Editor’s Note: WRAL TechWire is launching a 5-part series on data privacy law to shed light on one of the fastest growing and most complex areas of technology law. Steve Britt, Cyber, Data Privacy and Technology Advisor (CIPP/E, CIPM), Parker Poe and Sarah Hutchins, Cyber, Data Privacy and Technology Partner (CIPP/US), Parker Poe
RALEIGH - Updates in data privacy are coming incredibly fast, and it is an ever-expanding legal area. The business community needs to pay attention to current developments and review current information about where these laws came from, where they are headed, and what businesses need to do to prepare for these changes.
To make sure we’re all on the same page, let’s start by defining a few key terms. First, cybersecurity or data security is about protecting data and the information systems in which it lives from hacking, loss, or unauthorized use. Data loss can come from spear-phishing, ransomware, business email compromise, or just a missing laptop.
Data privacy, on the other hand, is about honoring the privacy rights granted by law to natural persons whose data is collected, used and maintained by a company. The distinction between data security and data privacy is reflected in the slogan: “You can have data security without data privacy, but you can’t have data privacy without data security.” This is because all data privacy laws require data to be protected from loss. You can have the most secure operations in the world, and never lose a single record, and still fail at data privacy by not complying with these new laws.
Another way to think of this distinction is that data security is primarily a technical set of protections involving network scans, access controls, detection of unpatched software, and installation of multi-factor authentication, alongside non-technical requirements such as regular employee training.
Data privacy requirements vary by jurisdiction, but generally consider what specific personal information is collected, why it is collected, with whom it is shared, and how individuals can control how their data is used. The definition of personal information can also vary by jurisdiction, but it is much broader than most realize, typically including device data, location data, browser history, user preferences, and purchase history.
Complying with these regimes presents several unique challenges. For example, the company must be able to locate, tag, track, retrieve, and potentially delete individual user records across the company. It should establish new business processes to handle data subject rights requests in a timely and non-discriminatory manner, after first verifying that the requester is entitled to make the request.
These laws also require the company to train its employees, update its policies, and keep accurate records of all its data management activities for potential audits and investigations. Failure to comply can result in large fines, damage to business reputation, injunctions, and lawsuits.
In this series, we will try to demystify data privacy so that management can accurately analyze the risks these laws present, both now and in the future, in order to plan reasonable, affordable, and achievable solutions.
One more note: it’s important not to think too narrowly about data privacy, as it does not have a clearly defined swim lane. Companies should not try to navigate through perceived exceptions or loopholes in particular statutes at one point in time, as this will only set back their broader goals; the trends in data protection are clear and irreversible.
Data privacy should be seen for what it is: just one element of a strong data management program. This requires a reorientation of the entire business towards data privacy, without losing focus on data security.
It should also be recognized that many data issues are expanding and merging. For example, data security requirements are being incorporated into data breach notification laws, stand-alone biometrics laws, artificial intelligence laws, and Internet of Things laws. When regulators investigate a data breach, you can expect them to review data privacy compliance as well.
By starting now, a business can set a deliberate pace toward a comprehensive data stewardship program that will allow it to show a good faith effort toward compliance should a data breach or other regulatory event occur down the road. That will be your best defense against this growing array of new legal risks.
About the authors
Steve Britt, CIPP/E, CIPM, is a cyber, data privacy and technology attorney at the Parker Poe Law Firm. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt advises clients on the full range of data protection laws. You can reach him at email@example.com.
Sarah Hutchins, CIPP/US, is a cyber, data privacy, and technology attorney at the Parker Poe Law Firm. She helps clients navigate business litigation, government investigations, and data privacy and cybersecurity. Hutchins can be reached at firstname.lastname@example.org.