How Organizations Can Stay Ahead of Changing Privacy Laws
GDPR, CCPA, PIPEDA. Privacy legislation is constantly changing these days. We asked 26 business leaders, security pros, and attorneys how to best stay ahead of changing privacy laws.
26 Business Leaders and Security Pros Offer Tips on How Organizations Can Stay Ahead of Changing Privacy Laws
The European Union's General Data Privacy Regulation (GDPR) wasn't the first privacy law on the books, but it was the first major shakeup in privacy legislation to have such far-reaching effects on businesses around the world. Following the GDPR's implementation, U.S. states have begun implementing their own privacy legislation. California was among the first, with the California Consumer Privacy Act (CCPA) slated to go into effect on January 1, 2020. Texas has also implemented privacy legislation, known as the Texas Identity Theft Enforcement and Protection Act, which also goes into effect in 2020, while Nevada's legislation, Senate Bill 220, goes into effect even before the CCPA, on October 1, 2019.
While these and other state-based privacy laws are new, they're already undergoing changes that could potentially impact businesses. Legislators in California, for instance, are continuing to amend and refine the state's legislation before it goes into effect in 2020. With new privacy laws being implemented around the U.S. and worldwide, and changes being made to existing legislation, businesses are facing an uphill battle when it comes to staying on top of ever-changing laws and regulations. To help you establish a process for staying abreast of the latest legislation that impacts your business, we reached out to a panel of privacy experts and attorneys and asked them to answer this question:
"How can organizations stay ahead of changing privacy laws?"
Meet Our Panel of Privacy Experts and Attorneys:
Read on to find out what our experts had to say about how businesses can stay on top of evolving privacy legislation to ensure compliance.
Siddhartha Gupta is the Chief Executive Officer of Mercer-Mettl, a HR technology company and leading talent measurement firm that enables businesses to make precise people decisions in talent recruitment, management, and training across industry verticals.
"Keep a legal counsel..."
To stave off emergent GDPR implementation and data privacy challenges, organizations must have an up-to-date and keen awareness about how compliance to legislation is established at all levels of organizational workflow, systems, tools, and processes. Companies should have legal counsel onboard which can fully comprehend the business operations and the immediacy of adapting to wider digitization wave and Industry 4.0, balancing it with the right privacy laws at the right levels.
Consent Management: Fiercer regulation from governments of different geographies of the kind of data that is collected and what ultimately happens with it will be on rounds. Legislation around what’s ethical in data collection, the privacy issues, the time till which you can use such private data, and user consent after making them fully comprehend the consequences of it will finally take off the ground. It will be of utmost importance for organizations to have streamlined systems and processes to be accountable and answerable in the wake of legislation and increasing government intervention.
Consent management through consent forms is a viable option to stay clear of any impending legislation with clear accountability, including what happens to the data collected, for how long the data would stay with the organization, and how the data will be discarded when the time period is up. Not limited to this, laws and regulations around buying data rights from the end-users have to be developed, comprehended, and implemented.
Johnny Santiago is the Brand Partnerships Manager for Social Catfish. He handles managing content for the blog, customer relationship management, press relations, and branding.
"Privacy laws have been getting a lot of attention recently..."
With the EU releasing GDPR, the United States government and individual U.S. states have had an increase in pressure to do something about the lax privacy laws that are currently in place. If you work with people all over the U.S., such as through a website, you will need to follow all laws in place.
Also, if you have a lawyer that you work with regularly, a simple request for them to update you on all the new laws and how to stay compliant should be appropriate with a small fee.
Jared Weitz has been in the financial services industry for over 10 years. Over the years, he has held positions in some of the largest business financing companies in the U.S. Some of his roles have been: Underwriter, Director of Business Development, Managing Partner, and currently, CEO of United Capital Source, LLC.
"Constantly audit and test the controls your company has in place in order to stay ahead of changing privacy regulations..."
Manage your privacy risk by keeping your existing controls as effective and efficient as possible to withstand a complex privacy risk environment. Place the focus of testing on spotting employee mistakes and weeding out any gaps in the process. By keeping your systems in line with current regulations, once a shift does occur you will be in a better place to make adjustments quickly. No matter what the changes in privacy may contain, be completely transparent with your customers around the intended use of their data.
