The Ground is Shifting! The Changing Privacy and Regulatory Landscape
The General Data Protection Regulation (GDPR), enacted in 2018 in the EU, changed the face of data privacy not only in Europe but around the world. It sparked a paradigm shift in how nations globally process, transmit and store personal information. The social media explosion experienced across the world gave people a vehicle to share and post information about themselves and their lives. This was great for the platforms, as it created endless free content, but it laid the groundwork for a great reckoning, starting with the GDPR and, domestically, with the enactment of the California Consumer Privacy Act (CCPA).
The data privacy principles ingrained in several regulatory measures governing users' personal information give data subjects rights and recourse when information is used for purposes other than those for which it was collected, stored longer than needed, or sold to marketers. The client/consumer "bill of rights" concept has put the data subject back in control of their personal information. Organizations have been hoarding consumer data for decades and are now being forced to shift their policies, procedures and culture; this has been a tectonic shift, and the shockwaves are massive. Most organizations are not positioned to handle the requests and tasks these laws generate, and with many states adopting the GDPR/CCPA principles, it is straining budgets and shining a light on the immaturity in this space.
Another major change is the move away from Personally Identifiable Information (PII) to Personal Information (PI). The importance of this shift in thinking cannot be overstated, and its tentacles touch every aspect of the private and public sectors. The shift to the realization that every data point about the "natural" person needs to be protected to the highest level is earth-shattering. We were told for years that if the data was not your social security number, driver's license or credit card number, you had nothing to worry about. That is no longer true: even an email address, if released, could cause harm to a person, and it must be protected.
Finally, what is the recourse of the states if you decide to disregard these regulatory controls? Well, the punitive damages can be severe, but the potential private right of action could put your organization on a never-ending hamster wheel of litigation. The ultimate cost of fines, legal discovery and remediation could push into the millions. If you think that sounds bad, it gets worse! Many states are using these new laws as potential revenue generators, and with the financial impact of Covid-19 being felt in every sector, states are looking for ways to fill those budget gaps. What better way to do it than under the guise of protecting people's data?
How do we safeguard ourselves and place our organization in a defensible position when the regulators come knocking? I have a few suggestions that can assist you on this journey.
Remember, there is no perfect approach to this problem, but these steps will position you and your organization to respond to an inquiry:
• Encrypt data in transit and at rest
• Mask or obfuscate PI in unsecured development environments
• Have a process and infrastructure to respond to data subject access requests
• Delete data after its usefulness has ended, and do it automatically
• Have evidence of your controls. Trust but verify!
Doing these things, along with other proven data security techniques, should provide your organization with a defensible approach in the event of a regulatory matter.