Data Privacy for Your Organization: Don’t Miss the Subtleties!

Do you have to worry about Privacy Laws?

Organizations have focused on shoring up their security posture for the past ten or more years, primarily stemming from phishing attacks that result in an organization being held hostage for ransom while they were trying to protect their data—in most cases, unprotected to a large extent.The organizations hired a cadre of professionals specializing in intrusion detection and prevention and building a fortress around the organization while ensuring the business continues to function.

Over the past recent years, there has been a new focus on protecting the data that originates from a company's consumers or customers.Social networks have become a bastion of places to drive business to an organization by capturing and profiling a consumer based on perceived activity across multiple company websites.Car manufactures, for example can glean what type of car a consumer is interested in and drive ad banners across multiple platforms to drive an ultimate sale for the particular car or truck.Food manufacturers collect interest information and subsequently drive ads that drive a consumer to buy that product.All this activity is happening in milliseconds, not to mention millions of dollars spent every minute to drive a consumer to buy more.

Unfortunately, all this activity has been happening without the consumer even knowing it's happening until the past few years.Facebook and Google for example have come under closer scrutiny by governments to protect the privacy of consumers.Laws have either been passed or are being considered by states or local jurisdictions to stem the tide of consumers data being used willy-nilly.

The European Union wrote standards and guidelines as far back as 1995 to encourage companies to respect the privacy of their consumers.  Companies seemed to virtually ignore the standards, so the EU drafted and passed the General Data Protection Regulation (GDPR) which became the force of law in May of 2018.

The State of California followed by a ballot initiative the same year which was quickly written into law virtually overnight by the California Legislature and signed into law in June 2018 by then Governor Brown to have the force of law this past January 1, 2020.

Consider the following chart maintained, published and updated monthly by the International Association of Privacy Professionals (IAPP).

Canada, Australia and several other countries adopted new privacy laws as well requiring companies to protect their consumers privacy and most importantly their data.

Deciding if and how your organization must comply?

How does a company decide whether a privacy law is applicable?

Here are some early steps to consider.

• 1. First determine if your company qualifies for a particular privacy law by the annual revenue and number of consumers.
• 2. If the company matches the revenue and number of consumers, then determine how many consumers are in a geographical area that has a law passed or is considering a law.
• 3. If one and two are in play, then determine if your company collects a consumer’s personal data or personal information based on the particular privacy law definition.
• 4. Conduct an inventory of your consumers and your consumers data.
• 5. Determine if there are any elements of data on your consumers that may be exempt from the respective privacy law provisions.
• 6. If all the above seem to prevail begin the process of conducting privacy impact assessments and data mapping exercises that are needed to construct a consumer request process based on the rights of the prevailing law.
• 7. Design, build and deliver a mechanism for consumers to request their rights under the prevailing privacy law.
• 8. Update your organizations privacy pages and/or notices to reflect the common threads of many of the privacy laws, i.e., what data categories are collected and what the data is used for. Don't forget how the organization protects the underlying data from bad actors.
• 9. Consult with the organizations legal counsel as a governing provision for all the above steps.

Caution : Just because the consumer or the accompanying data is exempt doesn't preclude your company from protecting that data from breach by applying encryption or obfuscation that prevent bad actors from exfiltrating the data and holding your company hostage.

Determine if your company meets the provisions of a privacy law by annual revenue and number of consumers.

Your organization should consider the following examples of when a company must comply with a particular privacy law:

• 1. GDPR – Companies with less than 250 employees are typically not required to keep records of their processing activities unless it's a regular activity, concerns sensitive information or the data could threaten individual's rights regardless of revenue.
• 2. CCPA – if one of the following thresholds apply; annual gross revenue of $25 million; annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or derive 50 percent or more of its annual revenues from selling consumers personal information. The respective privacy laws can also help understand if the specific situations should apply.

What is your company’s demographics for consumers in a particular geographic area?

• 1. Determine first what a data subject or consumer is for a privacy law, for example:
  • a. GDPR – defined as an identified or identifiable natural person. There is no restriction on their nationality or place of residence, however, so a data subject can be from anywhere in the world. Equally, however, a data subject must be a person; a corporation or other entity cannot be a data subject.
  • b. CCPA – A consumer is defined as a natural person residing in the United States and a California resident. Section 17014 of Title 18 of the California Code of Regulations provides a detailed explanation of a California Resident.
• 2. Determine if business is conducted in the geography that applies to the respective privacy law. Generally, if your company has personal data or personal information as defined by the privacy law, most likely your organization will have to comply.
• 3. Classify consumers by geography and subsequently by what privacy law applies.

Determine what elements of personal data may be exempt from the respective privacy law.

