This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

The landscape of data privacy law has changed significantly over the last five years. With the General Data Protection Regulation (GDPR) going into effect in the EU in May 2018, data privacy compliance obligations forever changed for companies around the globe. For the first time, companies had to recognize new rights for consumers regarding their personal and sensitive data or face serious penalties.

Now, the next major legislation to impact data privacy obligations, the California Consumer Privacy Act (CCPA), is set to go into effect as we enter 2020. Yet again, many companies are rushing to review their compliance measures. And with no fewer than 16 additional privacy laws currently under consideration in states across the nation, companies need to be positioning themselves for ongoing compliance as the new way of doing business.

Rather than trying to institute changes to comply with every new privacy law as it emerges, a better approach is to view data privacy as an overall framework and adopt a holistic response to compliance with the built-in flexibility to constantly adapt to an ever-changing legal landscape. By doing so, companies will be well positioned to create systems that customers trust, employees understand and auditors respect.

|

Data Privacy Laws Affirm Consumers' Control of Personal Data

While the specific requirements of the various privacy laws may differ slightly, the existing laws and those to come share the same underlying drive for increased protection of data and consumer rights. Lawmakers are now giving consumers greater control over their information, particularly as some of the world's largest corporations have experienced massive data breaches or been accused of improper use of data.

The passing of the GDPR and CCPA has handed consumers new powers of ongoing ownership of data and an increasing awareness of its value. Those responsible for building and maintaining data management systems that are compliant with data privacy laws should approach decisions with an aim of thorough and broad support for consumers as data owners.

Right to Know

Under both the GDPR and the CCPA, individuals have the right to know exactly what data companies have collected about them, as well as why it's collected and anyone with whom it will be shared or sold. As a result, companies need to have clearly stated privacy policies that explicitly outline what data is being collected and for what purpose.

Right to Opt Out

The GDPR offers consumers the right to restrict the processing of personal data, and the CCPA offers a specific opt-out on the sale of personal data.

Data Portability

The GDPR specifically requires that organizations have the ability to provide a consumer with individual personal data upon request or to a second data controller.

The CCPA does not enumerate an explicit right to data portability, but on request, a consumer has the right to receive personal information delivered by mail or electronically. If delivered electronically, information must be portable and in a readily usable format.

Right to be Forgotten/Right to Deletion

Both the GDPR and CCPA, as well as many new data protection regulations on the horizon, require organizations to delete personal information upon consumer request or when that data is no longer needed to conduct business.

|

Know Your Data

Once you're confident in your data collection and storage processes, it's crucial to get to know your data — what you have, where it is and how it's stored. Compliance with GDPR or CCPA obligations is nearly impossible if you can't efficiently access the entirety of your data exactly as needed.

Trying to organize data across disparate systems and platforms is a losing battle for most companies. Instead, you need to store and be able to access your data according to its owner, origin, location, governing regulation or other relevant criteria. The best way to achieve that goal is by creating data maps and maintaining them as your universe of data grows and changes.

Data mapping is the most effective way to standardize your data across all your global sources so you always know exactly what you have and where it is if you need to get to it in order to comply with privacy regulations. Data mapping will also tell you who is using your data, how and why, as well as if or when a particular piece of data was moved or destroyed. AI-powered solutions can capture the necessary information to create a comprehensive data map in far less time and with far greater accuracy than manual processes allow. Data maps put you in an optimal position to comply with GDPR and CCPA provisions that require you to always be able to demonstrate that you know your data and have a process for properly handling it throughout its life cycle.

|

Know Your Data Processes

The more data you have, the more challenging it becomes to maintain a clear, updated picture of who owns, controls, manages or can access any given piece of that data.

To be in full compliance with applicable privacy laws, companies need an effective way of handling new data in order to identify the date of consumer consent for collection, the method of consent and records of any requests for access to that data, restrictions on it or deletion of it. You need to develop a system that will analyze all your data so you know what is there, where it is, why and how it was collected, how it has been or will be used, how long you intend to keep it and to whom it's sold or shared.