Nishank Khanna is the VP of Growth at Utility NYC.
"There are two main things organizations should do to stay on top of changing privacy laws..."
1. Assign a dedicated policy owner. Depending on the size of your organization, you want to have a team member whose sole job is to stay on top of upcoming changes and thinking of solutions to stay compliant. Companies that don't have someone dedicated to this role are left scrambling at the end when the deadline to be compliant to a privacy law change arrives.
2. Find the right partners to navigate changes. Changes in privacy laws often come with nuances that can be overwhelming to navigate alone. GDPR is a prime example. When GDPR came about, organizations had to make costly changes in their infrastructure to be in compliance. Bringing in an agency or partner who is focused on compliance as a business helps make changes easier on your internal team.
Matthew Ryan is an attorney with the Flushing Law Group located in downtown Flushing, NY. Matthew has been a practicing attorney for nine years with expertise in business litigation. His areas of expertise are in servicing clients in the areas of complex business litigation, employment and labor law, and UDRP disputes.
"Every business organization is unique in terms of…"
Their obligations under the law with respect to the duties owed to customer and employees under the ever-changing regulations of privacy law. To that end, an organization would be wise to recognize the particularities of their business channel and what best practices they need to engage to ensure they are properly complying with the storing and using of personally identifiable information of individuals. One way to stay ahead of privacy laws in your business niche is to subscribe to trade magazines and legal journals in your business category. Ultimately, however, the best way to stay ahead of the curve on legal developments in your business category is to consult a data security or privacy attorney who can best inform you of recent developments in the law and pending litigation that may affect your business practices.
Douglas Crawford has worked for almost six years as senior staff writer, security researcher, and resident tech and industry expert at ProPrivacy. He has been widely quoted on issues relating cybersecurity and digital privacy both in the U.K. national press (The Independent and the Daily Mail Online) and international technology publications such as Ars Technica.
"Companies have two main options when it comes to maintaining compliance with evolving privacy regulations..."
They either try to skirt the laws as much as possible, attempting minimal compliance with the latest changes, or they can embrace the ideals that drive the push for more and stronger privacy laws.
Needless to say, the latter option should be preferred on both moral and practical grounds. A genuine commitment to protecting users’ privacy should ensure that robust systems are put into place that easily outpace the rules put into place by legislators who need to balance idealism with political expediency.
What this means in practice is putting the interests of customers first. Writing simple plain-English privacy policies that people other than lawyers can understand, providing a genuine commitment to protecting customers' privacy instead of seeing their data as a resource to be mined and sold to advertisers, and so on. Polices that place users’ privacy first and foremost may have some short-term negative consequences, but the long-term benefits of having a loyal customer base which genuinely trusts the company should outweigh such concerns.
Dan Goldstein is president and owner of Page 1 Solutions, LLC, an Internet marketing company serving attorneys, doctors, and dentists. He has published numerous articles and is a frequent speaker on internet marketing topics. Goldstein is an attorney and is licensed to practice law in Colorado.
"My advice to businesses and other organizations: Read the writing on the wall..."
Consumers are placing increased value on their privacy, and legislators are starting to take notice. The best way to stay on top of and even keep ahead of changing privacy laws is to know where your customers are located. One of the unique facets of this growing area of regulation is the cross-jurisdictional nature of the laws (ex: GDPR applies to all websites serving users in the EU regardless of where the organization, server, etc. is actually located). To maintain compliance, you need to know the rights your customers have under their local laws and revise your website and business operations accordingly.
Mike Catania is a six-time entrepreneur and the founder of the coupon community PromotionCode.org.
"A lot of American companies with toeholds in the EU have already had to make changes to…"
Their privacy policies to comply with GDPR, so American companies without that European presence should start by looking there for insight as to how the U.S. might regulate online privacy. The biggest challenge that companies in the U.S. will face will probably come in the form of proactive consent and trying to anticipate what that will look like based on European models. With the ubiquity of data breaches, Americans are largely densensitized already, but future regulation would likely also touch upon how users affected in a data breach must be notified and what forms of remediation will need to be offered. All told, aiming for GDPR levels is a good start, and if nothing else it puts forth a roadmap for your digital privacy strategy.
