Companies need to collect information on their audience, prospects, clients, and workforce because it allows them to make better products, better manage their offering, and have more efficient operations. They need to mine this information to be competitive. However, once information about people (or "personal information") has been collected, it is very difficult to ensure that it will not be misused or abused, be it for manipulation, surveillance or financial gain purposes.
Governments, worldwide, have had to step in and attempt to regulate the collection, dissemination and retention of personal information. In the business context, these laws aim at establishing a balance between companies' business or commercial needs and individuals' expectation to keep the details of their lives private and secure.
Today, most businesses struggle to meet a deluge of data privacy and cybersecurity laws, regulations, and guidelines. Those that fail to meet these laws risk investigations and enforcement actions by government agencies, as well as lawsuits by consumers or customers. This may translate into reputation disasters and significant expenses. US and foreign regulators have clearly indicated that they are ready to prosecute infringers, and assess substantial fines.
This article provides a "user's manual," which explains the unique structure of most data protection laws worldwide, and provides seven tips, to help make sense of the plethora of obligations created by these laws.
The global privacy landscape
Over 130 countries have adopted laws that incorporate privacy and security requirements ("data protection laws"). Most of these laws have common elements because they are based in significant parts on principles identified and established by the OECD, the Organization for Economic Co-operation and Development, in 1980 (updated in 2013). Among other things, these principles recognize that to enable international commerce, countries should provide levels of protection of personal information that are generally compatible with each other.
The United States is one of the few developed countries that does not have a national law that addresses the protection of personal information.
Most countries, including members of the European Union, have determined that the United States fails to provide "an adequate level of protection" for personal information and privacy rights, which has caused frequent tensions, and hampers international relations. The pressure to pass such adequate laws is increasing.
The GDPR effect
The adoption of the EU General Data Protection Regulation (GDPR) was a watershed moment; the most important new data protection
law in 25 years. It has been a catalyst to a wave of new data protection laws, such as those of Brazil, Thailand or Uzbekistan. Numerous US companies were surprised to find out that their interaction with residents of the European Union made them subject to GDPR; they rushed to attempt to meet GDPR requirements, with different levels of success.
Privacy in the United States
California adopted its Consumer Protection Act (CCPA) just weeks after GDPR entered into effect, with a goal of providing California residents with rights that resemble those provided by GDPR. The adoption of CCPA, in turn, pushed the country into privacy frenzy. A dozen states drafted copycat bills. Nevada passed amendments to its Consumer Privacy Act, which take effect on October 1, 2019. CCPA enters into effect on January 1, 2020. New York might be next. The expected inconsistency between upcoming state laws, is creating significant pressure for Congress to enact harmonizing privacy legislation.
The privacy tsunami
With the plethora of data protection laws, worldwide, businesses are facing a tsunami of financial, technical and organizational obligations that hamper their operations and drain their budgets. Except for regulated entities, such as financial institutions or healthcare organizations, most US businesses are ill-equipped to face the never-ending game of Privacy Law Whack-a-Mole that results from doing business in more than one state or country.
Seven tips to address the compliance challenges
Facing the global privacy law puzzle can be challenging. However, because of the significant influence of the OECD principles, most data protection laws, worldwide, have striking similarities. Taking the time to design a structure that addresses these similarities will prove useful. This base structure will serve as stepping stone to address the differences between those laws. Here are seven tips.
1. Understand the essential definitions
"Personal information" is not necessarily what you think it is. The definition has evolved over time. While definitions vary, most recent laws tend to use a very expansive definition; IP addresses, cookies, or customer profiles that are inferred from other data are now deemed "personal information" in some cases. When thinking of the protection of personal information, be prepared to throw a wide net.
2. Find out what you have and what you do with it
Data protection laws create rules for the handling of personal information. If you don't know what personal information you have and what you do with it, you cannot determine how a law affects your company. You must understand – and be able to communicate – the details of what information is collected, used, or transferred to others, where it is stored, how long it is retained, or whether it crosses borders. That understanding will help create a map of the company's activities, which will help identify legal obligations, and establish a plan to approach the applicable data protection law.
Keep in mind that information could be collected, used, shared in myriad ways: from a website, through mobile applications, in purchase orders, job applicants' résumés, or call center records. The information could be shared with, or disclosed to, numerous entities, service providers, business partners, and their respective service providers, business partners. Make your search as broad as possible. Make it often; things change frequently.
3. Communicate clearly what you do
Most data protection laws require entities that collect, process or share personal information to disclose their practice by publishing a privacy notice. These disclosures are expected to be clear and conspicuous, and easily understandable by everyone. The data protection laws , worldwide, have different requirements for the nature and content of these disclosures. Pay attention to them. Your published notice is your window to the world. Make sure it is accurate and meets your transparency obligations.
4. Be prepared to respond to individuals' requests
Most data protection laws grant individuals rights, such as the right to know what data you have about them, to have incorrect data corrected, to have illegally collected data removed, to block certain uses of information, or to have certain information removed or erased. You will have to understand the nuances of each specific right.
Your company must be able to respond to individuals' requests to exercise their rights within a limited time, (usually 30 to 60 days from the requested action), or provide good reasons why the request cannot be fulfilled. You will have to build or acquire the proper technologies, applications, record keeping systems and identity verification means that allow your company to verify the identity of the requesting party, and respond timely to their requests to exercise these rights.
5. Expect your company to have operational obligations
Most data protection laws require those that collect or process personal information to be data stewards and prevent harm to the individuals or their personal information. Your company is responsible, in whole or in part, for the data it collects, receives, processes or shares, and it must protect it.
This is achieved, for example, through data protection impact assessment, conducted ahead of a project, to determine the potential risks to the affected individuals. Preventing harm is also achieved through appropriate security measures that ensure confidentiality, integrity and availability of the data, and establish a structurcture for identifying and reporting data breaches. Harm could be caused by third parties, and therefore data protection laws require entering into contracts with third parties who may have access to the data to require they use the data only as requested, and adopt proper security measures.
6. Train, train, train your personnel and contractors
Personal information will be accessible to your employees and contractors. Most modern data protection laws require that personnel be trained. People who are adequately trained will play a significant role in making your company succeed and avoid serious errors. Treat them well, train them often; things change.
7. Return to #1, reevaluate, and update your tools and strategy
The privacy and cybersecurity legal and technical frameworks are constantly evolving. Business models change, technology changes, laws change. By the time a project is completed, it is necessary to revisit the privacy and security assessments, the safeguards, and the training attached to it as well as the disclosures made about it. For this complex ecosystem to work, it needs close attention, frequent audits, and appropriate enforcement. You have to spend time testing, auditing, monitoring, improving, and adapting your compliance structures.
In an era of internet and international communications, businesses tend to interact with individuals in multiple states or countries. Meanwhile, the number of privacy and cybersecurity laws, worldwide, keeps increasing. These laws have numerous similarities, but also important differences.
To be efficient and agile in an ever changing legal, economic and technical framework, businesses should consider approaching their privacy and cybersecurity obligations by focusing first on the common elements of the data protection laws that apply to them so that they can establish the essential technical and administrative structures to meet these common requirements. They can then focus, on a case-by-case basis, on the unique elements of the specific laws that apply to them. By taking advantage of the common base structure, and using it as a stepping stone to address these other requirements, they will be more efficient, save time and money, and have better chances to meet the applicable data protection laws.