Preparing for Increased Data Privacy Regulations

Privacy continues to be an increasingly heated battleground with government regulation on one side and big tech on the other. GDPR kicked off the first major data protection and privacy regulation in the EU with its introduction in April 2016, but since then the United States and other countries have been waging their own war to protect the needs of individuals.

For years, consumers have been willing to give their data away in exchange for some kind of service or benefit. Social media behemoths like Facebook, Twitter, Instagram, and now TikTok are the most obvious example of users trading personal information for service(s).

In June of 2018, the California Consumer Privacy Act (CCPA) was signed into law to enhance privacy rights and expand consumer protection for its residents; it was followed by the California Privacy Rights Act in 2020. Virginia passed its Consumer Data Protection Act (CDPA) in March 2021 and Colorado quickly followed with its own consumer privacy act in July 2021. While each state’s legislation differs slightly when it comes to specific definitions and requirements, it’s clear that privacy regulation initiatives are gaining traction across the United States. The International Association of Privacy Professionals (IAPP) has a U.S. State Privacy Legislation Tracker that shows the momentum growing from two states proposing privacy legislation in 2018 to twelve in 2019, sixteen in 2020 and twenty-one so far in 2021.

Without a standardized federal privacy policy in place, enterprises doing business across the United States need to manage information security to ensure adherence to a smorgasbord of variable definitions and requirements for data privacy. The growing volume of data captured for daily business transactions and customer interactions creates a formidable challenge: Organizations must navigate the patchwork of data collection, data tagging and data security processes to remain in compliance.

Preparing for the Future Requires an Effective IT Security Strategy

Understandably, organizations are looking to technology to help them automate compliance with these data security and privacy regulations. However, as any IT professional knows, rolling out any major technology solution can take three months or more—sometimes as much as a year—which leaves the business vulnerable to considerable fines and potential damage to brand reputation in the interim. And with new privacy regulations being introduced every year, typically with a two-year grace period window before actually taking effect, companies need options that can help them streamline and automate data privacy on an enterprise-wide scale.

Let’s look at an example. The Colorado Privacy Act, which passed in July 2021 and takes effect in July 2023, legislates that individuals have the following rights when it comes to their data: Right of access, right to correction, right to delete, right to data portability and the right to opt out. From a consumer protection perspective, this is the right thing to do, but how can this be technically achievable for organizations in a practical way?

The right of access requirement means organizations must give consumers the right to know whether a business is processing their personal data. To determine this, an enterprise must be able to locate and identify what personal data about the individual exists within its datastores, be it in the cloud or on-premises. The tools for finding and identifying personal data stored in different locations can differ, complicating an already tall order for businesses. To simplify and streamline the workload for IT security and data management teams, any option being considered must support both on-premises and cloud environments.

Next, the solution must have individual levels of control for each consumer to support their right to opt out. Teams responsible for managing data privacy controls need to seek out tools that provide automated, machine learning-assisted methods to discover and classify sensitive data, and to evaluate scalable, practical options for preventing unintended access. In addition, organizations must provide the ability to mask or encrypt data to enable safe, intentional access. Data privacy teams also need to be prepared for regulatory changes and to apply different rules and regulations when consumers are in different states.

Why Hedging Bets on Global Privacy is Risky Business

It’s clear that regulators are getting serious about penalties for privacy violations. GDPR penalties of €225 million were issued to WhatsApp/Facebook alone in September 2021 due to the lack of clarity on how personal data was being stored, what was used, what categories of data were being processed and for what purpose. Amazon’s €746 million fine in July 2021 was double any previous GDPR fine to date.

The average consumer today is much more aware of their rights to manage their personal data than ever before. Clearly, that is manifesting itself in the increasing number of data privacy regulations across multiple states. It is inevitable that controlling access to sensitive personal data will impact an organization’s ability to maintain customer trust, ensure regulatory compliance and avoid financial penalties. Enterprises need to strategically plan and evaluate technology options today to ensure their information security and data management initiatives can meet evolving requirements for today and tomorrow.

Balaji Ganesan

Balaji Ganesan is CEO and co-founder of both Privacera, the multi-cloud data access governance and security leader, and XA Secure, which was acquired by Hortonworks. He is an Apache Ranger committer and member of its project management committee (PMC).