Arlo Gilbert is the CEO & co-founder of Austin, Texas-based Osano, a B-corporation focused on creating transparency in data privacy.
"Every single week we see a new data privacy law proposed…"
We pay in-house counsel to analyze those laws and provide suggested actions to our customers. Those laws run the gamut from the absurd to the amazing. With a complex political atmosphere in Washington, it seems that there is little likelihood of federal privacy legislation in the next few years. As a result, companies are forced to comply with a conflicting patchwork of state, regional, and foreign laws with regards to data privacy.
What can a company do to manage an ever more complex regulatory environment?
First, we highly recommend monitoring all data privacy legislation. Most law firms and in-house counsel have access to tools or can buy tools that will provide near real-time reports about legislation that may affect their business.
Second, identify the most restrictive laws and behave as though every single customer lives in that most restrictive area. Although this can mean changing business processes, inevitably this is the only way to ensure that a regional enforcement action won't impact you.
Third, include other organizational units when building your privacy approach. Too often, the legal department writes up complicated documents but marketing didn't get the message. We've repeatedly seen companies where the C-suite intended to abide by privacy laws but a product, engineering, or marketing lead made a decision without any awareness of the company's new privacy focus.
Finally, privacy compliance is complicated and requires allocating budget the same way that you allocate budget for security. The companies who treat privacy not as a burden, but as a feature to promote, will see their brands succeed; those who don't might not survive.
Adam Goulston is a U.S.-born, Tokyo-based copywriter, editor, and content manager. His company Tsujiru serves globalizing Asian businesses.
"The U.S. has generally more lax data privacy laws compared with those seen in Europe..."
Legislation like the GDPR, various PDPAs, and Canada’s PIPEDA doesn’t emerge from nowhere. Legal pros have a duty to keep up on these things. Organizations themselves should regularly update their employees' knowledge on data protection practices, especially in their states and/or countries, as well as with partner business countries. Linkage of systems is creating new problems as well, because each system in a stack must be effectively secure. That needs to be confirmed both via IT and legal staff. And specific industries that deal with high volumes of sensitive data on a daily basis – such as financial, medical, and telecom – must know their individual guidelines as well as the overarching legislation. To stay up-to-date, continually audit systems and human resources, and to stay ahead, have trusted legal guidance concerning region, industry, and technology.
Jan Youngren is the Cybersecurity Expert at VPNpro.
"The biggest concern with regards to changing privacy laws is for the SMBs that don’t necessarily have their own lawyer that keeps everyone up-to-date..."
The good part is that those changes don't come that often to put your organization in jeopardy after one amendment.
Clearly, the last year's GDPR reached not only Europe as it had repercussion to anyone who's dealing with EU residents. The upcoming California Consumer Privacy Act (CCPA) will also be discussed widely as January 1, 2020, approaches, but in a sense, it's similar to the GDPR. If all goes well, a federal privacy law should sort out everything for good.
To make sure that your organization isn't breaching any privacy laws, you simply shouldn't monitor, collect, or store any user's data that's not required to grant him the service. And if the storage is needed, it should be done following security standards, such as having the data encrypted.
Basically, whichever legal changes are made, they match the principle of the consumer's "Right to Know," "Right to Access," "Right to Opt-Out," and "Right to Deletion." If you follow these four principles, it's highly unlikely for you to end up in trouble. Finally, hiring a privacy law consultant would be a good idea as the cost of her service will be of no match to what your organization risks paying for failing to comply with one or some of these regulatory acts.
Aki Estrella is a consultant and advisor with 16 years of experience with privacy, regulation, law, and technology. She has held positions as a business attorney and as a consumer protection attorney. She has been a featured speaker on the intersection of technology, regulation, and innovation. She's passionate about privacy.
"First, they should start thinking about privacy laws as being inevitable..."
There is no 'if,' it's only a matter of when. GDPR had a huge impact on how American lawmakers started to think about privacy and regulating it. Privacy scandals, data mining, breaches and hacks of organizations created a perfect storm. In the next 5 years, expect most states to have a privacy law on the books with a dedicated privacy regulator doing privacy enforcement. The federal government is also likely to try to pass a broad privacy bill but U.S. state laws, for the most part, will still need to be complied with.