Today's AI-powered solutions exist to help companies organize their data by source and transform it into a usable form that provides all the consent and access information the laws require. Systems that incorporate machine learning and other technologies have the ability to sort through massive volumes of personal data to efficiently identify and organize it in a way that manual processes could never match, showing clear proof that companies are meeting their data protection obligations.

Control Access to Personal Data

Given that the data protection laws are aimed at ensuring data subjects' privacy, it should come as no surprise that all the major data privacy regulations have strict requirements regarding who should be accessing the data and for what purpose. The GDPR and other regulations require companies to maintain clear records of their data-processing activities, and that includes who had access to personal data, who was involved in the processing of that data and what the intent of the processing was.

The best way to meet your compliance obligations is to always know who has the ability to access your data and restrict that access to only those employees responsible for data processing and upkeep. Furthermore, that restricted list of employees should be fully trained — and regularly retrained — on your company's compliance obligations under the various data privacy laws.

|

Establish Data Maintenance Procedures

Once you understand the far-reaching obligations of the GDPR, CCPA and other privacy regulations, it's important to implement data maintenance procedures that are broad enough to comply with all of them, not just each new one as it goes into effect.

First, you need clearly defined roles for data handling and management, with support from the highest levels of the organization. Under the GDPR, with a few exceptions, companies must appoint a data protection officer to perform certain key data maintenance tasks, report to management and be accessible when data subjects have questions or requests regarding their personal information. Companies should also establish larger, cross-functional teams that are responsible for establishing organizational policies for data protection, which should include new employee training, ongoing retraining and quarterly audits to ensure that policies are being followed.

In addition to auditing your internal processes, you should regularly audit your third-party partners and vendors that might have access to your data and ensure that their procedures are also in compliance. Third parties are a potential point of exposure, and their access to your data — even essential access — can create serious security implications. Knowing where your data is at all times includes keeping tabs on which third parties have access to it and what they're doing with it.

Finally, you should continually review and revise the notices on your website that tell data subjects how, when and why their data is being collected, their rights to opt out or have their data deleted and how long you plan to keep the data. Given the serious regulatory implications of handling personal data, you should never hold on to more data than you need or keep data longer than is essential. Store only the data that's necessary to do business — the last thing you want is to be found noncompliant for data you don't even need.

|

Take a Holistic Approach to Secure Personal Information

The requirements of the various privacy laws are extensive, and while they overlap in large part, each law has its own nuances that can be difficult to track. For this reason, the most effective plan is to incorporate a holistic approach that adopts extensive security measures as the established way of doing business — what the GDPR refers to as data protection by design and default.

Incorporating top-notch data security measures is the best way to protect your organization's business data while at the same time safeguarding consumer data as required by law. Data should always be encrypted, stored in the same way and archived or deleted according to your established procedures. Your company should constantly monitor for malware and other cybersecurity threats, and all apps, software and systems should be regularly updated to eliminate unnecessary security risks. Private or third-party cloud hosting is one effective way to ensure encryption and the ability to monitor data handling at all times.

Employee Training and Communication Ensure Compliance

Employees are your first line of defense in the personal data protection effort. In most companies, employees in sales, marketing, customer support, accounting and other departments have contact with consumers and their data.

Though neither the GDPR nor CCPA specifically calls out employee training requirements, the development of a knowledgeable, privacy-aware workforce is imperative. An effective training program can include data privacy law education, internal data protection policies and processes, cybersecurity awareness and incident response planning. With this approach, the organization will be better prepared for holistic compliance with the data protection regulations of the GDPR, CCPA and any future state and global data privacy regulations.

*****

Tomas Suros is a technology advocate working at the intersection of IT and client consulting. With AbacusNext since 2004, he currently serves as chief solutions architect, guiding firms through the process of identifying forward-facing technology options and ensuring the successful implementation of a tailored solution.