New laws are taking effect across the globe to regulate the collection, use, retention, disclosure and disposal of personal information. At the same time, the number of cyber attacks, data breaches and incidents of unauthorised use of personal data continues to rise.
In the current environment, it is more important than ever, particularly for those organisations handling financial data, health information and other personally identifiable information, to understand the rights and obligations of individuals and organisations with respect to personal information.
Our latest article provides an overview of some of the new data privacy laws, rules and regulations that are, or soon will be, in effect, outlines cyber security and data protection best practices and compliance programmes to help organisations comply with the evolving new data privacy requirements, and touches on the role of new technologies in mitigating risks and supporting compliance.
The rapidly evolving data privacy regulatory space
The European Union’s General Data Protection Regulation (GDPR) became enforceable on 25 May 2018, and brought sweeping changes to the privacy and data security obligations of the vast majority of companies operating not only in the EU but across the globe, since it applies to any organisation processing the personal data of individuals in the EU regardless of where the organisation is established.
The provisions of the GDPR that all companies should take note of include: the requirement for a lawful basis for every processing activity, and where consent is relied upon, that it be freely given, specific, informed and unambiguous, with a mechanism for withdrawing it that is as easy as giving it; notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them; the right of individuals to access all data that a company holds about them; and the right to be forgotten (the right to erasure), which requires deletion of the data and cessation of its dissemination. Penalties for breach of the GDPR are steep: up to 4 percent of annual global turnover or €20m, whichever is greater.
The regulatory environment in the US is a convoluted patchwork of federal and state laws governing privacy and data security, and it continues to evolve in response to the data breaches and unauthorised uses of personal data that are occurring with ever-increasing frequency.
All 50 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information. Companies can face both civil and criminal penalties for a breach of sensitive information, and some state and federal laws give individuals the right to file class action lawsuits for privacy violations. Massive class actions, such as the litigation over the 2013 Target data breach and the currently pending litigation over the 2017 Equifax breach, highlight the significant risks that companies face in the wake of a cyber security attack, and as a consequence of either not having best practices and compliance programmes in place or simply not following them.
Importance of cyber security and data protection best practices
The stakes have never been greater than they are right now with respect to the collection, use, retention, disclosure and disposal of personal information. With the present regulatory framework and knowledge of where it is heading, companies can expect to continue to face rising costs and escalating risks associated with their privacy and data security practices.
A number of resources are available that provide guidance on privacy and data security practices and help ensure that the practices and programmes implemented are compliant with relevant laws and regulations. The EU and some US federal agencies, including the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), have been publishing updated guidelines and recommendations for privacy and data security best practices across a variety of industries, including the newer Internet of Things and peer platform (sharing economy) marketplaces. Additionally, several industry groups have adopted self-regulatory programmes and rules, including certification programmes, to which a company can voluntarily subscribe.
For companies with a public-facing website, a published website privacy policy is a must. Additionally, a written incident response plan is critical: it should establish protocols for activating a response team, assessing the breach, containing it, preserving evidence, and involving other parties such as law enforcement, regulators and the individuals who must be notified within the deadlines set by the applicable breach notification laws. A plan that is not exercised is of limited value, so it should be tested with tabletop exercises and revised after each incident. Further, a company must continue to audit its practices and maintain any certifications it holds to ensure that its policies and procedures are enforced and remain current. A variety of enterprise privacy management software and compliance solutions may be used internally to help companies audit their systems.
Privacy and data security must form part of the conversation when utilising new technology
While implementing new policies and best practices may be easier said than done, companies face the additional challenge of evaluating and deploying new technologies that may simultaneously hinder and help compliance with the new privacy and data security regulations. For example, blockchain technology offers significant advantages for a wide variety of applications from a data security perspective, offering the ability to record transactions in a decentralised and immutable fashion. However, these same properties raise complex issues for compliance with the new privacy regulations. In connection with the “right to be forgotten” under the GDPR, how is a data subject’s personal information to be erased from an immutable and fully distributed blockchain? The most common practical answer is architectural: keep personal data off-chain, where it can be deleted, and record on-chain only a reference such as a cryptographic hash or commitment, although whether such a hash itself remains personal data is still debated by regulators. Other proposed privacy-enhancing techniques for blockchains, including anonymous transactions and voting systems, secret contracts and blind auctions, will likewise have to be evaluated against the evolving regulatory framework.
Artificial intelligence (AI), and specifically machine learning (ML) techniques, are now widely employed to enable computers to learn from and adapt to new input. Such technology can be used in cyber security systems to automate the identification of new threats and the application of technical controls and protections. On the flip side, attackers have also started to weaponise AI, creating programs that can study systems, evaluate vulnerabilities or even generate persuasive phishing lures based on behaviour observed on social networks. AI applications may also raise privacy issues, especially given the large volume of data required to build a model and the often ‘black box’ lack of transparency in the logic an AI system uses to arrive at a decision about a person.
New user-facing tools and platforms have also been developed to allow individuals to control how their data is used. For example, Facebook recently released a set of privacy tools, including a unified privacy dashboard, and has announced the launch of a new clear history tool. Such tools cannot be overlooked, as they may be essential for meeting obligations under the new privacy regulations, such as data portability, the right to be forgotten, and withdrawal of consent to the collection of personal data.
