understand what kinds of personal data or other sensitive data are being collected, as well as how they are being managed and protected.
With the introduction of data privacy laws such as the European Union’s General Data Protection Regulation and the California Consumer Protection Act, organizations are being told to reduce the risk of misuse of personal data by collecting only the data required for business purposes and then deleting or anonymizing the data when it is no longer needed.
Global Data Privacy Laws
New and revised laws continue to emerge in response to a need to understand what sensitive data is being collected and maintained, and how such data is being managed and protected.
- General Data Protection Regulation (GDPR) – Effective May 25, 2018, GDPR is specific to the European Union (EU). Penalties for noncompliance are the greater of up to €20 million or 4 percent of the organization’s global revenue. Since May 25, 2018, there have been 206,326 cases reported by supervisory authorities from 31 European Economic Area countries, with 94,622 of these related to complaints, while 64,684 were initiated by data breach notification. Fifty-two percent of these cases have been closed, and the total amount of fines currently imposed is €55,955,871 (equivalent to over $63 million).
- California Consumer Privacy Act of 2018 (CCPA) – Effective Jan. 1, 2020, the CCPA enforces enhanced privacy rights and consumer protections for residents of California. Noncompliance is subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation.
- Among other states, Washington is holding public hearings on the Washington Privacy Act. Vermont recently introduced a new data broker law. The Utah legislature passed a bill to protect electronic data that individuals keep with third parties.
- Australia proposed changes to its Privacy Act that would increase penalties and funding, while Egypt approved a draft law to protect personal data that is intended to be anchored in the country’s constitution. Brazil enacted the Brazilian General Data Protection Law, which goes into effect in August 2020 and is largely aligned with the GDPR. Spain published Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights, which adapts the Spanish legal system to the GDPR and further specifies or restricts the rules set out in the GDPR.
The evolution and refinement of data privacy laws will continue to create serious challenges. Here are just some of the common pitfalls:
- Ensuring that procedures, policies, and technologies are dynamic enough to keep pace with ongoing amendments to data privacy laws.
- Conducting thorough due diligence when adopting new technologies to better serve customers, while also mitigating risk.
- Continuously monitoring and auditing controls to ensure that they work effectively according to accepted standards.
Will There Be Federal Regulations?
The efforts to develop similar laws in the United States are ongoing. The U.S. Senate Committee on Commerce, Science, and Transportation has elected to gather small-business perspectives on a federal bill. This is critical because any resulting bill cannot take a one-size-fits-all approach. The GDPR and the CCPA have been discussed as a foundation; however, certain aspects of each have come under scrutiny. A lot of work still needs to be done before a federal bill is passed. One consideration is whether the Federal Trade Commission has the necessary resources to oversee and enforce such a federal privacy law.
Organizations need to take responsibility and act now to understand what data they are collecting, using, and disseminating. Here are some steps to help establish a foundation for a strong data governance and privacy program:
- Continuously assess the latest frameworks, standards, and best practices for data privacy and governance.
- Implement a strong data governance and privacy framework (see below).
- Deploy resources (technological and personnel) to identify the use of sensitive data.
- Stay current on the latest information related to critical vulnerabilities (e.g., US-CERT advisories).
- Establish and continuously audit and advance the internal control framework related to data privacy.
- Educate personnel about their responsibility for data privacy and protection, and about the data life cycle (how data is collected, used, stored, disclosed, archived, and destroyed).
An effective data governance and privacy program should address the following:
- Privacy management – Clearly define policies and procedures to address usage and guidance of personally identifiable information. Also, focus on providing training and awareness at all levels (especially for those who process or manage sensitive data). Regularly conduct a privacy impact assessment.
- Data management and collection – Ensure that the use, processing, storage, and retention of personal data occurs for legitimate business purposes only, that personal data is clearly defined, and that there is the ability to anonymize such data, if required. Also, ensure that only authorized personnel have access to electronic and physical records.
- Data security – Ensure that access to personal data is defined and enforced throughout the organization, including the transfer of data. Risks and threats need to be evaluated, and systems need to be patched regularly.
- Third-party compliance and contractual agreements – Only authorized third parties should process personal data, and it should be in a manner that is known to your organization and the data subject. Vendors need to be assessed to ensure that they have effective privacy and security controls in place to protect personal data.
- Incident response and escalation – Procedures must be in place to respond to data breaches or data security incidents, including what information needs to be collected, shared, and reported related to the potential or confirmed breach.
Unauthorized or careless processing of sensitive data can cause great harm to individuals, and there is reputational and financial risk to organizations that misuse such data. Changes to support customer data privacy do not have to be hard, but they should begin with awareness and oversight.
Eric Fair, CISA, CBCLA, is manager, IT risk advisory, for Schneider Downs & Co. Inc. in Pittsburgh. He can be reached at firstname.lastname@example.org.