This post covers the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), as well as fees for data breaches, changes in privacy attitudes, and the future of the standards.
GDPR was implemented in May 2018 and was designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens’ data and reshape the way organizations across the region approach data privacy.
Before GDPR, different countries were doing slightly different things across the EU. GDPR is meant to unite them under one rule. It also gives control back to the data subjects and insists that the data processors and controllers be more vigilant with the way they handle personally identifiable information (PII).
In an effort to engage and incentivize businesses to meet GDPR requirements, governing bodies, including the Information Commissioner's Office (ICO) in the UK, have implemented steep, tiered fines. These are the most stringent fines we’ve seen yet, as regulators want businesses to take this seriously.
If a data breach occurs, supervisory authorities–like the ICO–will take into account the gravity and nature of the breach as well as how many people were impacted. They will look for evidence that a business tried to prevent a data breach–could it have been avoided? Was there regular training?
They will look at the history of a business: is this the first data breach? Does the company have a history of breaches or an overall lack of data security? How cooperative is it in taking steps to correct and address the issues that caused the breach? Did the business take proper steps to notify customers once it became aware of the breach?
Google has paid multiple fines, including a $57 million fine from France for not making clear how Google processes the information of Android users, as well as a $44 million fine for a lack of transparency regarding ad personalization.
Facebook was recently hit with $2.2 billion in fines for storing passwords insecurely.
In another case, British Airways paid $230 million in fines for a 2018 data breach. The incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience."
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Privacy is a fundamental right. That’s how it’s viewed in the EU, and that’s how data subjects view it as well. As this way of thinking spreads, we will explore how it is moving across the globe.
CCPA stands for California Consumer Privacy Act. CCPA was enacted to protect the information of California residents. Like other privacy laws, CCPA includes some basic tenets of data protection as well as provisions to notify data subjects about the uses of their data, like who is going to see their data and when.
Specifically, CCPA gives California residents rights concerning personal data and outlines the related responsibilities of certain businesses in California.
The laws within the CCPA may each have significant impact on those businesses located in or outside of California that collect or process the personal data of California residents.
The CCPA applies to any for-profit entity doing business in California–or with California residents’ data–that either has a gross revenue greater than $25 million, or that collects/processes the personal data of more than 50,000 consumers for commercial uses.
The bulk of CCPA compliance will consist of policies and processes in place for when consumers want to exercise their rights. For example, businesses must have a “do not sell my personal data” link on their homepage. And if there’s a request to exercise a right, the business must comply within 45 days.
The areas that businesses will likely need to spend resources on include:
If the Attorney General of California cites a business with failure to comply with CCPA, a route of action will be created, and the business will have 30 days to “cure” any violations. Consumers who have been harmed by a company’s noncompliance with CCPA may seek $100 to $750 per incident. If noncompliance continues, penalties are $2500 per violation or $7500 per intentional violation, and there is no ceiling to CCPA damages.
So far, there haven’t been many widely discussed fines, since CCPA enforcement came with a six-month grace period (which ran through June 2020). But we predict that CCPA fines will soon become more publicized.
Steve Jobs said, “Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.”
We’ve seen a lot of progress in the last couple of years regarding data privacy and data security. Transparency is key. People want confidence in how their personal information is being handled. Now more than ever, we are asked to share so much electronically. Sharing our data might make our lives easier, or help us get things done faster.
We also want to be in control of our personal information. We want to know what personal information a business has of ours, why they need it, and what they’re going to do with it. We need to be assured that if we want our personal information removed, it will be–and that it will be done in a reasonable time frame.
We are seeing an increase in the amount of privacy legislation around the world.
More than 60 jurisdictions have enacted or proposed modern privacy and data protection laws since the introduction of the GDPR in 2018. These include Argentina, Australia, Brazil, Egypt, India, Indonesia, Japan, Kenya, Mexico, Nigeria, Panama, the U.S., Singapore and Thailand.
Gartner estimates that by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.
These principles were determined by the ICO, and can serve as general guidelines when thinking about protecting data in a practical way.
These are the top areas you can focus on now at your business to help protect data and prevent a data breach:
GDPR mandates that reasonable security and privacy measures are in place. CCPA itself does not specifically outline such preventative measures, but they are implied. Here are some best practices along with resources to get you started:
Your main objective is to have a plan and to execute against that plan. When there are changes, pivot and adjust as needed. Monitoring changes and adjusting your security practices for them is key to your success in protecting data and preventing breaches.