Jun 02, 2021
Prioritizing Data Privacy and Security
By Celine Guillou
The protection of personal information is an increasingly important issue for organizations large and small across all industries. On the consumer front, data protection has traditionally been perceived as largely a “tech” issue. However, as data collection and stricter global regulations proliferate, this narrow perception is outdated. The reality is that organizations collect personal information and lots of it: whether it relates to customers, users or employees, data collection is ubiquitous.
Understanding the Patchwork of Data Protection Laws
California, like most other jurisdictions, also requires companies to secure personal information by implementing reasonable security measures. As security breaches skyrocket, having the right security in place is critical—all the more so under the CCPA because it includes a private right of action for breaches of certain unencrypted personal information, with statutory damages that can be very costly.
Organizations based in California may also be subject to other states’ laws, federal rules and regulations (such as the Children's Online Privacy Protection Act if dealing with children under the age of 13), as well as rules outside the United States. This depends in large part on where individuals are located whose personal information is processed by the organization, as well as the nature of the organization’s business activities and the types of personal information processed. Many businesses located only in California are, for instance, subject to the EU’s stringent General Data Protection Regulation (“GDPR”), either because they offer goods and services to individuals in the EEA or provide services (e.g., SaaS platforms) to organizations that are themselves subject to the GDPR. Data protection is a complex web of overlapping rules with which organizations must comply at varying levels, depending on their business and data processing activities.
So What Does This Mean?
Organizations should first take stock of all personal information they hold. At a very high level, this means identifying what personal information is collected, the sources and purposes of collection, and the third parties to whom the personal information may be disclosed. This is also referred to as “data mapping” and it is the starting point for any privacy program.
Once the inventory of personal information is complete, a privacy expert can assess applicable laws, which will each separately dictate what must be done to achieve compliance. One nearly standard requirement is providing accurate and complete consumer-facing policies and disclosures because transparency is a key element of data privacy. Internal policies (that are actually enforced) also guide an organization’s protection of personal information, and even if not specifically required, will demonstrate an organization’s commitment to data protection in the event of a regulatory audit or lawsuit. Agreements with third parties and vendors that involve personal information should also be carefully crafted, because understanding and monitoring the personal information supply chain is critical not only for meeting transparency requirements, but also because many data breaches begin with third-party vendors that organizations have entrusted with personal information they have collected.
The Bottom Line
Not paying attention to privacy and security can negatively impact an organization’s value in the eyes of both consumers and investors. For instance, in the context of funding, investors now almost always require companies to disclose their privacy and security practices. On numerous occasions, I have seen transactions delayed or otherwise impacted because a company simply had no privacy program in place. The same goes for M&A transactions. In addition, while California has been considered a pioneer of privacy here in the United States, other states are catching up. Many states are now considering new privacy laws, and Virginia just recently adopted one, effective in January 2023, alongside the new California Privacy Rights Act, which passed by ballot initiative last year and expands on the CCPA. Finally, with data breaches through the roof, organizations must prioritize security. In other words, it is no longer possible to ignore the fast-changing landscape of data protection laws or the vastly increased security threats.
Developing a comprehensive privacy and security program may be viewed by many as costly, but in reality, much of the legwork can be done internally with the right processes and procedures and with the assistance of experienced privacy counsel to navigate the patchwork of data protection laws. One thing, however, is certain: ignoring data privacy and security is increasingly likely to be a much costlier bet.
Céline Guillou advises on data privacy and security, with a particular focus on U.S. and European data protection laws. She advises clients in a wide range of industries and sectors, including gaming, B2B, e-commerce, SaaS, IoT, and hospitality. Céline holds a CIPP/E certification from the International Association of Privacy Professionals (IAPP) and is a member of Hopkins & Carley’s Data Privacy & Security Team. She frequently writes about current trends and issues in data privacy and security for The Privacy Hacker.