For nearly two decades, the data economy has hidden behind a “digital curtain” that cloaked organizations’ sometimes dubious practices from lawmakers and the public. It was the wild west, where companies could do whatever they wanted with consumer data. That curtain has since been lifted as a result of consumer mistrust, government regulations, and market forces.
Privacy is top of mind for consumers and a priority for government. As such, organizations that handle personal data are having to take action to affirm their commitment to data security and comply with a growing set of regulations.
For years, organizations made the rules when it came to data privacy. But in the wake of costly data breaches, and sometimes at the behest of consumer advocacy groups, governments are steadily increasing their focus on securing data privacy.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is designed to protect the data of European Union residents. It is an update to the outdated Data Protection Directive, enacted in 1995. Unlike the directive, which every EU nation could customize to their own country, the GDPR requires all 27 member states of the EU to comply with the binding regulation.
The problem with the earlier directive was that it failed to address how data is stored, collected, and transferred in an age where information is increasingly digitized. Simply put, it didn’t keep up with the speed of technological advancement, so new regulation was required. Failing to properly comply with the GDPR can be extremely costly, and some of the world’s most recognized companies have been slapped with hefty fines when they were found to have broken the regulations:
- Amazon was fined a whopping $877 million for issues related to cookie consent.
- WhatsApp was slammed with a $255 million fine for failing to properly explain its data processing practices in its privacy notice.
California Privacy Rights Act (CPRA)
An evolution of the 2018 California Consumer Privacy Act (CCPA), the new California Privacy Rights Act (CPRA) began as a ballot initiative promoted by the data privacy advocacy group Californians for Consumer Privacy. The group gathered enough signatures to qualify its proposition for a new privacy law on the 2020 ballot. California voters approved Proposition 24, which set the stage for CPRA to become state law.
The CPRA is a data privacy bill that takes effect on January 1, 2023 and becomes fully enforceable on July 1, 2023. The new CPRA is more comprehensive than the CCPA. It strengthens data privacy rights of California residents, tightens business regulations around the use of personal information (PI), and establishes a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA).
Inspired by California, Colorado and Virginia have also signed privacy bills into law. More state legislation is expected on the horizon as all but 11 statehouses are discussing bills at some level to govern the use of personal information.
Personal Information Protection Law (PIPL)
On August 20, 2021, China passed the Personal Information Protection Law (PIPL) which provides Chinese citizens privacy protections and rights over their personal information. The comprehensive privacy and data protection law took effect on November 1, 2021.
The legislation comes as China increases regulatory scrutiny on technology companies and other entities handling large troves of sensitive public data. As an example, the government cracked down hard on rideshare company DiDi because it wasn’t satisfied with its data security and privacy practices.
While some refer to the PIPL as China’s GDPR, the truth is that the PIPL introduces requirements that make it even more stringent than the GDPR. For example, the PIPL allows next of kin to exercise the rights of deceased persons, and it introduces personal liability for some violations.
How Your Organization Can Achieve and Maintain Industry Compliance
Organizations working with customer data must be aware of current privacy protection standards and frameworks in order to effectively achieve and maintain compliance. Here’s how.
ISO 27701 Certification
ISO 27701 is intended to help organizations protect and control the personally identifiable (PII) information that controllers and processors handle. This international standard streamlines compliance obligations by integrating privacy into an organization’s information security management system.
Privacy Impact Assessments
The E-Government Act of 2002 requires agencies to perform privacy impact assessments to evaluate systems that collect PII and determine whether the privacy of that PII is properly secured.
Data segmentation is the process of grouping data into two or more subsets based on use cases, types of information, and sensitivity of the data. Following segmentation, organizations can create security parameters and authentication rules to limit access to the data to only authorized personnel. For example, covered entities (as defined by HIPAA) and their business associates can apply data segmentation to PHI.
GDPR Gap Assessment
Failure to comply with GDPR can result in penalties and significant fines. To help your organization best prepare for GDPR compliance, A-LIGN offers a GDPR Gap Assessment. During this assessment, our auditors review your organization’s current data protection and privacy environment and provide a detailed gap assessment to help your organization achieve compliance.
Consumer and Market Driven Actions
Organizations are tasked with responding to changes in the data protection landscape driven by consumer advocates and market forces in a timely (and visible) manner.
Apple Leads with iOS Privacy Changes
Last year, Apple’s update to its iPhone operating system gave users the ability to opt out of data harvesters’ ability to track them across the apps they use on their phone. It was a blow to Facebook’s parent company, Meta. The tech company relies heavily on ad targeting and lost $10 billion last year as a result of users opting out, and expects to lose $10 billion more this year. Clearly, consumers want more privacy controls, which explains why Google is following Apple’s lead. The Android operating system maker is giving app developers two years to prepare for the new privacy restrictions.
Data cooperative refers to the voluntary collaborative pooling of personal data for the benefit of the group or community. After all, why should trillion-dollar Big Data companies be the only ones to benefit from the wealth of information that Big Data provides? Data co-ops give communities of individuals control of their data and negotiating power when it comes to monetization. It also drives common insights for the benefit of the community, such as data about community public health that can be used to address disparities in how healthcare (i.e., vaccines, testing, etc.) is distributed.
Taking Steps to Achieve Compliance
Data privacy continues to drive conversations and even the actions of consumers, and governments are responding to calls for regulating how personal data is collected and used.
Compliance with data protection laws is mandatory, and failure to adhere to evolving legislation will lead to lawsuits and fines. In fact, last year, 27 privacy bills were proposed protecting PII. It will require constant vigilance to stay compliant with all the news laws that emerge.
A-LIGN can help your organization adhere to regulations and affirm to clients that you take data privacy seriously. As a leading global cybersecurity and compliance firm, we are the industry’s trusted one-stop compliance for all cybersecurity and privacy needs. In addition to offering ISO 27001 + ISO 27701 certification, our services include data protection analysis which can determine whether your organization complies with government regulations including GDPR, CCPA/CPRA, and HIPAA.