“Data Privacy”, not just a buzzword anymore.
Just a few short years ago many organizations considered “Data Privacy” more of a trendy buzzword than an actual risk, but new privacy legislation has completely changed the discussion. Prompted largely by privacy activists, consumers are becoming more aware of how their data is tracked, sold, and used across the internet. This awareness has not only soured public perception of the tech and social media giants but has also prompted a series of domestic and international regulatory bodies to act by creating new legislation intended to give consumers more transparency and control over their data.
Awareness - Top 5 Data Privacy Laws to look out for:
1. GDPR in Europe
GDPR stands for the General Data Protection Regulation, a set of European rules regulating online data privacy. Implemented on May 25, 2018, the regulation enforces security and privacy for every organization that collects data from users based in Europe.
GDPR (Source: Traceparts)
Undeniably, it is one of the most important data privacy laws thus far and the convoluted outcome of a four-year deliberative journey. In fact, many consider GDPR to be the data privacy law that started it all, particularly because it holds businesses accountable for hacking incidents and data breaches resulting from inadequate security controls and the mishandling of third-party services and applications. The staggeringly complex law has been translated into 26 different languages. Before most of us even knew what GDPR was, companies swamped our inboxes with emails and displayed cookie banners on websites requesting user consent.
2. CCPA in the US
The California Consumer Protection Act (CCPA) gives consumers more control over the personal information that businesses collect about them. CCPA regulations guide the process of implementing the CCPA law, which many consider a landmark regulation that secures new privacy rights for California consumers. While there are many overlaps between CCPA and GDPR, there are a few additional considerations:
CCPA (Source: Grazitti)
With CCPA, consumers have the right to know about the personal data a business collects about them and how it is used and shared. Data owners also have the right to delete personal information collected from them, though with some exceptions. What’s more, with CCPA law, California consumers have the right to opt out of the sale of their personal information and the right to non-discrimination for exercising their CCPA rights.
3. PIPL in China
It is worth mentioning that China’s data protection laws are in a development and change phase. Principally, the Draft Personal Information Protection Law (PIPL), released on October 21, 2020, will become China’s first comprehensive law dedicated to personal data protection. In addition, PIPL potentially combines and expands on personal data provisions in existing but scattered laws and regulations in the country. The main principles for processing personal information in PIPL require businesses to process information in a lawful, fair manner and in good faith. Besides that, information processing should feature specific and practical purposes and should be limited to the minimum for accomplishing data processing purposes. Furthermore, the processing of personal information should follow the principles of openness and transparency, and the rules for personal information processing should be published.
4. LGPD in Brazil
The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD), which entered into effect in August 2020, governs the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
In many ways, LGPD is modeled after the EU’s GDPR. The law is crucial for websites, services, and organizations that collect and process personal information from individuals inside Brazil’s territory. Like India’s PDP, the LGPD covers a significant population (more than 140 million internet users). Beyond that, the Brazilian law provides an overarching regulatory framework intended to replace a fractured legal landscape of more than 40 federal-level norms that dealt directly or indirectly with the protection of privacy and personal data in a sector-based system.
5. PDP in India
The Privacy and Data Protection (PDP) bill was enforced in 2009 in India. Unquestionably, the country’s significant population size means that their data privacy laws might influence many businesses within and across borders. Besides that, India’s authority in the tech world potentially enables the country’s data privacy law to reshape global policy, like in the case of European GDPR.
However, the biggest concern with PDP is that it exempts the government from the data privacy regulations. That means government agencies can obtain data from subjects whenever they think it necessary, which remains a crucial dispute in the country.
Another key takeaway from PDP, which makes it unique, is that the regulation also incorporates non-personal data activities. In this case, the regulator can request an organization to share any non-personal data.
Staying Compliant – Key Considerations
1. Data Privacy is Different from Data Security
Unlike data security, which focuses on the measures an organization takes to prevent bad actors from accessing systems and information, data privacy deals with compliance with data protection regulations and laws. The concept focuses on how a business collects, shares, archives, and deletes personal data. By and large, data privacy involves the rights of individuals and the purpose for which data is collected and processed.
2. Data is an Asset Worthy of Protection
In the data economy, much of a company’s real value lies in the customer information it collects. Meanwhile, data privacy laws give individuals rights over their data. Companies can keep customer trust by demonstrating transparency and openly communicating what data they collect and for what purposes.
3. Consequences of Noncompliance
With data protection law now comprehensive and constantly changing, it is becoming incredibly complex for companies to navigate the necessary regulations without proper planning, resources, and expertise. At the same time, failure to comply with applicable data privacy laws will result in fines and lawsuits while putting the company’s reputation and customer loyalty to the test. For instance, GDPR allows EU data protection authorities to issue fines of up to $24.1 million or 4 percent of annual global turnover (whichever is higher) for noncompliance. The French data protection authority fined Google roughly $57 million for failing to adequately disclose how it processes its users’ information.
4. The Power of Privacy Policies
It is essential to have a privacy policy explaining to users how a company’s website or service collects, uses, shares, and secures information. Over and above that, businesses should provide a way for data subjects to consent to or decline the collection of their personal information by vendors. While users voluntarily provide much of the information when they sign up for newsletters, complete forms, or subscribe to mailing lists, it is important to also disclose any additional data collected from third parties and the use of cookies.
5. Appoint a Data Protection Officer (DPO)
Companies involved in regular and systematic monitoring of data subjects should appoint a data protection officer responsible for data protection compliance, and give that officer the expertise, resources, support, and authority needed to meet that objective effectively.
6. New Developments and Impacts on Data Protection Laws
Around the world, the data privacy landscape keeps shifting, which further complicates cross-border data transfers and introduces novel privacy issues. For instance, the COVID-19 pandemic spurred an unanticipated and unwelcome change in the way businesses and governments collect medical-related data. Requirements such as health checks before employees report to work or people travel across borders are fraught with privacy issues, including how to notify customers and how long to store the data. Apart from the COVID-19 pandemic, the Brexit Transition Period will affect GDPR compliance processes. With the UK becoming a ‘third country,’ the European Commission needs to make an adequacy determination on the level of protection afforded under the country’s law. In the meantime, additional Standard Contractual Clauses between the European Economic Area (EEA) and the UK are expected to be needed to ensure lawful data transfers.
Want more info?
Please fill out our contact form to see how we can help.