Organizations have focused on shoring up their security posture for the past ten or more years, primarily in response to phishing attacks that result in an organization being held hostage for ransom over data that, in most cases, was largely unprotected. The organizations hired a cadre of professionals specializing in intrusion detection and prevention and in building a fortress around the organization while ensuring the business continues to function.
In recent years, there has been a new focus on protecting the data that originates from a company's consumers or customers. Social networks have become a prime venue for driving business to an organization by capturing and profiling a consumer based on perceived activity across multiple company websites. Car manufacturers, for example, can glean what type of car a consumer is interested in and drive ad banners across multiple platforms toward an ultimate sale of the particular car or truck. Food manufacturers collect interest information and subsequently drive ads that lead a consumer to buy that product. All this activity is happening in milliseconds, not to mention the millions of dollars spent every minute to drive a consumer to buy more.
Unfortunately, all this activity has been happening without the consumer even knowing about it until the past few years. Facebook and Google, for example, have come under closer scrutiny by governments to protect the privacy of consumers. Laws have either been passed or are being considered by states or local jurisdictions to stem the tide of consumers' data being used willy-nilly.
The European Union wrote standards and guidelines as far back as 1995 to encourage companies to respect the privacy of their consumers. Companies seemed to virtually ignore the standards, so the EU drafted and passed the General Data Protection Regulation (GDPR), which took effect as enforceable law in May of 2018.
The State of California followed with a ballot initiative the same year, which the California Legislature wrote into law virtually overnight; then-Governor Brown signed it in June 2018, and it took effect this past January 1, 2020.
Consider the following chart maintained, published and updated monthly by the International Association of Privacy Professionals (IAPP).
Canada, Australia and several other countries adopted new privacy laws as well, requiring companies to protect their consumers' privacy and, most importantly, their data.
How does a company decide whether a privacy law is applicable?
Here are some early steps to consider.
Caution: Just because the consumer or the accompanying data is exempt does not relieve your company of protecting that data from breach. Apply encryption or obfuscation that prevents bad actors from exfiltrating the data and holding your company hostage.
Determine if your company meets the provisions of a privacy law by annual revenue and number of consumers.
Your organization should consider the following examples of when a company must comply with a particular privacy law:
What is your company’s demographics for consumers in a particular geographic area?
Determine what elements of personal data may be exempt from the respective privacy law.
Each organization should have a good understanding of consumer rights pertaining to a particular privacy law before conducting privacy impact assessments and data mapping exercises. Consider the following infographic from the GDPR Awareness Coalition for a basic understanding of consumer rights pertaining to GDPR. It summarizes some essential data subject rights, which the infographic calls consumer rights.
GDPR Consumer Rights – or some data subject rights such as the right to access, data portability, rectification, erasure and more from a consumer view by the GDPR Awareness Coalition.
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, affects consumers in many ways:
The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018, took effect in 2020, and now affects consumers and companies in many ways. It provides California consumers with certain rights, including:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in 1996 during the Bill Clinton presidency. It gave patients many rights, previously unknown to them, regarding their healthcare data, including the ability to own their data and transfer it to other medical professionals on request. It further provided them with the following:
There are several factors to consider before purchasing or building a sophisticated application to service consumer rights for your organization.
There are several companies that have the experience and technical ability to help your organization build the right consumer privacy application.
Most privacy laws have provisions that require organizations to apply adequate security controls designed to thwart bad actors' attempts at ransomware attacks. Here are some of the minimum adequate security controls.
Following these simple steps will prepare your organization for compliance with privacy laws. With a well-designed consumer privacy application, your organization is ready for privacy by design.
For many companies, data privacy will not be a new system that merely tracks interactions with customers, members, subscribers and the like, and reports back to them on the personal data a company has in its possession. Rather, it is a shift in understanding what companies do with the personal data they have accumulated over many years. It is becoming evident that more does not always mean better, or vice versa. Data privacy is a cultural change for many companies. It is here to stay. Legislation around the world will only get more focused and restrictive. The current controls or data retention policies in many companies do not properly and adequately equip employees with the tools and processes to help them safeguard personal data, beyond the legal definition of what to protect. Companies that act faster will undoubtedly control their liabilities and achieve better customer loyalty through more focused data privacy and protection programs.
Gary Wright is Exavalu’s Privacy Practice Lead. He has served multiple companies over the past four years designing and developing privacy by design practices with concentrations in GDPR, CCPA, GLBA, as well as regulatory taxonomies spanning, HIPAA Privacy Rules, plus privacy laws of Canada and Australia. He has served Exavalu in the development of a Consumer Privacy Application framework that can be applied across varied domains and enterprises. You can reach him at Gary.Wright@Exavalu.com
Exavalu is your strategic partner on high impact Digital transformation relevant for your Industry. We’re a unique Business Advisory & Technology Consulting firm run by seasoned Industry veterans that are former executives, CIOs, CXOs, and Consulting Principals. We deliver meaningful change and sustained value aligned with your desired business outcomes leveraging our Industry experience and Solutions capability.
This publication contains general information only and Exavalu is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Exavalu shall not be responsible for any loss sustained by any person who relies on this publication.