The topic of data privacy and security is in the mainstream media and people begin to realize the value of their personal data.
Yeah, it’s happening like in the movies. Anyone who has watched “Terms and Conditions May Apply” and “The Great Hack” know what we’re talking about.
If you’re still not convinced, look at how hyper segmentation on advertising campaigns are arriving at your cell phone immediately after you show interest on a specific subject.
There is even a debate over the extent to which it has influenced presidential elections.
1. What is your data for? What can you do with it?
- Hyper Segmented Digital Marketing
- Industrial espionage
- Identity theft
- Credit card cloning
- Ransonware, phising (demand a rescue pay to return your data)
- Buying cell lines to perform illegal activities involving you
- Open checking accounts in your name to launder money
- Basis for target identification and planning for physical hijackings
- Requesting false health insurance reimbursements on your behalf
Ginni Rometry, CEO at IBM from 2012 until April 2020, knows exactly what is going on and has spoken about it a few times:
“Data is the natural phenomenon of our time. It is the new natural resource in the world. It is the basis of competitive advantage and is transforming all professions and industries. If all of this is true, then cyber crime is the biggest threat to every industry and every business in the world. ”
2. Is technology a problem then?
The problem is definitely not technology. Our problem is changes in our society as a whole.
As technology accelerates everything, so it is doing with crime.
According to Statista, the global cybersecurity market is predicted to grow from $167.1B in 2019 to $248.26B by 2023, attaining a 10.4% CAGR.
Hence the need for a more robust regulatory environment, with important and updated definitions, which accompany the environment of constant technological innovations.
The privacy of sensitive personal data and anonymization, focused on the individual, must be respected with regards to the final customer and also the business environment.
3. Does the law apply to my business?
GDPR applies to entities that collect, store or process data from natural persons located in the EU, regardless of nationality and being resident in the EU.
The CCPA applies to businesses that collect personal information from California residents. However, the law does not apply to any company. The CCPA defines business as an entity that:
- Collects personal information from consumers,
- Determines the purpose and means of processing personal information,
- Does business in the State of California, and
- Meets one or more of the next requirements:
- Has annual gross revenue in excess of $ 25 million;
- Alone or together, per year, buys, receives, sells or shares, for commercial purposes, personal data of 50,000 or more California residents, properties or appliances;
- Earns 50% or more of annual revenue from selling personal data to California residents.
4. What are the main obligations imposed by the GDPR and CCPA?
- Report affected holder and authorities about leaks
- Strict, free, clear, unambiguous consent of the uses for any specific purposes
- Appointment of a DPO (“Data Protection Officer” or someone in charge of the treatment of personal data”)
- Specific requirements on data transfer, portability and forgetfulness
- Conduct a pre-project DPIA, Data protection impact assessment (GDPR official website template of how to conduct a DPIA)
GDPR: Administrative fines of 10 to 20 million euros or 2 to 4% of the entity’s global annual revenue, whichever is greater.
CCPA: the maximum penalty of the CCPA is $7,500 and is reserved for only intentional violations of the CCPA. Other violations lacking intent are going to remain subject to the preset $2,500 maximum fine.
GDPR: effective since May 2018
CCPA: effective since Jan 2020
- See your customers
- Know your customer
- Respect your customer
As those are conceptual pillars, getting to know each regulation in detail would demand a deeper study of both regulations.
But their procedures, in summary, seem to be very similar:
Firstly, they receive communications about the occurrence of any security incident that may cause significant risk or loss to data subjects (data breach notification).
Then, there’s an investigation, with established preparatory procedures, including public civil inquiry and administrative procedure if applicable.
Also, after the investigation, an action of sanctioning based on proposed lawsuits might occur.
5. Benefits of GDPR, CCPA and other data privacy and security regulations
- Safer online and physical environment, with minimized risks
- Avoidance of fines
- Better sleep for individuals
- Much better sleep for executives, as information security has been a big cause of preoccupation for high administration members and other businesses representatives for years
6. Six steps to hold virtual events that comply with the latest data privacy and security regulations
1. Work to get the right sponsors
This is a matter to be treated with the high administration: senior management, board of directors and/or advisory committees.
- First line of defense: a strong IT department.
- Second line of defense: proper risk analyses and legal compliance.
- Third line of defense: internal audit, including the choice of suppliers that have this preoccupation as a top priority.
2. Perform a detailed diagnosis to define the scope of what needs to be done to comply with the legislation.
- Map information that needs to be protected, areas, systems, environments, platforms and professionals that need to be involved.
- Identify policies that need to be created or existing ones that need to be updated.
- Identify documents that need to be reviewed, like consent terms.
3. Appoint a DPO (Data Protection Officer) with the following main duties:
- Coordinating data protection efforts across all departments involved.
- Participating in projects to ensure privacy by design since the very first project scratch.
- Conduct and monitor a DPIA.
- Promote awareness as a best data protection practice
- Insert data protection on the organization’s agenda until the subject is part of the culture
- Be the touch point with regulatory authorities
4. Establish policies
- Classify information (public, restricted, sensitive, confidential or critical)
- Communicate frequently with authorities (particularly important in case of leaks)
- Implement robust information security program, including periodic monitoring and testing
- Test vulnerability and data encryption on the internal network regularly
- Make employees and stakeholders aware
5. Data privacy and security needs a professional approach
Above all, consent must be provided in writing or by any other means that demonstrates the effective manifestation of the holder’s will, in a detached clause of the other contractual terms.
Firstly, if this consent is changed from its initial purposes, a new consent must be obtained from the holder the consent can be revoked .
In addition, it’s also good to remember that consent models have distinctions.
Opt-in marketing or commercial messages, for instance, are only sent to those who express their prior and explicit consent to receive them.
6. Information security culture, engagement, communication and training
A legal or physical controller that collects personal data and makes all decisions regarding the form and purpose of data processing is commonly found in the figure of a DPO or CTO.
Moreover, this DPO (Data Protection Officer), will be the bridge between the shareholders, public authorities and the operational IT team.
They’ll also responsible to guide employees that are out of the data processing practices, promoting a clear and objective data protection culture.
Thus, processing any operation performed with personal data, such as collection, use, processing, storage and disposal, needs to have the supervision of a data specialist.
Keep learning! Take advantage of our free and always updated resources: