A year ago, on 25 May 2018, the General Data Protection Regulation (GDPR) law became enforceable. Across many industries, CISOs and senior management worried that the GDPR’s “least data necessary” collection requirements would greatly restrict, or even end, long-term working practices — especially for marketers.
So where are we today? Everywhere you look data protection has risen to the top of the agenda. Take a look at Facebook’s annual developer conference or Microsoft Build, and all you will see is the word privacy. While GDPR enforcement gained consumers privacy rights, businesses lost money from increased compliance and fines..
What Trends Are We Seeing as Organizations Move to Adapt to GDPR Requirements?
Consumer Voice Creates Risk: Consumers, rapidly becoming more privacy-conscious, increasingly voice their concerns. Facebook’s lack of governance over privacy controls made the everyday-user concerned about their information. Calls to action spread across the internet, increasing consumer scrutiny over their online activities and permission granting. The word “cookie” now has meaning outside the confines of dessert.
Businesses Move Away from Third-party Ad Tracking: The barrage of privacy notices on 25 May 2018 made consumers hyper-aware of the way websites tracked their information, sometimes for the first time. In response, businesses moved away from third-party ad trackers not just for compliance purposes but to respond to customer demands.
How far does GDPR go?
Alexa is moving into healthcare. Following a trial of Amazon’s smart speakers in patients’ rooms at Cedars-Sinai, the company this morning announced an invite-only program allowing select developers to create and launch HIPAA-compliant healthcare skills for Alexa. Voice is becoming a huge concern and a huge risk. When you think personal data, you have to think outside the box. Everything is a risk. Example: UK Tax Agency to Delete 5 Million Voice Files After GDPR Violation.
U.S. State Governments Took Notice: California enacted the California Consumer Privacy Act which may be the beginning of a new Online Privacy Revolution in the United States. Similar to the GDPR, companies selling products to California Residents, whether living in the state or temporarily outside the state, need to provide customers rights to decide how their information is shared and the ability to obtain it upon request.
What to Do? Act Now, and Act Fast
If you haven’t acted to ensure your company meets GDPR requirements, start today. With the exception of Google, the number of fines and their values have been low compared to the number of disclosed breaches. However, this reaction is due, in part, to regulators in some countries remaining unaccustomed to the increased supervision and coordination roles they now play.
All compliance begins with risk. To meet privacy compliance requirements, organizations need to know the types and locations of all data assets. Every organization must start with a solid personal data inventory.
Privacy compliance requirements are more than securing information, they focus on allowing people to have control over the amount and type of information they share. This means focusing on consent to share and creating data collection policies that limit information based on need.
Data security is the final piece of the privacy puzzle. You need to be focusing not just on your own security, but on the security of third-parties with whom you share data. A strong security posture helps protect data privacy, but you can only do that by continuously monitoring your ecosystem.
A Fragmented Future or an International GDPR Approach?
The implosion of the Washington State proposed privacy law arose from a series of amendments that mimicked those contained in the GDPR, including standards governing facial recognition and other biometrics. Meanwhile, in April 2019, the Texas House Committee on Business and Industry moved its privacy bill to the House floor, indicating that other states may follow California’s lead.
The continued fragmentation of privacy laws in the United States, currently creating an entangled morass as the internet crosses state lines, may be the final catalyst for federal oversight. On May 21, the U.S. Senate Judiciary Committee unanimously agreed that the US needs a federal privacy regulation, yet what this would look like remains up for debate. A federal privacy law needs to preempt state laws while continuing to follow many of the guidelines set forth in them.
With many state laws mimicking the GDPR, either the fragmented state law approach or the unified federal regulatory approach will require focusing on GDPR compliance requirements such as right to opt-in and data portability. To prepare for the future, companies need to start looking to the past.