The protection of data by corporate entities has become an issue of increasing focus for both consumers and corporations around the globe over the past 15 years. Online user activity and behavior has evolved with technological advancements and capabilities. Public interest in how user data is collected and shared has grown more prevalent, casting a light on common corporate practice and helping to spur the creation and passage of data privacy legislation worldwide.
General Data Privacy Regulation (GDPR)
In order to understand how data privacy regulations will affect the U.S., we must first look at the European Union’s policy. On May 25, 2018, the European Union implemented the General Data Privacy Regulation (GDPR). The GDPR lays out seven principles of data protection that must be implemented by organizations that deal with the personal data of those within the member states of the EU. Each of the seven principles of data protection focuses on three key facets of data control and usage:
- Transparency in all administrative and corporate interactions with data
- Minimization of the data’s usage and dissemination
- Strength and continuity of security at all points in the data procurement and use process
Underpinning each of these facets is the seventh principle of data protection: accountability. The GDPR requires that entities which collect and use user data be held accountable for their collection and use practices, and that they also hold themselves accountable, as parties engaged in data collection, for upholding all seven principles as part of their business functions. To comply with the GDPR, any entity that wishes to collect and use data must conduct a GDPR assessment of what personal user data is being controlled, where that data is located at each step of every interaction between the user and the entity’s product, and how that data is secured.
The GDPR also lays out eight privacy rights that must be facilitated by any entity that interacts with or uses consumer data. Each of the eight privacy rights is protected by the seven principles of data protection, and all are again supported by the overarching principle of accountability on the part of entities that interact with user data in any capacity. With the passage of this fundamental legislation, the European Union established for itself how data privacy and protection would be not only guarded, but also facilitated. Overall, greater clarity has been brought to the concept of data privacy and to its importance in the mind of the average user.
Data Privacy in the United States
The prevalent and ever-expanding user demand for transparency from entities that interact with data has since come to pass in the United States in the form of the landmark California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The CCPA is founded upon and grounded in the core principles of the GDPR, with some notable US provisions, including provisions addressing medical data already covered under the protection of the Health Portability and Accountability Act (1996) and financial data covered by the Gramm-Leach-Bliley Act (1999). It is important to recognize that the scope of the California statute’s impact extends far beyond state borders, as the law likely serves as a harbinger of future challenges nationwide, with several other states considering similar privacy measures. At the federal level, data privacy is an often discussed and debated issue, though we are likely years away from legislation being passed.
Data Privacy in Pennsylvania
The recent passage of the CCPA has prompted the drafting of similar legislation in Pennsylvania that would give consumers greater control over the collection and sale of personal data. Currently in Pennsylvania, user privacy interests are protected under the Breach of Personal Information Notification Act, passed in 2005. This law covers any unauthorized data breach at an entity with a base of over 1,000 users who are residents of the Commonwealth of Pennsylvania, where the breach “materially compromises” security or confidentiality; it does not cover the breach of encrypted data.
The proposed legislation, House Bill 1049, is still pending before the Committee on Consumer Affairs but would place restrictions on the sale of consumer data without consent and enable consumers to opt out of data collection entirely, in some instances for 12 months. Notable features of the proposed legislation include the right to request deletion of data from all purchasing companies, as well as the right to sue companies that have suffered a breach of non-encrypted or non-redacted data for damages of up to $750 per individual. The implication of the pending bill for Pennsylvania businesses is that they must take greater measures to protect data and provide greater transparency regarding what data is collected, where it is stored, and who has access to it.
Data Privacy Laws and Compliance
Fiscal penalties loom large for entities that do not provide sufficient protection of user data and privacy. While certain pieces of legislation like the CCPA extend beyond data breaches to also cover how data is used, current data breach laws cover only the unauthorized access and acquisition of user data.
Any entity with employees working in the EU, or that interacts with or stores user data in the EU, can expect to fall under the jurisdiction of the GDPR as well as the privacy laws of any state in which it conducts business in any form. With overlaps in coverage undoubtedly occurring, the need for top-flight security and privacy protection of data is paramount.
Data Privacy Protection
In order to comply with current and assuredly forthcoming regulations around user data protection and privacy, the first step that any business should take is to formulate an executable and sustainable strategy for evaluating data breach risk and ensuring lawful interactions with user data, both in-house and externally.
This process begins by appointing a dedicated company officer who will manage security and compliance for all interactions with user data, company-wide. Note that this position differs in scope from that of a compliance officer: it pertains exclusively to data, while a compliance officer oversees much broader sets of laws and guidelines, including those that apply between companies.
While this is a solid measure, it is not the comprehensive solution that businesses need. In order to fully ensure your business stays healthy, protected and compliant, there is no better option than contracting a third-party auditor or a managed service provider like PGH Networks. These service providers can help catch any lapses in compliance or possible issues that could lead to a costly data breach, alongside a myriad of other invaluable cybersecurity services. There is no substitute for the peace of mind that trusted professionals in this arena can offer business owners, who can rest assured that they are not assuming unnecessary risks and focus on what makes their organizations successful.