• 1. Each privacy law may have an exemption that precludes data covered by other privacy laws, for example, CCPA precludes data covered by GLBA, HIPAA, California Financial Privacy Act, to name a few. However, each of the respective privacy laws excluded have consumer privacy rights provisions that must be protected. Exclusion from one law doesn't imply exclusion from the respective law consumer privacy rights.
• 2. CCPA includes the following specific excludes from requiring an organization from deleting data:
  • a. Data that is needed to complete a transaction or requested by an existing consumer be excluded from a deletion request;
  • b. Data needed to protect an organization from a security risk, fraud or illegal activity is also exempt from a deletion request;
  • c. Data needed to identify and repair a system problem (fix bugs) may be kept, but should be obfuscated;
  • d. Data required to execute a warrant to obtain information in an emergency;
  • e. Data used to engage in scientific, historical, or statistical research in the public interest, not solely for company research;
  • f. Data used for internal use only in a way the consumer expected;
  • g. Legal holds, required to comply with legal obligations or applicable laws; or
  • h. Data used for internal use only in a way the consumer expected.

Do you know the respective rights under the appropriate privacy law?

Each organization should have a good understanding of Consumer Rights pertaining to a particular privacy law before conducting privacy impact assessments and data mapping exercises. Consider the following infographic from the GDPR Awareness Coalition for a basic understanding of consumer rights pertaining to GDPR. They made an infographic which summarizes some essential data subject rights, in this case called consumer rights in the infographic.

GDPR Consumer Rights – or some data subject rights such as the right to access, data portability, rectification, erasure and more from a consumer view by the GDPR Awareness Coalition.

The Gramm–Leac–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, affect consumers in many ways:

• Financial institutions are required to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
• The law requires these institutions to explain how they use and share your personal information. The law also allows you to stop or "opt out" of certain information sharing.
• The law requires that financial institutions describe how they will protect the confidentiality and security of your information.

The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and has taken effect starting with 2020, now affects consumers and companies many ways. It provides the California consumers with certain rights including:

• Right to know what personal information is being collected;
• Right to access their personal information;
• Right to request deletion of personal information collected with exceptions;
• Right to know if personal information is sold or disclosed and to whom;
• Right to say No to the sale of personal information; and
• Right to equal service and price.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted during the Bill Clinton Presidency in 1996. It gave patients many rights, which were previously unknown to them regarding their healthcare data and the ability to own and transfer their data to other medical professionals on request. It further allowed then with the following:

• Consumer (Patients) have the right to require a covered entity to de-identify or remove all identifiers specified by federal regulations, including any "unique identifying number, characteristic, or code with respect to the use or disclosure of their data.
• To have their personally identifiable information protected from breach through various safeguards.

Design and build a Consumer Privacy Application

There are several factors to consider before purchasing or building a sophisticated application to service consumer rights for your organization.

• 1. How many consumers are expected to request their rights under a privacy law?
  • a. If your organization expects less than fifty requests per month, perhaps a simple login mechanism and a web form are all you need to service requests. Factors to consider; use a simple database or excel spreadsheet, setup a common mailbox where the web form delivers requests.
  • b. If your organization expects more than fifty requests per month, consider a more robust consumer privacy application built to fit the needs of your organization. Your organization may have application elements already in the enterprise stack that could compose the consumer privacy application.
• 2. What privacy laws do you expect will have consumers requesting their rights?
• 3. Do you already have applications in your enterprise stack to construct a consumer privacy application?
• 4. Categorize and classify your data. If your organization hasn't adapted a Master Data Management (MDM) solution yet, then this is an excellent time to do so. One crucial key to a successful CPA is finding the data quickly for a consumer. A good MDM will make that process more efficient.

There are several companies that have the experience and technical ability to help your organization build the right consumer privacy application.

Ensure the organization has adequate security controls applied to applications

Most privacy laws have provisions that require organizations apply adequate security controls that are designed to thwart bad actors attempts at ransomware attacks. Here are some of the minimum adequate security controls.

• Classify data with standard data classification., including Public, Private, Confidential and Restricted.
• Ensure data is encrypted at rest and in transit.
• Encrypt backups.
• Establish data retention policies with recommended default settings to keep data only as long as it is active or needed and no longer than a set period following inactivity based statutory laws. Remember, data kept is data that can be stolen.
• Ensure there are adequate backups in a disaster recover schema.

Following these simple steps will prepare your organization for compliance with privacy laws. With a will designed consumer privacy application, your organization is ready for a good privacy by design.

In Conclusion

For many companies, data privacy will not be a new system that merely tracks interactions with customers, members, subscribers and alike, and reports back to them on the personal data a company has in its possession. Rather, it is a new shift in understanding what companies do with the personal data they have accumulated over many years. It is becoming evident that more does not always mean better or vice versa. The data privacy is a cultural change for many companies. It is here to stay. The legislations around the world will only get more focused and restrictive. The current controls or data retention policies in many companies do not properly and adequately enable employees with the proper tools and processes to help them safeguard personal data in addition to legal definition of what to protect.Companies that act faster will undoubtedly control their liabilities and achieve better customer loyalty through more focused data privacy and protection programs.

About the Author:

Gary Wright is Exavalu’s Privacy Practice Lead. He has served multiple companies over the past four years designing and developing privacy by design practices with concentrations in GDPR, CCPA, GLBA, as well as regulatory taxonomies spanning, HIPAA Privacy Rules, plus privacy laws of Canada and Australia. He has served Exavalu in the development of a Consumer Privacy Application framework that can be applied across varied domains and enterprises. You can reach him at Gary.Wright@Exavalu.com