First, it was the passing of the European Union’s General Data Protection Regulation (GDPR), the toughest data privacy law in the world. A steady drumbeat of large-scale data breaches followed and hasn’t stopped to this day. It’s no surprise then, that data privacy is on the minds of security specialists everywhere.
The GDPR is a legal framework, which sets rules and guidelines designed to ensure EU citizens’ data privacy. Although the GDPR is structured around seven basic principles, three are especially important:
- Transparency. All data subjects have the right to be informed about why their personal data is collected and how it is processed.
- Legitimate purpose. Organizations must have a legitimate purpose for collecting data. They should minimize the amount of personal data required to perform business and government functions.
- Proportionality. Organizations should gather as little data as possible to fulfill a legitimate use and keep it no longer than necessary to serve the customer.
How are American organizations developing their own data privacy laws? Here’s a status report of U.S. data privacy trends.
State-Level Privacy Laws Keep Up Momentum
Interest in a national data privacy law has been around for years, but the COVID-19 pandemic was a major force in moving legislation forward. In addition to a spike in e-commerce sales, these pandemic-related issues have made data privacy more important:
- The rapid start of remote work environments.
- Student and child privacy during the lockdown.
- Information used by contact tracing technologies.
- Emergency health information sharing.
There’s one serious problem, though: Unlike the EU, the U.S. has no high-level (national) data privacy legislation. Without a national data privacy law, all the legislative action happens at the state level.
What’s the U.S. data privacy environment like?
Describing the state-level data privacy situation as “fluid” requires a boatload of understatement. That’s because keeping track of state-level data privacy laws is:
- Confusing. The regulatory landscape is more perplexing than it has ever been. The U.S. lacks a single, comprehensive data protection law. Instead, a jumble of hundreds of state and federal laws serve to protect the personal data of U.S. inhabitants. Different states emphasize different data protection principles (such as transparency and legitimate purpose). And pioneering states such as California add to the confusion by updating previously approved laws.
- Complex. Practically all businesses depend on third-party service providers or vendors to operate efficiently. Now companies must pay attention to privacy in their supply chain to stay within state laws.
- Constantly changing. Some states such as California are already updating their pioneering legislation. The result: companies must keep track of the California Consumer Privacy Act 2.0.
As of July 2021, three states (California, Colorado, and Virginia) have enacted comprehensive consumer data privacy laws, while 33 states have legislation in different stages of passage. With the growing momentum toward regulation, passage of a national bill looked promising. Unfortunately, other political issues bogged it down in Congress, where there are no prospects of moving a bill forward for the foreseeable future.
Waiting for Congress: A Workable Plan B
National data privacy legislation has stalled. Now what? There’s no sense just waiting around for folks in Washington to revive lost legislative momentum. Organizations can take constructive steps to get ready for national data privacy legislation by:
- Making transparency an important part of implementing data privacy. This includes interactive pop-ups or banners, built into existing website software, that give site visitors immediate data opt-in choices.
- Complying with current regulations to preserve customer trust. Businesses should expect a “Show me” attitude and be ready to prove that they want to do the right thing for customers and their data. That means taking every opportunity to develop customer trust. Emphasizing transparency and legitimate use principles is a good way to start.
- Becoming familiar with the latest rules. All indications point to national legislation using aspects or approaches of the CCPA or perhaps new state laws. Better not to be blindsided. Know what’s happening in your state today and be ready to translate what you know into easy-to-use website and product content.
- Finding out what customers think about data privacy. There’s no target date for national data privacy legislation. Customers tend to be impatient, however, and will expect organizations to move quickly on transparency and other issues when legislation resumes.
These planning steps can contribute to an agile response to new state and national data privacy laws. But technology has something positive to offer, too.
Preparing for the Future of Data Privacy
Given the increasing pressure for compliance and the severity of penalties, it’s no surprise that a bevy of data privacy management software solutions has entered the market. This class of software:
- Manages enterprise privacy programs to help companies comply with global privacy laws such as GDPR.
- Enables enterprises to store sensitive data in compliance with the law.
- Streamlines and automates data privacy tasks, such as fulfilling data subject access requests (DSARs).
These solutions emphasize speedy data processes and constant monitoring that require little or no human attention. In addition to a centralized platform and automated processes (data discovery and inventory; audit reporting; and DSR/DSAR fulfillment), data privacy management software solutions also:
- Discover and classify structured and unstructured data.
- Assess user access privileges.
- Monitor data access.
- Detect data threats.
- Reduce the risks of a data breach.
When used together, these capabilities save companies the time, effort, and costs of maintaining data privacy. They also reduce the risk of human error during regulatory compliance assessments.
The global surge in exposure to data breaches and more stringent penalties for not complying with data privacy laws make privacy management software look very attractive to enterprise customers. And there’s no sign that this will stop any time soon.