Data privacy compliance in the legal world requires more than just following government regulations.
Organizations must develop solid data security policies and practices to help prevent serious incidents including data security breaches involving customers and employees. Having robust data privacy policies and practices also helps avoid potential lawsuits and regulatory investigations involving data security. It also provides significant reputational benefits if an organization can avoid data security incidents.
With the increasing threat environment, your legal team must know your obligations to protect customer and employee personal data. You must understand the risk of breaching those obligations, and the security measures needed to remedy any deficiencies.
In the U.S. alone, there were 1139 total data breaches with 174,402,528 records exposed in 2017 according to the Identity Theft Resource Center. The total costs to a company are staggering when potential regulatory fines are added to the dollar losses caused by a breach.
Companies handling data outside of the US must also protect against international data breaches. A Ponemon Institute report finds that 42% of U.S. corporations have not taken steps to prepare themselves for an international data breach.
Deciphering the gamut of US and international privacy laws can be bewildering, especially because privacy laws often cover different data sets. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects US health data, while the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) (effective May 25, 2018) broadly protects the processing of personal data of EU individuals.
Many U.S. legal and compliance departments are not familiar with the intricacies of data privacy laws or how to comply with them. Moreover, as laws become more numerous and expansive, the risk of penalties for non-compliance increases dramatically.
Europe has taken the lead in data protection and privacy. The overarching GDPR imposes stiff fines on companies for non-compliance, such as unlawful processing and disclosure of personal data. Australia's Privacy Act, Argentina's Personal Data Protection Law, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are further examples of comprehensive national data protection laws. In the United States, a patchwork of privacy laws exists at the federal and state level, based on industry and types of data.
Legal and compliance departments must determine which laws and regulations apply at the state, national, and international level. Where do you begin?
Just how do you fulfill your obligations to your employees and customers? What's needed is an integrated and dedicated system for compliance understanding and adherence:
Having an Overall Compliance Strategy
Many organizations do not have a comprehensive, integrated, measurable, and centralized strategy for achieving data privacy compliance. Such a strategy consists of a high-level set of principles and documentation defining the measures the organization will take with respect to personal data (as defined by applicable laws). All key stakeholders and areas of the organization must be represented.
Compliance Subject Matter Experts (SMEs)
No one can be an expert in the myriad regulations requiring compliance. Assigning and training SMEs to be experts in a specific regulation such as HIPAA or GDPR is one option. This strategy ensures a single source of expertise for developing legally compliant policies and practices. Dedicated SMEs can be the drivers of all compliance documentation in their area.
Inventory and Assessment of Data
Personal data must be identified and tagged when it is collected, and companies must provide a method to track it. This will help you locate and appropriately protect personal data in accordance with legal and recommended standards.
Data Protection Policies and Procedures
A privacy-compliant organization provides solid administrative, technical, and physical security safeguards to ensure the confidentiality, integrity, and availability of data. This includes the effective ability to detect and prevent unauthorized or inappropriate access to data. Information security must be continually assessed, monitored, and updated to meet new threats. Data sharing must also be governed by a strict set of controls and policies.
Response Strategy and Plan
No system is perfect, even with full adherence to compliance policies. Cyberattacks and data breaches continue to outsmart some of the best systems. The impact of an intrusion can be mitigated through an effective data breach response plan and escalation process. Employees responsible for breach response should be trained on these plans and on the use of escalation channels. The corrective actions in the response plan must be implemented and documented as proactive preventive measures against a repeat incident.
Compliance plans and processes should be properly documented. A variety of content management systems are available, such as Microsoft SharePoint, OneDrive for Business, and others, to house and track all documents, reports, and records. An employee dedicated to managing document security and compliance is ideal.
Proof of Compliance
It is not enough simply to know that you are data privacy compliant. You must be ready to demonstrate your conformance for external or internal inquiries. Compliance should be clearly verifiable and readily accessible through reports and documentation. Your organization should have a process for reporting non-compliance as well as a clearly defined escalation path. Continual adherence to confidentiality principles should be verified through appropriate monitoring, auditing, and use of controls.
Whole new dimensions of the technology and business landscape are emerging that will compound the issues involved in protecting personal data. Big data and its huge datasets will pose problems for controls and management. International data transfers have increased exponentially and will require new security measures in networks and Internet infrastructure. On the legal and regulatory horizon, tighter consent requirements are emerging. Individuals will have increased control over what personal data is used and how. The emergence of the GDPR has left many U.S. companies scrambling to understand how the regulation applies to them and what new technologies they need in order to be compliant.
Protections and challenges revolving around the use of private information will only increase in 2018 and beyond. By fully understanding the legal landscape affecting personal data and adopting a comprehensive compliance system to conform with it, your legal team can thoroughly meet its data privacy obligations.