laws concerning data protection and privacy. Subsequently, organizations will increasingly be required to offer more transparency about how they collect, organize and protect customer data, while giving consumers the ability to easily opt-out or remove identifying information while internally ensuring effective controls are in place to protect information assets.
As the definition of “personal data” encompasses essentially anything that may be used to identify an individual – from a job application, to browser histories and IP information – the scope of information companies must safeguard is enormous, notably, the CCPA “personal information” protections include information about devices and households.
Lessons Learned
The good news is that companies can leverage the lessons learned and investments made in preparation for GDPR to expedite compliance for these and future related regulations. Outlined below are eight steps to develop a repeatable framework for protecting data likely to fall under new and existing data privacy regulations.
1. Scope Your Data: Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (as a Controller), as well as data your process on behalf of other organizations (as a Processor). These regulations are designed to protect citizens’ and/or residents’ data, regardless of where it resides.
2. Understand Data Transfer Agreements: Businesses need to clearly understand in which jurisdictions data is being held and from which it’s being accessed to ensure any transfers are accounted for properly and accurately. For instance, under GDPR EU citizens have the right to request a data controller transfer their personal data to another data controller, while the CCPA requires businesses provide personal information in a readily useable format that consumers can transmit from one entity to another.
3. Update Consent Methods or Legal Basis for Processing: Update the methods via which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of data protection principles has been respected. Both GDPR and the CCPA require notification to consumers of privacy practices (prior to or at time of data collection), as well as changes to privacy practices, and specific rights applicable to children.
4. Prepare for Subject Access Requests: Individuals can already request to see a copy of the information an organization holds about them. Under GDPR, businesses cannot charge EU consumers for access of data that may be held and must respond within one month of receiving the request; under the CCPA businesses are required to respond within 45 days. Additional consumer privileges include ‘the right to be forgotten’.
5. Plan for Notification: Under GDPR, data controllers are required to notify the national data protection regulator within 72 hours of a “breach.” This applies when the “data breach is likely to result in a high risk to the(ir) rights and freedoms.” California has a separate, preexisting, data breach notification law, separate from the CCPA, requiring businesses or state agencies to notify residents when their personal information has or has reasonably believed to have been breached “in the most expedient time possible and without unreasonable delay”. Should a single breach impact more than 500 California residents, notification must then be made to the state’s Attorney General.
6. Amend Your Contracts with New Obligations: The legal contracts and policies must reflect suppliers’ obligations to their clients, including consent and requirements. Unlike GDPR, the CCPA does not detail these requirements, but it does obligate businesses to direct their service providers and vendors to delete personal information from their records following a consumer’s request.
7. Revise Your Privacy Policies and Statements: Ensure that the privacy policies and statements to consumers appropriately reflect obligations. Policies should be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups.
8. Designate a Data Protection Officer: A Data Protection Officer (DPO) or similar individual must be designated under GDPR. This applies to organizations that store a large amount of information about employees or other individuals. In particular, the rule applies to public authorities or those organizations that carry out large-scale monitoring of individuals. Though not similarly required under the CCPA, businesses are expected to implement and maintain “reasonable security practices and procedures” like malware defenses, penetration tests, and data recovery capabilities, among others. Designating a Data Protection Officer can help to ensure these practices and procedures are performing properly.
Both GDPR and the CCPA significantly impact organizations and entities collecting and processing personal data, and violations of either have the potential for considerable economic liabilities. With more legislation expected, every company should ensure they have a robust framework in place along with strong data mapping capabilities to both understand what information they’re collecting, by whom, how it’s being disclosed, and how best to ensure they’re responsive to both consumers and requirements under the law.