GDPR, Data Privacy, and Your Next Big Lawsuit
By Patrick Callahan, Neha Khanna, and Ben Kates
Over the past two years, a distinct spotlight has turned on how companies are using — and often misusing — consumer data. Among many, three key events have brought this to the forefront of national discussion:
- Public awareness of the misuse of data in the Cambridge Analytica scandal
- The recent enactment of the General Data Protection Regulation in the EU (GDPR)
- Legislation in California (CCPA) and various other states focused on consumer data privacy.
As a result, many of our clients are working with us and looking internally to see if their processes, practices, procedures, and data collection systems are capable of meeting the requirements of privacy laws (locally and globally).
The last thing an organization wants is the threat of a lawsuit, much less finding themselves on the cover of the New York Times or Wall Street Journal for poor practices in leveraging consumer data.
Is Your Organization Subject to GDPR or California’s Consumer Protection Laws?
So, how do you know if you should be concerned? If you answer yes to any of the following questions, your organization should have a plan:
- Do you collect user data on your website through tools like Google Analytics or Adobe Analytics?
- Do you send data to a third party advertising network like Google or Facebook?
- Do you allow visitors to subscribe to an email subscription?
- Do you allow users to make transactions on your website?
- Do you have a login/account feature on your website?
If you answered yes to any of the above questions AND you generate over $25 million in annual gross revenue in the United States OR collect data on over 50,000 users from California each year, you should be looking at your practices and systems to ensure you can be in compliance. By January 1st, 2020, organizations will need to be able to:
- Give users the option to opt out of selling data to third parties.
- Give users all data you have about them within a 45-day window.
- Delete user accounts and all associated data upon request.
- Have a line of communication to users and their information retrieval/deletion requests.
While there are many ways to make data privacy compliance more manageable, consider looking through the steps below to help you on your journey to GDPR Compliance:
- Access: The first step toward data privacy compliance is to access all your data sources. Investigate and audit what personal data is being stored and used across your data landscape.
- Identify: Once you have access to all your data sources, identify and categorize what personal data can be found in each; such as names, email addresses and social security numbers.
- Govern: Privacy rules must be documented and shared across all business lines. This is the best way to ensure that the data can only be accessed by those with proper rights.
- Protect: It is extremely important to set up the correct level of protection for data. For data privacy compliance, we can use three techniques to protect data: encryption, pseudonymization and anonymization.
- Audit: The fifth and the final step involves auditing to be able to produce reports clearly that comply with the regulations and also protect the personal level consumer data
Future of Privacy 2019
As of now, multiple countries are implementing regulations inspired by GDPR principles, a movement that is likely to continue into the foreseeable future. Security and risk management leaders are taking note. Gartner, in their 2019 prediction for privacy, states “By 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018.”
Today, data-driven organizations hold consumer data with large volumes of personal information that is both sensitive and vulnerable without the clear knowledge of how to use it. Because sensitivity is a constant characteristic and vulnerability is arguably important, this volume of data dictates the level of risk and represents the largest area of privacy risk today. Additionally, privacy regulations have introduced penalties and stiff fines for violations, making the risk of holding unused personal data potentially very expensive
Over the next two years, the organizations that do not revise data retention policies to reduce the overall data help will face huge sanction risks for noncompliance as well as the impacts associated with an eventual data breach. CompassRed is working with several partners to mitigate this risk, especially when it comes to the management of the data.
If you are unsure of how the existing GDPR legislation or upcoming CCPA legislation impacts your business, consider a data audit. Let CompassRed be your data partner in your efforts to protect your users’ privacy.
