Data privacy is an increasing global concern, and governments are cracking down on how businesses manage personal data. As data privacy laws become more widespread—and more strict—you may wonder about their impact on your business. And for good reason. Investigations into non-compliant companies can quickly turn into devastating class-action lawsuits for businesses that leave consumer data exposed.
So how is your business impacted by new regulatory standards? And how can you better protect your customers’ data? Understanding the law and ensuring your data privacy practices are up-to-date will keep your business compliant and your customer data secure.
Major data privacy laws include the GDPR and the CCPA.
Here’s a quick look at two major data privacy laws to be aware of right now.
General Data Protection Regulation (GDPR), effective May 25, 2018
The General Data Protection Regulation, or GDPR, makes data protection laws consistent within the EU and outlines new regulations for handling personally identifiable information (PII). The GDPR not only applies to organizations located within the EU, but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
In other words, the GDPR applies to all companies that process and hold the personal data of anyone who resides in the European Union, regardless of whether the company is in Europe.
The California Consumer Privacy Act (CCPA), effective January 1, 2020
The California Consumer Privacy Act, or CCPA, gives California residents the right to know what information a business collects about them and whether the business is allowed to sell and/or share that data. Businesses that fail to uphold CCPA standards could be fined up to $2500 per violation by the California Attorney General. The CCPA is one of the toughest privacy laws in the country and is sure to influence future legislation around the world.
More data privacy laws are just around the corner.
Beyond these blockbuster regulations, there are many other data privacy laws in place throughout the world. And in the U.S., the number of states with data security laws has doubled since 2016, reflecting growing concerns about computer crimes and breaches of personal information. Take a look at the difference just three years can make:
And there are more laws to come. For example, Senator Marco Rubio (R-Fla.) introduced a new federal bill in October 2018 designed to provide national data privacy legislation. Apple CEO Tim Cook recently proposed a U.S. privacy law similar to the GDPR. Meanwhile, Microsoft CEO Satya Nadella has stated that privacy is a “human right” while calling for “global GDPR.”
Non-compliance could cost you big.
Do you store consumer data? If the answer is yes, then you’re subject to data privacy laws and are accountable for non-compliance fines and penalties. It’s also important to recognize that data privacy laws can vary significantly from one locale to another. Knowing where your data resides, and where the people it describes reside, will help you know which laws you are subject to.
Before data security laws were the norm, most end-users and executives saw potential fines and penalties as scare tactics. Today we’re seeing real fines, like those associated with the GDPR, impacting companies’ bottom lines.
Taking time to understand how these regulations apply to you could save your business a lot of time and money in the long run.
Identifying data sensitivity is the first major step toward ensuring compliance.
If you store consumer data, you need to understand which data is sensitive and which isn’t. According to Norton Lifelock, personally identifiable information, or PII, is any data that could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address (see What is PII? for more detail).
In order to identify PII and other regulated information, you need to conduct an in-depth sensitive data identification process. DataONE has put together an excellent, comprehensive list of questions to help with this process, which includes asking things like:
- Can an unauthorized individual use the information to do limited, serious, or severe harm to individuals, assets or an organization’s operations as a result of data disclosure?
- Would unauthorized disclosure or dissemination of elements of the data violate laws, executive orders, or agency regulations (i.e., HIPAA or privacy laws)?
- Does the data have any integrity concerns?
For the full list and more information on conducting a sensitive data identification process, see the DataONE resource linked above. Your company’s compliance obligations will differ depending on which regulations apply to you.
Several tools are available to help you conduct a thorough sensitive data identification process.
Fortunately, there are tools available to help you with your PII and sensitive data identification process. Here’s a look at a few to consider.
File and share detection
Data Classification Engine from Varonis (Varonis DCE) is an application that discovers sensitive content located within a file and/or directory and shows where and how this content is exposed. It works over NAS (Network-Attached Storage) devices, Google Drive, and Microsoft Office 365. Over 60 file types are supported, including .doc, .xls, .sxc, .vsd, .stc, .csv, .ods, .rtf, .pdf, .ots, .sti, .txt, .xml, .pps, .ppt, .eml, .sub, .rar, .log, .mdb, .sxw, .accdb, .dwg, .zip, and more. Varonis offers multiple versions, including a free version, limited-license versions, and the full version, which includes a 30-day assessment with a report and remediation plan.
One Software-as-a-Service (SaaS) tool that’s useful for helping you identify sensitive information is Guardium Analyzer from IBM. Guardium Analyzer helps end-users find regulated data (PII, personal and sensitive personal data), understand where their data and databases are exposed, assess imminent risk, and act to address issues while mitigating risk. The free version allows unlimited scans for up to three databases. IBM offers standard and professional plans starting at $29 per month. Other database scanning applications include Imperva Data Security, Akamai, and Oracle’s Audit Vault.