We’ve said it many times before: the global privacy landscape is complex. In the US, we’ve seen Virginia, Colorado, and California all enact comprehensive consumer privacy laws. These laws have some similarities and many differences. A federal privacy act is also looking more and more likely. And then there are the global laws. You’ve likely heard of the GDPR in Europe, but there are more than 80 countries with privacy laws in place.
So, it’s unsurprising that we’ve had so many founders and owners asking us how to respond to the complex patchwork of privacy laws. We’ve put together 5 tips for businesses that will help you generally with navigating privacy law and compliance – but we do want to say that this isn’t a substitute for tailored advice. If your business is subject to privacy laws anywhere in the world, you should find an attorney to help. The costs of noncompliance are high, so it will be money well spent.
Okay – let’s dive into this week’s tips on navigating privacy law:
Tip 1: Get a grasp on the data you handle – and whether it is “sensitive” or “special” data.
As more jurisdictions enact privacy laws, we're seeing a trend of imposing extra obligations on companies that collect particular types of information considered to carry heightened risk. This includes data relating to children, racial or ethnic origin, sexual orientation, and financial information such as credit card details. For instance, Virginia's privacy legislation, the CDPA, requires affirmative consent (an opt-in) before sensitive personal data can be processed. In some contexts, the California privacy laws require businesses that collect or share sensitive personal information to provide specific disclosures and to let consumers limit how that information is used.
Tip 2: Use privacy impact assessments (PIAs) as a business tool.
The GDPR and the CDPA both require privacy risk assessments in certain circumstances (the GDPR calls them data protection impact assessments, the CDPA data protection assessments), but it is good practice to undertake a PIA whenever your company introduces or changes its data handling practices.
A PIA is a tool your business can use to assess the impact a new or amended project will have on the individuals whose data are used in the activity. A PIA identifies which personal data are collected and how they are used, stored, accessed, and shared, as well as the likely impact of that use on the people concerned. With this information in hand, you are better placed to make strategic decisions and mitigate privacy risk. A PIA can also surface opportunities for better information management and more efficient data handling.
Tip 3: Put and keep appropriate contractual protections in place with your vendors and service providers.
Like the European Union's General Data Protection Regulation (GDPR), the CDPA requires that a data processing agreement be in place before personal data is shared with a vendor or service provider who will have access to it. Both laws prescribe specific terms that the agreement must contain. Review your relationships with outside parties and make sure agreements are in place wherever they are needed.
Tip 4: Implement data minimization practices.
Data minimization is a risk management strategy that reduces the risk associated with collecting, storing, sharing, and transferring data. The principle is simple: collect only the data you need to achieve your business objectives.
From a compliance perspective, this makes sense. It prevents over-collection and reduces the risk of exposure, loss, or misuse of personal and sensitive data, which in turn limits the impact and cost of a data security incident. It also makes sense from a business perspective, as many companies collect more data than they can effectively use. Limiting the personal data you collect forces you to consider what your business objectives are, how you will achieve them, and what data you actually need. That discipline avoids the inefficiencies and the added risk that come with accumulating data you never use.
Tip 5: Ensure you have adequate cybersecurity measures in place.
The privacy of your data subjects should be protected by robust technical controls throughout the data's entire lifecycle, and the data should be securely destroyed once it is no longer needed. Cybersecurity is an essential element of this, but your staff represent your company's largest privacy risk. Develop 'human error resistant' privacy practices wherever possible, including least-privilege access controls, two-factor authentication, and regular staff training.
Common mistakes we see in this sphere are:
- Assuming your company won't be targeted because you're too small, too new, or not profitable yet. Attackers do target small companies; those incidents simply don't make the news, so they are less visible.
- Making assumptions about staff and their cyber savviness. Just because a team member is young, an expert in the Microsoft or Google suite, experienced with different email providers, or any combination of the above does not mean they pose no risk. They may still fall victim to social engineering or phishing. Education really is key, as is executive buy-in to support ongoing training efforts.
- Treating cybersecurity as an afterthought. By embedding cybersecurity considerations into your operations, you get an opportunity to improve your processes, upskill your staff, and build trust with your customers. Treating it as an afterthought, on the other hand, is more akin to sticking a band-aid over a gap in your cybersecurity infrastructure. Data security breaches are a material risk to a business's reputation.
CGL’s Privacy Attorneys are Here to Help!
We hope these 5 tips have given you some clarity about this extremely complex and dynamic area of law. As always, we would love to hear from you! Let us know what you’re struggling with when it comes to navigating privacy law or cybersecurity – and what you’re doing to overcome it. You can comment on the social media post sharing this content or email us at info@cgl-llp.com
If you have any topics you’d like us to cover, tell us. We’re here to help!
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.