This movement began in the European Union, which in 2018 replaced its existing privacy rules with the General Data Protection Regulation. This sweeping privacy law provided broad worldwide protection for the personal information of EU residents. GDPR’s reach spread well beyond the European continent, as almost every large American company has some business presence in Europe. Organizations scrambled to understand the impact of these new regulations and update their European-facing websites to comply with the new standards.
In July 2020, privacy regulations hit closer to home when enforcement of the California Consumer Privacy Act began. CCPA provides GDPR-style protections to residents of California. Due to the difficulty of segregating information about California residents, most companies are choosing to apply CCPA standards to all of their customer information. In fact, many privacy experts suspect that other states will soon follow California’s example and pass their own consumer privacy legislation.
Here are a few things that you can do to make sure that your organization is ready for these new regulations and whatever is next on the privacy horizon.
Create Transparent Data Practices
The underlying assumption behind all privacy regulation is that organizations collecting data should do so with the clear knowledge and consent of data subjects, and with the understanding that the data will be used only for previously disclosed purposes.
Allow Consumers to Opt Out
Consent may be given, and consent may be taken away. Consumers should always be able to opt out of data collection and sharing, and organizations must have mechanisms in place to track and honor that request.
Provide for the Right to Be Forgotten
Many privacy regulations now allow consumers to request, in some circumstances, that companies delete all of their stored personal information. This can be a complex technical undertaking, and organizations should prepare to fulfill these requests across their systems.
Understand Your Data
You can’t protect data if you don’t know what you have and where it is located. You also will not be able to implement the right to be forgotten if you don’t have a solid idea of where all customer data is stored. Building a comprehensive data inventory is a prerequisite for many security and privacy controls.
The bottom line is that organizations need to assess their own uses of customer information and their dependence on data sharing practices. New limits on these practices are on the horizon, which will disrupt many businesses. Now is the time to think about changing how your organization handles data and achieves compliance with privacy regulations.