Second: They should find a solution within their budget to track privacy laws in the areas that they operate in. States are currently ramping up privacy legislation that bear a variety of consequences from class action lawsuits to regulatory penalties. They can use a subscription service if their organization already has a legal or compliance team or hire a full-time privacy manager. An effective in-between measure is to hire an attorney or, when costs are an issue, a privacy consultant. A privacy consultant can offer solutions, privacy audits and on-going advice, depending on their background, and will likely cost less than an attorney because of reduced overhead and smaller size.
Third: They should start think of and implementing policies now that will mitigate cost and risk of privacy law compliance that is definitely coming. Here are some suggestions for organizations of all sizes.
Consider data holistically: Thinking about the types of data you collect or use in your organization, whether it's absolutely necessary and whether the people you collect it from know about the use/collection will help them start the process of considering what their policies should be. Remember, everyone has data, not just your customers. Your employees, your vendors, your business partners, your networking contacts.
Segregate information: Everyone who interacts with your business has data that your organization probably uses so thinking of what those categories are and beginning to segregate them is an important step. Once you identify that information, you're in a better place to begin thinking about how you want to define policies for it and how to sort through it when people ask for it.
Prepare to respond: Like the GDPR, the state privacy laws (and any potential federal privacy law) generally have a customer request function built in. A customer can request what data you have about them and your org will have a short time to offer an accurate response or you'll be faced with fines, penalties and possibly suit. Prepare your response and use your newly segregated information to easily pinpoint where to look to dispense the appropriate information.
Train your staff: There will be a need to respond to people quickly. When thinking about how you want to approach your data for the inevitable privacy law in your jurisdiction or the places your organization reaches, include your staff, educate them on data handling and privacy practices, and ensure that your privacy/data security training is top notch. It's a bit of money up front but it can save your organization's reputation and money down the line.
Jodi Daniels is Founder & CEO of Red Clover Advisors, a certified Women's Business Enterprise data privacy consultancy, helping companies create privacy programs, provide operational support to achieve GDPR or CCPA compliance, and serves as a fractional privacy officer.
"Companies can stay ahead of changing privacy laws by creating a strong privacy foundation throughout the organization..."
This means that privacy is baked into the operations of the company. With each new project, marketing strategy, or vendor hired, privacy is considered at the beginning of the process. As a part of the regular course of business, the project would include a review of the privacy notice to ensure it accurately reflects the new use of personal data, a privacy impact assessment would be performed to ensure that privacy and security requirements are met or mitigated, and employees know their role in protecting data. When privacy is at the core and root of a company, a new law is not overly burdensome and the business will be nimble at adapting to it.
Prof. Ralph R Russo and Prof. Mark Melasky Esq.
Ralph Russo is the Director of the Tulane University School of Professional Advancement Information Technology Program, where he is focused on keeping learning delivery and the Applied Computing curriculum on pace with cutting-edge technology, security and industry advancement.
Mark Melasky is a Registered Patent Attorney in New Orleans, Louisiana. Mark is licensed to practice law in Louisiana and before the United States Patent and Trademark Office in patent cases. His practice includes patents, trademarks, copyrights, trade secrets, and related intellectual property and business formation matters.
"Privacy laws are changing at a dizzying pace in some places while stagnating in others..."
How can an organization stay ahead of the curve in order to reduce risk to their business while maintaining and ensuring compliance with the laws of various jurisdictions?
Facebook is an example of a huge company, with billions of dollars on the line, that completely missed the changing public mood around privacy. However, Zuck and company aren't the only organizations that have run afoul of these shifting moods, resulting in damage to reputation, poor optics and increased risk. Think Uber, Ancestry.com, and many others.
Some of this concern and pain relates to failure to secure systems, resulting in data breaches (US OPM, Equifax) which ultimately result in privacy concerns. This risk to the business bottom line is being addressed by massive spending on cybersecurity personnel, process, governance, and hardware/software.
