New Legislation on Data Protection – What it Means for Your Business

Introduction

Data protection and privacy regulations are evolving rapidly around the world. As a business owner, it’s critical to understand how new laws like the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US will impact your operations. Adapting to these new rules can be complex, but failing to comply carries significant risks. In this article, I’ll provide an in-depth look at key data protection legislation and explain the steps your business needs to take to avoid fines and protect customer trust.

Key Elements of Data Protection Laws

New data protection laws generally share some common key principles:

  • Transparency – Requiring clear communication about data collection and use.
  • Consent – Requiring informed and affirmative consent from individuals for data processing.
  • Access – Giving individuals the right to access their data and correct inaccuracies.
  • Restricted Use – Limiting data use to stated purposes.
  • Security – Requiring reasonable security safeguards for personal data.
  • Accountability – Requiring demonstration of compliance through policies, training, and documentation.

While specific requirements vary across regulations, these core elements aim to give individuals more control over their personal data.

Understanding the GDPR

The GDPR went into effect in the EU in May 2018. It applies to any business that collects or processes personal data on EU residents, regardless of the company’s location.

Here are some key facts about the GDPR:

  • Expansive scope – Applies to data processing activities related to offering goods or services to EU residents, or monitoring their behavior.
  • Heavy fines – Violations can result in fines up to 4% of global revenue or €20 million, whichever is greater.
  • Breach notification – Breaches must be reported to authorities within 72 hours of discovery.
  • Right to access – Individuals can request details on data collected about them and have inaccuracies corrected.
  • Consent requirements – Freely given, specific, informed and unambiguous consent is required for data processing. Consent can be withdrawn.
  • Data portability – Ability to receive one’s data and transfer it to another controller.
  • Privacy by design – Services must be designed with privacy in mind from the start.

As you can see, the implications of the GDPR are significant. I’ll next explore exactly what this means for your business processes and systems.

GDPR Requirements for Businesses

To comply with the GDPR, your business needs to implement a comprehensive data protection strategy. Here are some of the key steps involved:

Audit Data Collection and Usage

  • Document what personal data you collect, where it is stored, how it is used, who has access, and how long it is retained. Review vendor contracts.

Update Privacy Notices

  • Privacy notices must clearly explain your data practices in plain language. If consent is required for any practices, it must be opt-in.

Facilitate Data Subject Rights

  • Provide self-service portals for EU residents to access their data and exercise rights like erasure. Have processes to meet data access requests within 30 days.

Review Consent Procedures

  • Existing consents may not meet GDPR standards. You may need to seek fresh opt-in consent under new rules.

Implement Data Protection by Design

  • Apply techniques like encryption, anonymization, and aggregation to handle data safely and minimize risk.

Conduct Risk Assessments

  • Formally evaluate risks to data security and privacy. Implement safeguards to mitigate identified risks.

Update Vendor Contracts

  • Contracts must include GDPR-compliant provisions on things like cross-border data transfers and breach notification.

Develop Response Plans

  • Document incident response plans and procedures to detect, report and investigate a personal data breach.

Train Employees

  • Educate all staff handling personal data on GDPR responsibilities and procedures.

Designate a DPO

  • For many companies, a Data Protection Officer (DPO) will need to be appointed to oversee compliance.

This is a high-level overview of key areas to address. GDPR compliance ultimately requires an ongoing commitment to align data practices with core privacy principles.

Understanding the CCPA

While not as expansive in scope as the GDPR, the CCPA establishes significant new consumer privacy rights that will impact many businesses. Key facts on the CCPA:

  • Applies to large companies – Covers for-profit entities doing business in California that collect or sell consumer data and meet certain revenue/volume thresholds.
  • Consumer rights – Gives California residents rights to know what data is collected and access/delete that data upon request. Also allows consumers to opt-out of sale of their personal information.
  • Private right of action – Consumers can sue for data breaches if certain conditions are met.
  • Attorney general enforcement – The California attorney general is authorized to bring enforcement actions against non-compliant companies.
  • Expanded definition of personal information – Covers categories like household data, IP addresses, purchase history, location data, browsing history and inferences drawn from other personal information.

While smaller in scope than the GDPR, the potential combined impact of individual lawsuits and state enforcement makes CCPA compliance a must for many large brands.

CCPA Requirements for Businesses

Major steps needed to achieve CCPA compliance include:

Identify Data Collection and Sales

  • Thoroughly audit first- and third-party data collection, usage and sale practices impacting California residents.

Update Privacy Policies

  • Privacy policies must describe data practices, list categories of information collected, and explain consumer privacy rights under the CCPA.

Facilitate Data Subject Rights

  • Implement mechanisms for consumers to submit access and deletion requests. Validate identities and respond within 45 days.

Allow Opt-Out of Data Sales

  • Provide clear notice of any sales of personal information, along with a one-click opt-out. Third-party sales also require an opt-out.

Limit Use of Sensitive Data

  • Ensure proper consent is obtained before collecting and using sensitive categories like health, biometric or location data.

Review Vendor Relationships

  • Update contracts with service providers to address CCPA compliance, including obligations to assist with consumer requests.

Update Data Security

  • Assess security safeguards and encryption practices to mitigate breach risks that could trigger private lawsuits.

Train Employees

  • Educate staff on CCPA requirements and individual rights. Ensure customer service teams can address consumer inquiries.

California businesses should begin preparing now to meet CCPA requirements before enforcement begins in July 2020. Performing an in-depth data mapping, revising policies and procedures, and training staff takes significant lead time.

Conclusion

  • New data protection legislation is re-shaping practices for businesses worldwide.
  • Core principles focus on transparency, choice, access and accountability for data practices impacting individuals.
  • Major laws like GDPR and CCPA introduce substantial new compliance obligations enforced by heavy fines.
  • Achieving compliance requires an organization-wide commitment to aligning systems, policies and culture with privacy values.
  • By taking proactive steps to comply now, your business can avoid substantial risks and reinforce customer trust.

The costs involved with compliance may seem daunting initially, but a focus on data protection provides long-term competitive advantages. With sound data practices, your business can demonstrate its commitment to doing the right thing and gain an edge with privacy-focused consumers.
