How Do Organizations Support Data Protection Compliance?
Over the past several years, data protection compliance laws have expanded. Here are the top privacy laws to be aware of.
Top Privacy Laws
- California Consumer Privacy Act/California Privacy Rights Act (CPRA)
- Colorado Privacy Act
- Utah Consumer Privacy Act
- Virginia Consumer Data Privacy Act
- General Data Protection Regulation
- Brazilian General Data Protection Law
The EU's General Data Protection Regulation (GDPR) experienced changes in 2018, and the Brazilian General Data Protection Law (LGPD) and US state data privacy laws have continued to evolve. In the US, the California Privacy Rights Act (CPRA, or CCPA 2.0) expanded and clarified the California Consumer Privacy Act (CCPA) that was passed in 2018. CCPA went into effect in 2020 and was amended that same year, with CPRA enforcement planned for 2023.
While some laws have stronger language or provide more detail and nuance, each of these laws revolves around the same main topics: consumer privacy, the protection of consumer personal information, and the way businesses manage data. Furthermore, each law deals with specific consumer privacy rights.
Consumer Privacy Rights
- Right to Know – what types of data companies are storing
- Right to be Informed – companies inform consumers when and why they are collecting data
- Right to Correct – update or correct information that is inaccurate
- Right to Delete – request that companies delete customer data
While there are currently geographic and business exemptions for some of these laws, there is no doubt that consumer privacy rights are moving full steam ahead. The International Association of Privacy Professionals (IAPP) does a great job of highlighting privacy changes and has a nice US Privacy Law Tracker that follows each law's status, consumer rights, and business obligations.
Data Protection Compliance FAQ: Where is My Data?
The dynamics fueling these privacy laws are identifying, controlling, and managing data, specifically consumers’ personal and sensitive data. If they have not already, companies should be asking themselves questions like the following to support their efforts towards data protection compliance.
- Do we have a complete view of consumer data? Where are the risks?
- Where does the consumer data originate? Where is it stored? How long is it retained?
- Can we track data lineage across both internal and external systems?
- What happens when something goes wrong? What is the escalation process? Who needs to be notified?
All organizations spend a portion of their IT budget on security, on the assumption that security brings privacy protection. However, without a structure for managing data, supporting compliance with the privacy “rights” under these laws can be challenging. Privacy and security need to function together, and there is a standard that standardizes core data privacy practices to build and support a compliance structure.
ISO/IEC 27701, published in 2019, aims to be that guidance and governance approach: it defines a Privacy Information Management System (PIMS) that standardizes core data privacy practices. The standard focuses on the control, management, and protection of data. ISO 27701 includes controls for data inventory, data lineage, Privacy Impact Assessments (PIA), incident management, third-party management, and more. ISO 27701 aligns with the ISO 27001 Information Security Management System (ISMS) and is a natural fit for companies that want to build structure into their privacy programs.