The other privacy concern, however, is caused by companies aggressively sharing user information, selling this information or connecting this information in a way that indicates they have misread public/customer reaction. This latter problem, caused by zealous pursuit of market share, is the one that is largely unaddressed in many organizations, at least in a comprehensive and integrated way. How then to find the balance between delivering the next big technical efficiency, entertainment system or product and the risk of a huge privacy problem?
To address this issue, organizations should designate a C-level leader to examine company changes, product additions, acquisitions, and strategy purely from a privacy perspective. In fact, the role of Chief Privacy Officer (CPO) is already on the rise, as companies recognize the dollars at stake by mis-reading these shifting sands.
However, the role must be more than a policy wonk, and should include an array of responsibilities and support. Like a legal advisor, this role should be included in major decision-making process to weigh in on risk related to privacy. To insure the CPO role is extending beyond policy on the "known," the CPO should be supported by a board consisting of NDA-constrained non-employee attorneys, technologists, entrepreneurs, and culture-leaders that can best weigh in on laws, cases, news, movements and the cultural sharing tolerance of segments of the public at any given time – in a way that is free of the corporate echo-chamber and "yes" men. The Board would then provide advice on risk to senior leadership through the CPO.
This entity would be responsible for recognizing potential legislation and reviewing and researching emerging legislation and for tracking court decisions. This entity would need to be able to keep their "ear to the ground" on trending zeitgeist around privacy, including privacy advocacy movements, and other privacy-related trends and technologies.
In this manner, companies would be assured of getting input on critical decisions from not only their technical gurus, legal eagles, and financial wizards, but also from someone who can weigh in on the potential risk of blowback, resulting in reputation/brand damage and responsive legislation. Additionally, organizations should be aware that courts will view an organization’s actions in hindsight through a negligence standard once an incident occurred because "of course they should have seen it coming," and this approach, functioning properly, will show affirmatively that an organization is performing due diligence with foresight.
When reviewing legal decisions on privacy, team members should be aware that evolving laws may not be uniform, so organizations will need to have a plan in place to ensure compliance with each jurisdiction’s requirements should an event occur. Organizations should ensure that end user license agreements (EULA) memorialize plans to share user data and should have these agreements reviewed to ensure compliance with privacy regulations.
Lastly, by investing in a well-structured privacy infrastructure that is sensitive to the public's limits on data sharing, companies can also be positioned to get out their own story via social media directly to the public before they are attempting to defensively counter negative news reports and social media.
Rita Heimes is the Research Director, DPO, and General Counsel at the International Association of Privacy Professionals (IAPP), the largest and most comprehensive global information privacy community and resource.
"Organizations need to adopt policies reflecting their values when it comes to their customers' and their employees' privacy..."
They should appoint or hire someone to be a privacy expert and champion, give that person authority to influence product design and implementation with regard to privacy and data ethics, and educate everyone in the organization who touches personal data about the company's privacy values. By institutionalizing data privacy as a core value – much like environmental sustainability or diversity – it will be easier to react to specific legal obligations because the infrastructure, personnel, and awareness will already be in place.
Privacy also isn't just one person's job. It will need to be the responsibility of everyone handling personal data or developing products that collect, analyze, and rely on personal data. Companies should add privacy awareness to their job requirements when hiring executives, managers, programmers, developers, and engineers. Deep institutional awareness and commitment to privacy will make it much easier to comply with new laws – and even go beyond compliance.
Sweeney Williams is Vice President of Security, Privacy & Compliance at Vision Critical. A security and privacy leader with more than 10 years of experience managing complex, globally dispersed cloud compliance operations, he provides best practice guidance to business stakeholders and customers to assist, advise, and educate on all aspects of data privacy and security.
"Businesses need to stop approaching privacy compliance as a point-in-time, regulation-specific effort..."
Privacy laws are evolving at a pace that is simply too rapid for this outdated approach to scale. For this reason, focusing on the foundation of what privacy laws aim to achieve will yield the greatest returns. Specifically, protecting the rights of individuals to access and control their personal information, collecting it with consent and being transparent about its use, and defending it against unexpected or unauthorized disclosures.
