California, here we come: How companies need to prepare for new digital privacy laws
"Deepak Gupta, the cofounder & CTO of LoginRadius, lays out the steps that businesses need to take to avoid getting fined via GDPR and California’s privacy law, which goes into effect in January 2020."
With the increasing frequency of data breaches and the headlines dominated by user privacy scandals, rising consumer outrage has compelled governments around the world to take steps to protect their citizens from negligent practices by companies within and outside of their borders. But have the tough new rules been effective? And is your company prepared for the complicated and potentially expensive changes that have to be made? The task list of every online CEO now includes ensuring that their organization stays abreast of, and compliant with, a multitude of emerging global data privacy regulations. The consequences of failing to do so could include crippling fines, prolonged entanglement with the justice systems of faraway countries, and the wrath of angry consumers.
It’s been almost a year and a half since the European Union’s GDPR went into effect. Even though the legislation was publicized for two years in advance of its launch, many companies and organizations were still caught flat-footed. In just one example, British Airways is currently facing a $230 million fine over a data breach, enforced under the new rules.
Hundreds of thousands of EU residents have reported companies for noncompliance with GDPR, according to an enforcement tracker maintained by a European law firm. As a result of these complaints, hundreds of businesses have been fined. You might be tempted to assume that GDPR is all talk and not much action—until you learn that these cases are heard through the various European jurisdictions operating under GDPR and are subject to the same delays and trial lengths as civil litigation and criminal enforcement. The message from the GDPR policy team is simply: Fasten your seatbelts! There’s more to come.
On Jan. 1, 2020, California will roll out its own version of the GDPR, entitled the California Consumer Privacy Act (CCPA). It applies to for-profit businesses that do business in California and meet any one of three thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50 percent or more of annual revenue from selling personal information. The business does not have to be based in California, or even in the United States. California is the first state to bring comprehensive legislation to the table but will soon be joined by a long list of others rolling out consumer privacy laws—with reports that federal privacy legislation is also in the works. With other countries around the world in Asia and Latin America joining the fray, it’s clear that practically every jurisdiction will have something to say about how their citizens’ data is handled—with staggering consequences for failure.
For these reasons, we can expect to see more and more demand for privacy- and security-oriented roles like chief privacy officers, data protection officers, and chief information security officers, whose jobs are to track new and pending legislation and to plan changes to systems and services so that their organizations remain compliant.
For any business that sells online, the best advice is that now is the time to start putting process, people, and technology in place so that your organization is prepared to rapidly respond to any new legislation that may affect your market presence:
KNOW THE LAW
As anyone caught speeding through a school zone has likely been told, ignorance of the law is no excuse. If you sell online, your obligation is to keep abreast of all regulations affecting your users by state, country, or other jurisdiction and to understand what their requirements are. Understanding that many of these laws apply extraterritorially is crucial to ascertaining your liability.
BE AGILE
Business leaders should value the ability to respond nimbly to emerging requirements. Establish practices and platforms in which disclosure notices, consent handling, and data storage controls are simple for the business to change and minimally bothersome for users.
CONSIDER YOUR PARTNERSHIPS
Even if your organization maintains customer data in a high-security environment, one area of vulnerability is third parties. When acquiring data from, or sharing it with, third parties, it is crucial to ensure that your partners are compliant—or you’re at risk of being fined for buying or handling customer data from a noncompliant organization. Put the obligations in writing: data processing agreements that state what a partner may do with the data, how long they may keep it, and how they will notify you of a breach.
RIGOROUSLY AUDIT YOUR PRACTICES
You have to ensure that key members of your organization know the following information: how and where user data is stored, who has access to it within and outside of your organization, exactly what type of data is stored and accessed, how long it is retained and for what purpose, and which geographical jurisdictions govern which aspects of user data. Write this down as a data inventory and keep it current; every access or deletion request will be answered from it. Do a thorough examination of your organization’s encryption strategies (on desktop and mobile clients as well as in the services you manage) and of the technical security of those services.
PLAN FOR DELETIONS, DISCLOSURES, CONFIRMATIONS, AND REQUESTS
Many jurisdictions will seek to enable customers to request copies of the personal data managed by the services they use, or to allow for simple or one-click deletion that lets consumers have all personally identifiable information removed from an online service. Furthermore, legislation is quite prescriptive about how an organization discloses its handling practices for personal information, or requires confirmation of opt-in for the use of personal data in offering a service. These standards generally exceed the practices of most online services today, so the export, deletion, and consent paths need to be built and tested before the first request arrives, not improvised afterward.
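The audit and request-handling steps above come together in one piece of plumbing: a data inventory that records, for each system, which fields are personal data, why they are held, how long, and under which jurisdiction, plus request handlers that work from that inventory. The following is an added example, not LoginRadius code or any product’s API; the three stores, the user `u-42`, and the retention periods are constructed for illustration, and real systems would replace the in-memory dicts with calls to the CRM, analytics, and support-desk back ends.

```python
"""Data-subject access, erasure, consent and retention against a PII inventory.

Added example with constructed sample data; the stores are in-memory stand-ins
for real systems (CRM, analytics, support desk).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib

NOW = datetime(2019, 11, 1, tzinfo=timezone.utc)  # fixed clock for the sample


@dataclass
class DataStore:
    """One system holding personal data, with the facts an audit has to answer."""
    name: str
    pii_fields: tuple          # which fields are personal data
    purpose: str               # why it is held
    retention_days: int        # how long it may be kept
    jurisdiction: str          # whose rules govern it
    records: dict = field(default_factory=dict)  # user_id -> record dict


def build_inventory():
    """Constructed sample inventory: three stores, one subject (u-42) in two of them."""
    crm = DataStore("crm", ("name", "email"), "account", 365, "EU")
    crm.records["u-42"] = {"name": "Ada", "email": "ada@example.com",
                           "collected_at": NOW - timedelta(days=30)}
    analytics = DataStore("analytics", ("ip", "device_id"), "product-usage", 90, "US-CA")
    analytics.records["u-42"] = {"ip": "203.0.113.7", "device_id": "dev-9",
                                 "collected_at": NOW - timedelta(days=120)}
    support = DataStore("support", ("email", "ticket_text"), "support", 730, "EU")
    # support holds nothing for u-42: a store without the subject must not fail a request
    return {s.name: s for s in (crm, analytics, support)}


def subject_ref(user_id):
    """Pseudonymous reference for audit entries, so the audit log itself holds no PII."""
    return hashlib.sha256(user_id.encode()).hexdigest()[:16]


def export_subject_data(inventory, user_id):
    """Access request: every PII field held about the subject, with purpose and jurisdiction."""
    out = {}
    for store in inventory.values():
        rec = store.records.get(user_id)
        if rec is None:
            continue
        out[store.name] = {
            "data": {f: rec[f] for f in store.pii_fields if f in rec},
            "purpose": store.purpose,
            "jurisdiction": store.jurisdiction,
            "retention_days": store.retention_days,
        }
    return out


def erase_subject(inventory, user_id, audit_log):
    """Erasure request across every store, verified by re-export; safe to repeat."""
    erased = [name for name, s in inventory.items()
              if s.records.pop(user_id, None) is not None]
    remaining = sorted(export_subject_data(inventory, user_id))  # must be empty
    audit_log.append({"subject": subject_ref(user_id), "action": "erase",
                      "stores": erased, "verified": not remaining})
    return {"erased": erased, "remaining": remaining}


def record_consent(consent_log, user_id, purpose, granted, at):
    """Append-only consent record: who, for what purpose, yes/no, when."""
    consent_log.append({"subject": user_id, "purpose": purpose,
                        "granted": granted, "at": at})


def has_consent(consent_log, user_id, purpose):
    """Latest decision for this subject and purpose wins; no record means no consent."""
    decisions = [c for c in consent_log
                 if c["subject"] == user_id and c["purpose"] == purpose]
    return bool(decisions) and max(decisions, key=lambda c: c["at"])["granted"]


def retention_sweep(inventory, now):
    """Delete records held past their store's retention period; returns what was dropped."""
    dropped = []
    for store in inventory.values():
        limit = timedelta(days=store.retention_days)
        expired = [u for u, r in store.records.items() if now - r["collected_at"] > limit]
        for uid in expired:
            del store.records[uid]
            dropped.append((store.name, uid))
    return dropped


if __name__ == "__main__":
    inv = build_inventory()
    print(export_subject_data(inv, "u-42"))
    print(retention_sweep(inv, NOW))
    print(erase_subject(inv, "u-42", []))
```

Two design points matter in practice. Erasure is verified by running the access path again after deleting, so the same inventory that answers "what do you hold about me" also proves the answer is now "nothing"; if a store is missing from the inventory, neither request can see it, which is exactly the failure an audit should surface. The audit trail records a pseudonymous reference rather than the identifier, so retaining it does not quietly re-create the data the request asked you to remove.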
Collecting customer data while providing any sort of a service is practically inevitable in our digital era. Though global data privacy regulations have only recently gone into effect, ultimately they will impact every business, including those that don’t even offer online services. Now is the time for governments and businesses to accept the challenge of regulators and consumers to do better—and be better—at how they handle and secure personally identifiable information. Getting out front of this hot-button issue and setting a strategy to navigate the choppy waters of privacy legislation certainly beats the alternative: angry customers and crippling fines, and a lot of lost sleep in the interim.
Originally published at FastCompany