The biggest news in GDPR compliance in its first year was the €50 million fine imposed on Google by the Commission nationale de l'informatique et des libertés (CNIL) due to a failure of transparency and the company’s vague consent agreements. At the same time, data protection authorities in the Netherlands have unveiled a GDPR fining policy that establishes a framework for determining the amounts of fines according to categories of violations. All these actions point to the fact that governments are taking data privacy regulation enforcement seriously.
In the U.S., California is leading with the enactment of the California Consumer Privacy Act (CCPA), due to go into effect in January 2020. The law places restrictions on how businesses handle the personally identifiable information (PII) of consumers. PII is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Other states, such as Vermont, are also enacting regulations around the handling of PII, and there is every indication that more will follow.
The tide has turned decisively in large part due to high-profile cases where the protection of individuals’ data has been treated cavalierly or irresponsibly by the organizations that collect it. One only needs to utter the words “Cambridge Analytica” to understand why consumers are increasingly fed up and are demanding legislative remedies.
Every company that handles consumer data should be proactively anticipating these changes and actively planning how to address them. If a company already has protections in place, it should be asking, “What more can we do?” while the data is in transit and at rest, ensuring it can identify and track both structured and unstructured data and monitor changes when data is being migrated from one system to another.
The first step? Locate and identify all places where personal information is stored. This sounds fundamental, yet the lack of this knowledge is at the root of many of today’s largest data breaches. PII is lurking at all levels of the enterprise, and some of it resides on servers or in data lakes that are directly accessible from the internet (think Equifax). If an organization doesn’t know all the places where sensitive data resides, it immediately becomes vulnerable to the hackers and insiders who are working hard to find it.
Once data sources have been identified, leaders can begin making informed decisions about the levels of protection needed according to an objective evaluation and risk assessment. A recent study by the Ponemon Institute demonstrated that IT teams place a different value on organizational data than the departments that own it. The study emphasized that the perceived value of data has a significant impact on the safeguards put in place to protect it and that organizational leaders must establish a consistent framework for determining that value.
Adding to this challenge is that the definition of PII itself is evolving. Whereas most would agree that a Social Security number should be treated as highly sensitive, other data elements are not as clear. For example, the CCPA defines personal information quite broadly to include any data that could be associated with an individual, without explicitly stating which data points are considered personal. In the absence of specific guidelines, how can an organization defend itself against potential consumer suits around data privacy?
As regulatory bodies around the world strive for a common understanding of PII, organizations can and should put their own definitions in place according to the norms of the geographical regions in which they operate. Then, companies need to vigilantly and consistently adhere to those definitions with appropriate levels of protection, monitoring and training. At a minimum, this will demonstrate that an organization has proactively addressed data privacy concerns with policies and procedures. This could make a big difference in court compared to an organization that has nothing in place.
Consumers are also making important decisions around which organizations they’ll do business with based on factors that go beyond price or quality. Many consumers exhibit a preference for organizations that reflect their own values around social or environmental issues -- and data privacy considerations aren’t far behind.
It is clear is that data privacy regulations will become more prevalent, more encompassing and more punitive for those in violation. Organizations that don’t proactively address their treatment and handling of consumer data worldwide are asking for trouble down the road. Essential preparedness includes understanding where sensitive data is located and establishing the value of that data to the business, and then putting the protections, policies and procedures in place to reflect organizational and regulatory priorities. From this foundation, you’ll be far along the road to compliance when new regulations take effect.
> To read the original article on Forbes, click HERE.