This is not meant to convey that businesses who take these steps need not follow new developments in privacy law (they must of course monitor or they will fall out of compliance), but the approach noted here will always serve as a solid platform for complying with any new regulation. Most importantly, businesses must ensure that a culture of trust and responsible data handling exists within their organizations and there needs to be a commitment across all parts of a business to succeed on this front. We’ve all heard the saying 'culture eats strategy for breakfast,' but perhaps it is time for a new one:
Culture eats compliance for breakfast.
Morvareed Salehpour is a Managing Partner of Salehpour Legal Consulting.
"Companies can stay ahead of changing privacy standards by…"
Putting in the appropriate forethought into structuring business policies and procedures. For example, that means already putting in the efforts to comply with the California Consumer Privacy Act that goes into effect January 1, 2020 versus waiting to the last minute to attempt compliance.
Sam Rooi is Product Manager at Intrepid Wellbeing. Intrepid Wellbeing is a technology and content platform providing health and wellbeing tips and tools for active individuals and families.
"Small organizations will always lack the legal manpower to…"
Stay on top of ever-shifting privacy laws, and the problem is far worse for Internet-based business models where jurisdictional issues raise major complexities. Europe's GDPR is a perfect example, whereby countries outside of Europe have had to practically apply the GDPR standard for all their users because applying standards at a fine granularity is cost prohibitive or sometimes even impossible.
To stay ahead of changing privacy laws, it's best to adopt a data design philosophy in product management. Some technology startups can be very data hungry, collecting as much data as they can, with the hope that at some point in the future they will be able to analyze that data to uncover insight that can propel future growth. With our product management philosophy, we are a lot more selective about what data we collect, and we are especially resistant to collecting PII (personally identifiable information) because the use cases that require us to collect PII provide relatively little value to the end-user or our business. With this least data product management philosophy, we don't necessarily keep up with the latest changes in privacy regulations around the world, but we have reduced our risk substantially.
Theodora Stringham assists individuals and businesses with growing successfully while minimizing liability. In her employment law practice, she provides assistance with growth issues including talent and idea retention, discipline, and discrimination claims. Ms. Stringham's representation ranges from identifying potential liability and providing counseling/trainings, all the way through representation at trial.
"Best practices surrounding privacy laws must include a well thought-out and communicated policy..."
Everyone on the team (from the bottom to the top) should be aware of how sensitive information and data should be treated. From my experience, this includes training sessions that include real-life examples to fit the evolving nature of the organization. Without this constant communication/reminder, many policies are often forgotten, putting the entire organization at risk. It only takes one person’s mistake to cause a huge problem.
Katie Martinelli works as a Learning and Development Analyst for High Speed Training. Following her masters’ degree, Katie moved into the eLearning sector to consult on training course content, with particular focus on legislative changes in the U.K.
"Ensuring legal compliance should be a key part of every organization's strategy and objectives..."
While it can sometimes feel like a losing battle to keep on top of constant regulatory or guidance changes, there are some easy strategies you can implement to ensure you remain compliant.
To stay on top of changing privacy laws, a few methods you should consider include:
Keeping all policies up-to-date. Each policy should have a dedicated staff member or team in charge of ensuring it's accurate and in line with regulatory changes. Allowing your policies to expire will not put your organization in a good position to proactively meet changing compliance requirements.
Ensuring there is effective communication within your organization. It’s important that your organization effectively communicates policy or procedural changes to everyone. This will ensure all staff members understand any changes to their duties as a result of amended regulations. All workers should know where to find relevant handbooks or information, as well as the deadline for completing training and who in the company they should contact if they have any queries.
Using online training. Online training offers greater flexibility compared to face-to-face alternatives. Gone are the days where you have to carefully consider the logistics of getting all your employees in the same place at the same time. Online training provides your staff with the ability to undertake training anywhere, at a time that suits them. Look for a company that offers a management tool that allows you to track everyone's progress, this way you’ll ensure that all your staff understand how to meet their legal duties and won't have to worry about anyone missing training.
Finally, it's important to ensure your employees are aware of any upcoming changes. Keep them in the loop, remind them of necessary deadlines, and promote the benefits of compliance. Ensure managers and supervisors are on board, positive, and proactive about any changes. Building a top-down positive culture surrounding compliance within your workplace will make it much easier when you need to react to changes.
