Author: Gerald Beuchelt.
Two years have passed since the General Data Protection Regulation (GDPR) came into force. This legislation placed the privacy conversation front and center in capitals and board rooms around the world. Since then, we have seen heightened sensitivity around data privacy and security, with over 100 countries and states rolling out regulations of their own.
The new data protection regulations were meant to change the status quo for how companies handled consumer data, but the COVID-19 pandemic has undoubtedly changed the data landscape. Major disruptions in business continuity caused companies to quickly pivot to online services, as well as move employees to remote environments. This increase in online activity raises more questions on how regulations will be adjusted in the months to come.
The Data Privacy and Protection Landscape
Thanks to the GDPR, both consumers and businesses started to acknowledge the need to improve how data is sourced, maintained, and secured. Although the increasing number of regulations demonstrates the willingness of governing bodies to advocate for consumers, the complexity of all the different mandates also creates challenges.
In the case of the U.S., the California Consumer Privacy Act (CCPA), whose enforcement was due to begin on July 1st, is the strongest consumer privacy law the country has so far. Just as with the GDPR, organizations need to think about what this will mean for their current data compliance practices. Here are a few questions organizations should be considering.
Who Leads the Efforts?
Data protection and privacy have long been siloed within the company. Now, with the added complexity and all the different elements of the new regulations, it is time to take a holistic approach, one that involves inter-department communication. Although every company is different and will need to adjust the team, a good starting point is bringing IT, security, human resources, and marketing together, with an open line of communication led by the legal team. The legal team has the expertise to construct a framework that encompasses the specific needs of the business, employees, and consumers, and can match those needs with the requirements of laws and regulations to stay compliant and avoid liabilities. It is easier said than done, but communication is paramount in order to know what data is stored and for how long, which data is essential, how to maintain it, and when to delete it.
How Can We Ensure Compliance with the CCPA and Other Regulations?
The complexity of restrictions and geographies has a big impact on how organizations stay compliant. We are witnessing more and more fragmentation as different regulations are approved without being uniformly applied. For example, local businesses can adhere to their state regulation, but if they want to expand, they have to address other potential regulations in other regions. Nationwide or global companies are likely to adhere to the most restrictive norms, trying to ensure they can maintain compliance everywhere they do business.
What Budget is Needed to be Compliant and Prepare for Any Setbacks?
In the past few years, businesses have had to invest deeply in new processes and technologies to comply with the GDPR. For small to medium-sized businesses operating with fewer resources, this can result in added challenges for implementation and compliance. With the CCPA providing civil penalties of up to $2,500 per violation (up to $7,500 per intentional violation) and statutory damages for breaches of $100 to $750 per consumer per incident, it is paramount for organizations of all sizes to make the investment, at least in key items like a data audit, technology that helps with data classification and breach notifications, and obtaining consent.
Is This the Start of a New Way of Thinking About Data Privacy?
Although we haven't seen changes to current regulations, enforcement seems to have slowed down. This is not necessarily because regulations have become softer or regulators have forgotten the importance of privacy, but because the entities administering those regulations face the same challenges as every other organization. Limited resources mean limited ability to enforce. The shift to remote work and reduced access to information have affected regulators' priorities, with fewer people available to monitor and act.
The handling of consumer data has also shifted in the past few months. The pandemic has created a new standard for safety all over the world. Public health surveillance and maintaining people's safety have become the main priority for every country. We still need to see how regulators will address the collection and record-keeping of sensitive information by governments in response to the coronavirus, and for how long that information will be retained.
Like everything else, our perception of data and privacy is changing and will be very different when we emerge at the end of the COVID-19 crisis. But one thing that shouldn't change is how we approach data inside the company: understanding what we hold, and understanding how regulations in many places can affect the business.
It will be interesting to see how regulators continue doing their work in the coming months. Health will continue to be at the top of everyone’s minds, and in light of this, many wonder how and if privacy requirements will affect governmental agencies. Will they be exempt from any repercussions, and if so, what precedent would this set for the future? We will have to wait and see. In the meantime, let’s not forget that the CCPA is already here, and everyone within the company should become a data gatekeeper.