With the passage of the Digital Markets Act, which regulates the largest online platforms designated as "gatekeepers," the EU is once again making waves in the tech world. Notably, the EU's GDPR has imposed privacy rules on tech companies worldwide since it took effect. Now the US Congress is also making noise about enacting data privacy legislation, and California has already passed its own law, which went into effect in 2020. These moves are proof that compliance in the age of big data can no longer be an afterthought.
However, risk and compliance functions are typically the last to evolve with digital transformation, which can cause major setbacks for business leaders and organizations, especially in the information age, where everything involves data.
How has the data privacy landscape changed over the past few years?
The data privacy landscape has grown significantly over the past few years due in large part to the introduction of the GDPR four years ago and subsequent similar legislation across the globe. Data privacy programs went from “paper,” “check-the-box” programs to significant risk areas that need to be addressed by company management. The GDPR served as a spark to get privacy on the corporate executive agenda and also to incorporate privacy considerations into business processes (e.g., privacy by design), which was less likely to happen before.
How effective are regs like GDPR and CCPA?
Because businesses are subject to potentially significant fines if they fail to comply, data regs have been very effective in causing companies to step up their efforts to protect the personal data of their employees and customers. Compliant data practices and transparency surrounding those practices build trust with prospective stakeholders and improve brand image. Whatever the motivation, improved data habits reduce the likelihood of privacy breaches and misuse of personally identifiable information.
What are the challenges that orgs are facing re: data privacy regulation?
In addition to the obvious costs of complying with a myriad of ever-growing compliance regulations, people and human error create the biggest challenges. Threat actors rely on the human factor to break into a company’s networks and gain access to data. And far too often they succeed by using sophisticated phishing or other email account compromise scams that cause individuals to click on malicious links or attachments they think come from someone they trust.
One way to mitigate the people risk is by training employees on data privacy and cybersecurity policies, procedures and best practices. In today's remote/hybrid workplace, all employees can benefit from ongoing training and education on how to safely handle data, how to spot suspicious emails, texts, calls and social media posts, and how to report potential data breaches or other issues.
What is missing from the reg landscape currently?
Despite the number of significant data breaches impacting Americans, the U.S. still has a hodgepodge of sector-specific laws. Five states have enacted consumer data privacy laws (California, Colorado, Connecticut, Utah, and Virginia), while a handful of others are contemplating proposed bills which may or may not become law.
The Federal Trade Commission is entertaining potential rules that would penalize companies that suffer data breaches due to poor cybersecurity protocols and punish abusive commercial surveillance practices. The Consumer Financial Protection Bureau issued cyber-related guidance to financial institutions and indicated that failure to protect personal financial data might violate federal consumer protection law. It is unclear, however, whether the FTC and CFPB have the authority to regulate data privacy. The U.S. Congress is currently considering a federal data privacy law, the American Data Privacy and Protection Act, which isn't the first piece of privacy legislation introduced in Congress. It is, however, the first to advance out of committee, and it has bipartisan support. Hopefully, the Act will become law and mitigate the impact that the patchwork of state laws could have on consumers and businesses.
What can we expect in the next year from data regulations?
While the global rise in data privacy regulation will increase, companies will likely continue to dedicate additional attention and resources to the protection of personal data for commercial reasons as well. Data privacy regulations and the growing number of data breaches have caused consumers to become more aware of the safety and security of their data. They will continue to exercise their “right to know” who has access to their personal information and to restrict the processing of the information companies have collected about them. As a result, data subject requests and data related complaints will most certainly increase.