Different countries, states, and industries are enacting privacy regulations that significantly increase the requirements for organisations that handle data as part of their operations. The responsibilities, liabilities, and fines attached to data breaches and non-compliance grow every year. This article sheds light on how to manage the changing regulatory landscape and offers ideas for proactively preparing for future changes.
Core Data Privacy Law Concepts
The world of data privacy legislation compliance is an incredibly complex web that can be overwhelming to process when viewed granularly. To better understand data privacy laws, it helps to know the common intents they tend to share.
Though the exact wording varies slightly from one piece of legislation to another, data privacy laws generally define terms of a similar nature.
- Personally Identifiable Information (PII): Any information that can potentially be used to distinguish an individual’s identity. This includes (but is not limited to) names, addresses, medical records, and in the case of GDPR even internet cookies used in web tracking.
- Data Subject / Data Principal: The individual that will have their data collected. They could be a customer, website visitor, or another sort of consumer.
- Data Controller / Data Fiduciary: The entity that acts on behalf of another entity to determine the purpose of the data collection and how it will be processed.
- Data Processor: The third party that processes the data collected by the data controller.
Common Themes in Data Privacy Laws
Data privacy laws are enacted to give consumers greater protection, awareness, and control over their data. The exact mechanisms for how this goal is accomplished may vary, but it remains the principal motive for governments to impose data privacy regulations.
Judging by current privacy legislation such as CCPA, GDPR, and HIPAA, data privacy laws can be expected to come with some combination of the stipulations in the list below:
- Consent: Whether opt-in or opt-out, informed or implied, consent will be a key determiner for compliance with future data privacy laws. When feasible, the best practice will be to ensure that data subjects are provided with the option to give informed consent before their data is collected.
- Responsibility for Third Parties: Data controllers relying on a third-party data processor will more often than not be held accountable for breaches of the data. Controllers must take great care to audit any third parties they intend to share data with.
- Data Breach Reporting: Entities that store sensitive data will continue to be responsible for the timely reporting of any breach of that data.
- Penalties: Non-compliant organisations will face penalties in the form of fines or lawsuits from the governments and individuals that entrust the entity to act responsibly in the handling of PII.
Complexity With Overlapping Data Privacy Laws
Preparing for the future of data privacy is no small feat, particularly as a mix of local, federal, and cross-jurisdiction data privacy legislation develops and increases the complexity of compliance. Organisations that become subject to overlapping data privacy laws will need to remain hyper-vigilant about their situation to ensure they perform their due diligence.
While the CCPA has exemptions for organisations that are regulated by HIPAA, a California-based healthcare organisation could find aspects of their operations subject to a mix of CCPA, HIPAA, and GDPR. Further regulations that begin to apply to such an organisation will be difficult to manage if jurisdictions do not develop regulations and amendments with existing legislation in mind.
Steps to Prepare for Future Data Privacy Laws
Preparing for the future of data privacy starts with meeting the needs of the present. Proactive planning, leveraging external specialised resources, and modifying operations to prioritise the protection and responsible handling of data will greatly assist in preparing for the future.
Appoint a Data Protection Officer (DPO)
GDPR requires many organisations to appoint a DPO to monitor the organisation’s data protection compliance and advise the organisation of its data protection obligations. Organisations that are not required to appoint a DPO may still wish to invest in a similar role or service that specialises in data security and privacy compliance.
Privacy by Design
The key to easing the growing pains of future data privacy laws is to make privacy a priority from the start. By making privacy the default operation, organisations that rely on data will be far more agile in responding to developments in legislation.
A Privacy by Design approach follows 7 foundational principles:
- Proactive and Preventative, Not Reactive and Remedial
- Privacy as the Default
- Privacy Embedded into Design
- Full Functionality – Privacy and security work together without trade-offs
- End-to-End Security – security through the entire lifecycle
- Visibility and Transparency
- Respect for User Privacy
By prioritising privacy, organisations will qualify for competitively advantageous compliance certifications such as Privacy Shield and Privacy by Design.
Policies & Procedures
Organisations must thoroughly plan and understand how they interact with data as part of their operations. These plans should be reviewed quarterly to ensure they remain compliant with the latest developments.
Areas of focus:
- Incident Response Plan: Data breaches are a matter of when, not if. A detailed incident response plan sets out the responsibilities and procedures to be carried out in the event of a data security incident.
- Data Minimalism: With the emphasis on data processors and controllers having responsibility for the safe handling of data, minimising the amount of data that is processed and kept is a must.
- Data Auditing: To properly plan for evolving data management needs, organisations need to thoroughly understand the role that data has in their operations.
- Data Classification and Categorisation: Following the data audit, organisations will better understand their data processing pipeline and be in a position to identify the nature and sensitivity of the data they are responsible for. This process will help greatly in the event of a Data Subject Access Request (DSAR).