Creating a Solid Foundation for GDPR, CCPA, Future Laws
First came the GDPR, the European data privacy rules. Next came the California Consumer Privacy Act (CCPA), which became effective this year on Jan. 1. And now many, if not all, states are grappling with coming up with their own set of rules and regulations to address the significant privacy concerns of individuals regarding the protection of information that they deem to be private. While there are similarities between the GDPR and the CCPA, as each state drafts and enacts its own laws on the subject, there will be many variations, from obvious to subtle, in both language and terms. As a guideline for managing these laws, which may be nothing more than vaporware in most states today but are an eventual reality, what follows are some critical thoughts that should be considered now, before the crazy state-by-state quilt of privacy laws containing very specific but different terms is upon us.
Underlying any enterprise privacy management issues must be the creation and systematic updating of a business case for using, storing, and maintaining personal data. It’s imperative that proper justification for collecting data be the very foundation of the ongoing management and implementation of any compliance issues. Is there another way to achieve the same result, other than the use, storage, or maintenance of personal data? This is the first question that MUST be asked before building policies designed not only to protect the data but to protect the enterprise itself if and when things go awry down the road. A secondary obligation is simply that an enterprise must have a firm grip on the requirements and risks of using the data that it has. But the preliminary bottom line is that proper justification for the data collection in the first place must be the foundation of any policies or systems that involve the use of personal data, however that magical phrase is defined. It’s the same whether you’re building a house or a policy: a strong structural foundation will allow for flexibility as interpretations change.
Once it is determined that the fundamental structure is in place, the next gargantuan task is the management of deployment, use, and maintenance of the systems that use personal data. To the extent possible, any processing activity that relies on or uses personal data should be conducted as transparently as possible. Secondly, consumers must be able, with ease, to exercise their rights. That is, a 10-page disclaimer in small print about how an individual can “opt out” will not pass muster virtually anywhere. Where “opt-in” and “opt-out” capabilities are required, they simply must be easy to access and use. Period.
On the inside, it’s imperative that personal data that’s been collected be used in a manner that’s consistent with the stated purposes of such collection and the notice(s) provided to individuals whose personal information is in use.
Next, data should be updated as needed, while the enterprise continues to respond to consumer rights and ensures that personal data is shared only with outside entities that meet the same—if not stricter—levels of adherence to statutory or other privacy policies, as well as security requirements.
Also, as soon as personal data is no longer needed, it should be appropriately and safely discarded. Key emphasis here might be on the “safely” part. Simply deleting it may not be either sufficiently secure or appropriate. Circumstances will dictate the level of care required for this critical step.
Lastly, an enterprise that holds personal data must behave consistently with the policies that it has put in place. As applies in many other contexts as well, a policy is not worth the paper on which it’s written if it’s not strictly followed and enforced. And here, where there is so much at stake, and where breaches—particularly the big ones—often reach the nightly news and can thus have a significant impact on an entity’s bottom line, compliance with the law, as well as with in-house policies, is absolutely essential.
As is always the case with policies, prudent practice dictates that such policies be reviewed and updated as necessary, on a regular (quarterly/annual) basis, to accommodate changes in circumstance, whether those changes are legal, practical, or simply based on the publicized missteps of others.