The passage of the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) signaled rapid changes to the world of data privacy law. Both the GDPR and the CCPA (not to mention the 16 additional privacy laws currently under consideration in states across the nation) speak to a larger shift in the public’s awareness of data privacy. Consumers are demanding more control over their personal data, and companies must make ongoing compliance a top priority.
As AbacusNext’s Global Product Marketing Director, Tomas Suros, explains in Data Privacy: Building Compliant and Adaptable Systems, a true compliance strategy means more than playing catch-up. Companies must take a flexible, holistic approach to data privacy that allows them to adapt to an ever-changing legal landscape.
“By doing so,” says Suros, “companies will be well positioned to create systems that customers trust, employees understand, and auditors respect.”
These key focus areas will help your firm develop a comprehensive approach to data privacy:
Know the laws
GDPR and CCPA give consumers more ownership of their valuable data, with a focus on these specific rights:
- Right to Know - Under both the GDPR and the CCPA, individuals have the right to know exactly what data companies have collected about them, why it was collected, and with whom it will be shared or to whom it will be sold. Companies must have clearly stated privacy policies that explicitly outline what data is being collected and for what purpose.
- Right to Opt Out - The GDPR offers consumers the right to restrict the processing of their personal data, and the CCPA offers a specific ‘Opt Out’ from the sale of their data.
- Data Portability - The GDPR specifically requires that organizations be able to provide a consumer’s data to him or her upon request, or to a second data controller. The CCPA does not enumerate an explicit right to data portability, but on request a consumer has the right to receive their information delivered by mail or electronically. If delivered electronically, the information must be portable and in a readily usable format.
- Right to be Forgotten / Right to Deletion - Both the GDPR and the CCPA require organizations to delete personal information upon consumer request, or when that data is no longer needed to conduct business.
Use data mapping to understand your data
The GDPR and the CCPA require you to have a process for properly handling data throughout its lifecycle, so it’s important to have a 360-degree view of all of your data: what you have, where it is, and how it’s stored. Data mapping is the best way to standardize your data across all of your global data sources and to know who is using your data, how, and why, and whether a piece of data has been moved or destroyed. With data mapping, you’ll always know exactly what you have and where it is.
Control who can access personal data
The GDPR and other regulations require companies to maintain clear records of their data processing activities, including who had access to personal data, who was involved in the processing of that data, and what the intent of the processing was. Therefore, it’s important not only to know who can access your data, but to also restrict that access to only those employees responsible for data processing and upkeep.
Establish data maintenance procedures
It’s important to implement data maintenance procedures broad enough to comply with future privacy regulations, not just those already in effect. Your procedure should have the following elements:
- Clearly defined roles for data handling and management, including a Data Protection Officer and larger, cross-functional teams responsible for establishing organizational policies for data protection.
- Regular auditing of third-party partners and vendors who might have access to your data, to ensure that their procedures are also in compliance.
- Regular review and revision of the notices on your website that tell customers how, when, and why their data is being collected, their rights to opt out or have their data deleted, and how long you plan to keep the data.
Make security part of your business plan
Although current and potential privacy laws overlap, they can vary slightly. So it’s wise to make data privacy part of your overall business plan, what the GDPR refers to as data protection by design and by default.
Incorporating top-notch data security measures is the best way to protect your organization’s business data while at the same time protecting consumer data as required by law. Data should always be encrypted, stored in a consistent manner, and archived or deleted according to your established procedures. Your company should constantly monitor for malware and other cybersecurity threats, and all apps, software, and systems should be regularly updated to eliminate unnecessary security risks. Private cloud hosting is one effective way to ensure encryption and the ability to monitor data handling at all times.
Train employees thoroughly and often
Employees are your first line of defense in protecting personal data. In most companies, employees in sales, marketing, customer support, accounting and other departments have contact with consumers and their data. An effective training program can include data privacy law education, internal data protection policies and processes, and cybersecurity awareness and incident response planning.