In May 2018, the European Union's General Data Protection Regulation (GDPR), an expansive and comprehensive data privacy law adopted two years earlier, took effect and became enforceable.
Since then, the state of California has passed a substantively different privacy act, leaving many business leaders confused about conflicting regulations, guessing about extraterritorial jurisdiction, and uncertain about whether the United States will pass a federal data privacy law that preempts them all.
Business leaders who operate multinational corporations are seemingly left in a bind. They face a quandary about what data is subject to which regulation and when.
U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), when layered onto state- or country-specific regulations, create a thicket of overlapping and sometimes incompatible requirements that business leaders must untangle. For such reasons, data privacy is seldom a pleasant conversation topic.
So why should companies dedicate precious time, personnel, and resources toward data privacy compliance?
Besides the legal obligations, it’s in the financial and reputational interests of companies to evaluate and address privacy concerns today rather than deal with the blowback of noncompliance tomorrow.
Further, recognition of data privacy as a fundamental right is spreading. Through the GDPR and the California Consumer Privacy Act of 2018 (CCPA), both the EU and the state of California assert that consumers have a right to data privacy: the ability to control their data, subject to certain reasonable exceptions. That right is not going away.
GDPR and CCPA are two of the newest laws that affect many U.S.-based companies. And although the laws are different in scope and intent, business leaders can be assured that there are some similarities between them that can serve as a starting point for compliance.
What data does the company collect?
Business leaders must know what data their company collects and from whom they’re collecting it. The type and origin of the data largely determine which requirements apply, and are the best starting point for compliance.
Of the data a company collects, leadership should determine and codify which of it can be associated with a specific consumer and classify it accordingly. GDPR calls this category “personal data” and CCPA “personal information”; many U.S. teams use the umbrella term personally identifiable information (PII). Each regulation defines the covered categories and their exceptions differently, but as a general rule, if a business can associate data with a consumer directly or indirectly (a name or email address, but also an account number, device identifier, or IP address), that data is likely subject to data privacy regulation.
One best practice for managing consumer data is to collect the least amount of data necessary to achieve an immediate and intended outcome. This “minimization” strategy (GDPR lists data minimisation among its core principles) reduces exposure, storage requirements, and the cost of IT infrastructure. It also forces business leaders to think intentionally about data usage and solution design prior to collecting it: We collect this data from these consumers for that outcome. In short, it encourages responsible data collection and use.
How does the company store and process consumer data?
Knowing the type and origin of data is only half the challenge. The other half is understanding where the company stores it and what each data set means for business operations. This is typically achieved by mapping data by system and database down to the attribute level, ranking data elements by sensitivity and business priority, and tying each to the business outcome it serves.
When possible, business leaders should de-identify data through pseudonymization, replacing direct identifiers with tokens whose mapping key is stored separately from the data, to protect consumers and reduce exposure in the event of a breach. Note that under GDPR, pseudonymized data remains personal data as long as the business holds the additional information that re-links it to a person, so pseudonymization reduces risk without removing the obligation. Companies should also recognize that data stored in different countries may be subject to data localization laws not specified in GDPR or CCPA.
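The following is an added illustration of the pseudonymization approach described above; it is not code from the original article, and the customer records, the guess list, and the field names are constructed for the demonstration. It contrasts an unkeyed hash of an identifier, which a breach recipient can reverse by hashing guessable inputs, with a keyed token (HMAC-SHA256) whose key is held apart from the data set, and shows that the tokens still join correctly while the non-identifying attributes stay usable.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for the demonstration; none of these are real people.
CUSTOMERS = [
    {"email": "alice@example.com", "plan": "pro", "region": "EU"},
    {"email": "bob@example.com", "plan": "free", "region": "US-CA"},
    {"email": "carol@example.com", "plan": "pro", "region": "US-CA"},
]

# Fields that tie a row directly to a person. The remaining fields stay in the
# clear so the pseudonymized table is still useful for analytics.
DIRECT_IDENTIFIERS = {"email"}


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can guess the input
    (email addresses, phone numbers, national IDs) can recompute and match it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token: HMAC-SHA256 under a secret key that is stored away from the
    pseudonymized data set (a KMS, a separate database, a different team).
    Deterministic, so rows about the same person still join; without the key,
    the token cannot be mapped back to the person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: Iterable[dict], key: bytes,
                         identifier_fields: set = DIRECT_IDENTIFIERS) -> list:
    """Return copies of the records with every direct identifier replaced by
    its keyed token. Other attributes are left unchanged."""
    out = []
    for rec in records:
        out.append({
            field: pseudonymize(value, key) if field in identifier_fields else value
            for field, value in rec.items()
        })
    return out


def reidentify_by_dictionary(token: str, candidates: Iterable[str],
                             token_fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker does with a breached table: compute the token for every
    identifier they can guess and look for a match. Returns the matching
    identifier, or None if the token cannot be linked with the given function."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def demo() -> dict:
    """Run the comparison end to end and return the outcome of each attempt."""
    key = secrets.token_bytes(32)  # in practice: generated and held in a KMS, not beside the data
    table = pseudonymize_records(CUSTOMERS, key)
    # Attacker's guess list: a leaked or scraped set of addresses, constructed here.
    guesses = [r["email"] for r in CUSTOMERS]

    return {
        "naive_hash_reidentified":
            reidentify_by_dictionary(naive_hash("bob@example.com"), guesses, naive_hash),
        "keyed_token_without_key":
            reidentify_by_dictionary(table[1]["email"], guesses, naive_hash),
        "keyed_token_with_key":
            reidentify_by_dictionary(table[1]["email"], guesses, lambda v: pseudonymize(v, key)),
        "analytics_fields_intact":
            table[1]["plan"] == "free" and table[1]["region"] == "US-CA",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats matter in practice. First, the key is the "additional information" that makes re-identification possible, so whoever holds it still holds personal data; store it separately, restrict who can call the tokenization function, and use a different key per purpose so tokens from one data set cannot be joined against another without authorization. Second, the columns left in the clear (here plan and region) are quasi-identifiers that can single out individuals in a small population, so pseudonymization is a risk reduction, not anonymization.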
Does the company allow consumers control of their data?
Providing consumers “rights” will likely be a new requirement for most companies, but one that business leaders ought to become increasingly familiar with. GDPR and CCPA both outline rights that empower consumers with functionality to control the use of their data.
Even though the specified rights aren’t consistent in name or function, there are several similarities: both laws, for example, give consumers a right to access the personal data held about them and to request its deletion, each with its own exceptions. Companies, however, must balance consumers’ rights to control their data with the intended user experience. Too much friction in exercising that control can be onerous and detract from the product experience.
Is the company transparent about its practices?
Companies should strive to provide reasonable details about their data processing practices, allowing consumers to make more informed decisions about their personal information. This is what GDPR calls the “right to be informed” and CCPA labels as the “right to know.”
To fulfill this right, business and legal teams must work together to document the items outlined in the previous steps, then determine what level of detail to disclose to consumers. Too little information is uninformative; too much can confuse consumers.
Being transparent means communicating about data processing practices with clear and plain language. Gone should be the days of legalese printed in 4-point type and packed into obscure or generic statements. Business leaders should also establish a regular cadence with privacy teams to reevaluate whether updates to consumer-facing statements are required, so all policies remain consistent with actual business practices.
Finally, GDPR compliance doesn’t equate to CCPA compliance. Because many companies are obligated to comply with both, and because portions of each law seemingly conflict, business leaders are turning to trusted legal and business advisors to navigate these challenges and take their first steps toward compliance.