Recognition of the new and evolving international privacy and security regulations is a requirement, especially in view of the threat of increasing liability and risk with statutory penalties and class action lawsuits. Implementing a compliance programme with a set of best practices for privacy and data security will surely help mitigate these risks, but it is a continuing process, especially as companies face new hurdles when rolling out new systems and technologies.
This is particularly true where newer technologies, such as blockchain and AI, are incorporated into systems in a manner that offers important contributions to security and privacy while simultaneously exposing new vulnerabilities and concerns. Companies are therefore well served by a privacy by design approach, which the GDPR itself requires under the heading of data protection by design and by default, so that privacy and data security compliance is built in from the start and risk is mitigated down the road.
How is compliance faring in 2019 and what is in store for 2020
2019 has been a complex year for compliance. Regulations are continuing to evolve, and meeting their requirements is proving to be a challenge. However, companies that are dealing effectively with data compliance are seeing benefits in their day-to-day business operations: they are avoiding costly fines and thus keeping damaging headlines at bay. Here we discuss the three biggest compliance trends for 2019/2020.
Data Privacy Will Prioritise Consumers and the Organisation
While data protection and data privacy are popular subjects nowadays, they have only become real business factors in the last few years, and within those few years the goal of data privacy has changed significantly. Originally, the priority was protecting investors and executives, since they could be on the hook if one of their investments was found to have mishandled financial or consumer data. But as consumers have become increasingly knowledgeable and concerned about how their data is collected and used, consumers themselves have become the greater priority.
Joined at the hip with this is the rise of data privacy legislation and frameworks. Between international regulations like the GDPR, sector-specific laws and frameworks like HIPAA and the NIST guidance that regulators often point to, and state-level legislation like the California Consumer Privacy Act, enacted in 2018 and effective from January 2020, most organisations processing consumer data have to comply with some type of regulation, while global organisations have to meet a myriad of data privacy acts.
So why are consumer knowledge and regulations driving data privacy prioritisation so strongly? Reputational and monetary hits. I have yet to find a company that wants to announce to the world that it has just had a data breach and exposed all its customer data to attackers. Consumers will lose trust in the organisation and may even leave it for a competitor. In addition to the brand damage, this means a loss in profit and a distraction for the organisation. And with the potential fines and settlements the company may have to pay as a result of the breach, that is even more money lost which could have been spent enhancing the brand. Even a small breach of consumer data can take years to recover from.
Therefore, organisations must take consumer and organisational data privacy more seriously than ever before. The best ones will do two key things:
Implement new initiatives to ensure consumer data is considered during the business development process.
There is a tension here: there is always the possibility that new data privacy regulations overreach to the point where companies miss out on growth opportunities because of their compliance efforts. But when data privacy is done right, it is possible to protect consumer data while still growing the business.
Train internal end users around data privacy.
Whether those employees are in support, marketing, sales or engineering (amongst other historically non-customer-facing departments), these training courses are designed to help them understand exactly what they can and cannot do with customer data and how to avoid a catastrophic incident. Employees are a company’s first line of defence, and if they are not familiar with basic security best practices, the organisation is far easier for attackers to infiltrate. A large share of the breaches reported since 25 May 2018 were caused by internal mistakes by employees rather than by sophisticated external attacks.
GDPR Will Remain Enigmatic
The initial surge of attention and scaremongering had everyone in panic mode over the GDPR. There were so many unknowns about the new regulation, and no one wanted to be caught off guard. This raised the profile of compliance teams, as every organisation put its best foot forward to make sure it was doing what it needed to do. In a sense, the GDPR was the catalyst that the compliance world needed.
Since the GDPR took effect, that panic has steadily decreased in the UK and EU, while countries in other regions of the world have been enacting their own data privacy laws. And while, on the one hand, it is nice that organisations do not feel as alarmed as they used to, on the other hand the decrease is likely due to the ambiguity that still surrounds the GDPR’s requirements. Just over 18 months after the regulation went into effect, organisations are still confused about its practical application, how to attest to compliance, and whether they are compliant at all. This confusion has persisted partly because the large fines that were widely predicted before the regulation took effect have only recently started to materialise.
The C-Suite Will Form Alliances and Work Together for Compliance
CISOs, CIOs and even CEOs are feeling the heat in the new regulatory environment, and this is getting everyone on the same page. C-suite executives are finally realising that compliance is not a part-time job that can be allocated to an employee as an extra task, and that there must be solid, consistent investment in compliance to satisfy requirements and gain value from it.
An example of this is the New York State Department of Financial Services introducing new cybersecurity regulations that apply to financial companies doing business in New York. Among other things, the regulations require these companies to designate a CISO, and that officer must report in writing to the board of directors at least annually on the company’s cybersecurity programme and the material risks it faces.
Another positive is that the various frameworks and regulations have vastly increased collaboration among organisations’ teams. All things considered, this is good news for most organisations. The effort to achieve compliance builds cross-organisational alliances. This trend is especially prevalent between CIO and CISO departments. Historically, these two have had differing goals, but regulations like the GDPR are forcing these departments to become interdependent.
This is shaping up to be an important period for compliance. More conversations about compliance are taking place inside and outside organisations, and more companies are reaching out to technology vendors to make compliance easier. Compliance may not be the coolest tech topic of 2019/2020, but at the rate fresh ideas are emerging and innovation is taking place, compliance will certainly have a bright future and play a prominent role in business for many years to come.