Data privacy is important regardless of industry, whether you’re in healthcare, financial services or manufacturing.
Because data gathering and storage have accelerated rapidly over the past decades, concerns about data are more prevalent than ever for both the users and the owners of that data.
This leads to the questions: What is data privacy, and do I need to be concerned about it?
What is data privacy?
At its core, data privacy is the consideration of how a company uses personally identifiable information (PII): the organization’s responsibilities over that data, how it was obtained, what it describes and whom it was collected about, how it is stored and secured, and how it is disposed of.
Taking this holistic view of an organization’s data ecosystem requires a deliberate approach to designing and implementing a data privacy program effectively.
Why does data privacy matter?
Data privacy concerns are partly driven by regulatory requirements. A company must abide by these regulations to avoid paying fines and penalties for noncompliance. These penalties can vary but are consistently steep. For example, the cost of noncompliance for the California Consumer Protection Act (CCPA) is $2,500 per violation, and $7,500 if the violation is proved intentional. Keep in mind this is per violation, so a company would be liable for $25,000 if 100 users’ data was compromised.
The fines for violating General Data Protection Regulation (GDPR) are steeper, and on the lower end can cost 2% of a company’s prior year annual revenue or €10 million, whichever is higher. In 2019, Google was fined €50 million, the biggest fine to date.
Regulatory requirements are growing
When GDPR was passed in the European Union in 2016, the conversation on data privacy took center stage. The law requires companies doing business within EU member states to abide by a set of data protection standards with the aim of protecting an individual’s data and simplifying data regulations. The passage of this law prompted states in the U.S. to begin considering similar regulations.
While there is not a unified federal data privacy law passed yet in the U.S., there is a patchwork of state laws already in effect that may impact your organization. This includes the well-known CCPA and New York Privacy Act, which both build upon and expand the framework laid out by the GDPR. Other states — such as Virginia, Nevada and Vermont — are moving to pass their own versions of these laws in 2021.
With the increasing number of states moving to pass these types of laws, and the clear risks of not abiding by them, now is the time to begin understanding whether these laws will apply to and impact your business.
What can you do now?
Organizations can take several steps today to prepare themselves for upcoming compliance with data privacy laws:
- Perform a data inventory to determine what types of data are used and how they are stored. Determine whether there are legal requirements around this data, such as retention and storage rules.
- Create a data flow diagram to understand how data is being transferred and where it resides within your organization. Use this exercise to ensure there are adequate data security controls at each stage.
- Review and test incident response procedures. Key capabilities for data privacy include detecting the misuse of data, containing the incident and notifying the appropriate parties.
Need help understanding data privacy’s impact on your organization?
If you have questions on or need assistance with understanding the impacts of data privacy on your organization, contact Wipfli.