Annalisa Nash Fernandez
Annalisa Nash Fernandez is a specialist in world cultures, focusing on cultural elements in technology and business. She holds a dual background as corporate strategic planning director in global emerging markets, and linguist, and earned a BS in finance from Georgetown University, and MA in translation from University of Wisconsin.
"To stay ahead of changing privacy laws, look across borders..."
U.S. laws regarding privacy are relatively new in our history, and have developed largely by precedent, industry by industry. The U.S. is now moving closing towards a European privacy framework, which focuses on human dignity and personal privacy in ways that may foreshadow what is to come in the U.S. But privacy is a cultural construct, and the emerging legal system surrounding it is likely to remain geographically decentralized in practice. As a result, organizations must be aware of privacy laws globally as they expand their reach into new international markets.
Shawn McBride is a corporate lawyer (licensed in 12 states and D.C.) at McBrideAttorneys.com, CPA (in three states), host of The Future Done Right (TM) Show on the future of business on YouTube, and frequent speaker on the future of business.
"The key to staying ahead of privacy laws to have a monitoring and compliance campaign..."
New laws should be studied as soon as they are adopted and a compliance plan should start then. Often, systems and processes need to be changed in light of the new laws.
Some companies may decide to withdraw from some markets based on the changes (as some companies did with the GDPR). These are big impacts that need to be well considered early in the process.
A coming trend is deglobalization, and it may be a reality that smaller companies need to go back to focusing on one region due to the regulatory landscape.
Jaykishan Panchal is a Content Marketing Manager at E2M Solutions Inc. and implements digital marketing strategies to help businesses strengthen their online presence.
"GDPR and California's Consumer Privacy Act of 2018 have marked the beginning of rising stringent data privacy regulations worldwide..."
You can stay on top of these changing regulations. Here’s how:
Designate an in-house team or individual to track global, national, and regional privacy law changes. This team or individual should analyze and filter the collected information and stream it as direct alerts or email notifications to other team members.
Create a uniform taxonomy to convey the regulatory changes to the team members. Consistent language, terminology, and information structure facilitate communication and execution.
Maintain proactive communication to ensure real-time outreach to your subscribers about relevant policy changes. Be transparent with your consumers about how you intend to use their personal data.
Collect the data yourself instead of relying on third-party resources for better control over the data flow and its legitimacy. When using an outside resource, have an accountability system to check the impact of third-party policies and standards.
Evaluate the potential impact of regulatory updates on your current business practices in detail and make the necessary changes in advance.
Ensure your current business practices aren't over-reliant on data with high privacy risk. Find an alternative to mitigate potential risks.
Mathias J. Klenk
Mathias J. Klenk is the CEO and Co-founder of Passbase. Passbase is a digital identity platform backed by verified government documents, linked social media accounts, and biometric signatures.
"Companies should move away from aggregating and collecting data about their users..."
The future of security must lie in a privacy-centric architecture where users can maintain the same ease of use – without friction – while having control over their data. This is crucial to fighting identity theft and privacy attacks.
With data privacy laws like the GDPR and CCPA, companies need to ensure that the information they collect – which includes biometric and sensitive data – comply with the regulations. Organizations will need to be transparent on the personal data collected, manage requests for deletion of data, and ensure policies against reselling data are in place.
This highlights the need for organizations to rethink their identity verification process to one which gives users control over what data to share and who to share it with.
Judy Selby is the principal of Judy Selby Consulting LLC and a partner with Clearview Privacy Consulting, LLC. She assists companies with their privacy compliance needs and with securing insurance for today's emerging technology, cyber, and privacy risks.
"Organizations need to keep the fundamental spirit of privacy laws top of mind..."
Complying with the letter of each applicable and prospective privacy law can create significant operational and budgetary challenges, especially for enterprises that operate in multiple jurisdictions, and it's hard to do everything at once. But organizations should remember that even though each privacy law has its own specific requirements and nuances, today's privacy mandates are largely based on similar fundamental principles, which include the concepts of knowing what data you have and where you have it, collecting only what you need, disposing of what you don't need, and employing reasonable security measures. Organizations that prioritize, execute, and document these steps are likely to be way ahead of the game when new privacy mandates are issued.