Are you playing whack-a-mole to protect your privacy? 

Julie Butterfield May 11, 2022

Out of everything that was said during 360 Advanced’s privacy webinar held this April, perhaps the most important is the realization that privacy regulation is not going away.

“Privacy 101: Regulations, Risk, and Compliance” was moderated by 360 Advanced’s Sr. Sales Executive, Carlos Guerrero, Sr. Practice Director, Brad Lyons, and David Ross, CEO at 1bigthink, a cybersecurity firm.

In light of Gartner’s report that 65% of the world’s population will have its personal data covered under modern privacy regulations, the discussion began with more predictions: 

  • U.S. federal legislation, though desired, remains a long shot. 
  • The global wave swells. 
  • Ad industry self-policing will become more stringent. 
  • Tech companies will continue rolling out draconian policies. 
  • Employees will become more concerned with their privacy. 

“One thing that’s taken a lot of companies by surprise, in the U.S. particularly, is this idea that employees are becoming more and more concerned about their privacy rights and what you’re doing with the data you’re collecting on them,” Ross said.  

Modern Privacy Regulations
The discussion veered toward elements of modern privacy regulations, including privacy principles, transparency, and data subject rights.  

Guerrero pointed out that he’s noticing an uptick in businesses for which privacy regulations are increasingly top of mind. But they have questions.

“One of the questions [clients] ask us is, ‘We have a lot of data, but what’s considered privacy-related data?’” Guerrero said.

Ross replied that privacy-related data is data that can identify a person, such as PII (personally identifiable information) or PHI (protected health information).

“If I had someone’s first name, and I accidentally spilled that, that impact would probably be pretty minimal to that individual,” Ross said. “But if I had their name, the location of their house, their Social Security number, their income, their HIV status, and that was spilled, that would be a much higher impact.”  

As a privacy guiding principle, Ross said, whatever controls are in place should align with whatever the impact is.

U.S. and International Outlook
The team discussed the outlook of international and U.S. privacy regulations, and some changes coming into effect, such as:

  • UK—could be breaking with GDPR
  • Japan—improved privacy controls
  • Australia—modernization of the 1988 regulation

In the U.S., 25 states have proposed regulation, and California, Colorado, and Utah are all facing deadlines: 

  • California—California Consumer Privacy Act, establishes new consumer privacy rights and expands liability for consumer data breaches. Deadline 1/1/23
  • Colorado—CPA, increases the protection of consumers’ data. Deadline 8/1/23
  • Utah—UCPA, increases the protection of consumers’ data. Deadline 12/31/23

Lyons said that, while regulations are designed to help companies, it gets tricky because there’s no universal standard, especially in the U.S. 

“You’ve got all of these individual states with all their requirements, so there’s a lot of complexities to this,” he said. “The underlying intent is to level the playing ground and make sure that everybody’s doing things the right way.”

The problem, Lyons said, is that businesses want to do things the right way, but they might not always know what the right way is. 

The best solution, Ross said, is a privacy program overseen by a qualified assessor, whether internal or external, as long as the governance is there.

“People really are going to start holding businesses and their management teams accountable for the misuse of their personal data,” Ross said. “I think that’s something that has truly not been felt in the U.S. before now.”

A solution for navigating through the process is to work with an expert on privacy regulations, he said. A privacy expert offers reassurance that things are proceeding correctly, and they’re available to provide guidance along the way. 

“The key takeaway,” Ross said, “is these regulations are here to stay. They’re not going to go away. What I don’t want you to do is play whack-a-mole with them.” 
