What Does Your Organization Need to Know?
New questions about privacy arise every day. These are not those questions. Instead, these ten questions cover the data privacy basics your organization should know.
1. What’s the difference between Privacy and Security?
While privacy and security are related, they’re not the same. Data privacy deals with what and how data is collected, used, and stored.
Data privacy aims for transparency and compliance with the consent provided by the person when the data is collected. Information is often collected through employment applications, background checks, customer purchase forms, and more.
New privacy regulations have been introduced to give people more control over their data and how organizations handle it. The most talked about, and no longer new, is the EU's GDPR.
For example, suppose an organization sells a customer's data to a third party without the customer's consent. That could be considered a violation of the data privacy laws of several US states and other countries.
Data security is concerned with protecting an organization’s assets by preventing unauthorized agents from accessing the stored data, systems, and networks. Different regulations (especially for specific industries) often mandate how and when data breaches should be handled and reported.
It’s possible to meet security requirements without considering privacy. However, without adequate security, nothing is private.
2. How do you know which regulations apply to your organization?
This is typically one of the first privacy questions organizations want answered, and the answer ultimately depends on what data the business collects.
While many may think they are in the clear, it’s easy to overlook employee data such as social security numbers, background checks, or biometric login credentials. Remember, privacy isn’t just for consumers. It protects internal individuals as well.
Once you establish that your organization collects and stores personal data or personally identifiable information, there are two further questions to answer:
- What states and countries does the organization conduct business in?
- Is the organization in a highly regulated industry such as financial services, healthcare, or manufacturing?
For Organizations Operating Solely in the U.S.
The US doesn’t have a federal privacy law, and the chances of one passing soon seem unlikely. As of August 2022, there are five states with omnibus data privacy regulations: California, Colorado, Connecticut, Virginia, and Utah.
If you conduct business in those states, or have customers in those states, those laws may apply to your organization. Some regulations set minimum thresholds for company revenue or the number of records collected that must be met before the law applies.
While complying with five different state privacy laws may sound daunting, they have commonalities across core privacy principles of individual rights, general obligations, and enforcement.
Additionally, some industries have stringent regulations in place due to the nature of the data, such as healthcare and HIPAA.
The financial services industry is another highly regulated industry due to collecting social security numbers and other personally identifiable information (PII) necessary to conduct business. Financial services include banks, financial apps, investment, and mortgage services.
Insurance and manufacturing are also highly regulated. If your organization operates in any of these industries, it’s likely there are additional data privacy requirements that require your attention.
Lastly, it’s important to consider cybersecurity and breach notification regulations. Even if there aren’t privacy regulations mandated where you conduct business, security regulations may be in place. Always consult with an attorney to be sure.
Across the World
For organizations operating internationally, there are many regulations you'll need on your company's radar. The most common include the EU's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL).
According to the United Nations Conference on Trade and Development, 137 out of 194 countries have data privacy laws. This includes the U.S.'s neighbors Canada and Mexico, as well as many others such as Brazil (LGPD), Egypt (PDPL), and Argentina (PDPA).
The more globalized the organization, the harder it is to keep up with every active data privacy and security regulation. Most organizations find manual processes are too time consuming and use automated software to determine which laws apply to their business.
3. Are small businesses affected by privacy regulations?
Privacy regulations in the U.S. typically require a business to meet at least one of a set of triggers before it must comply.
The most common triggers are: generating a minimum annual revenue, buying or selling the data of a specified number of consumers, or deriving a minimum share of revenue from the sale of data.
More specifically, the current five State privacy laws each have slightly different triggers.
- California (CCPA) – $25 million in annual revenue, or buys/sells the data of 50,000 consumers/devices/households, or generates 50% of business revenue from selling the data of consumers.
- California (CPRA) – $25 million in annual revenue, or buys/sells/shares the data of 100,000 consumers/households, or generates 50% of business revenue from selling the data of consumers.
- Virginia (CDPA) – possesses data on 100,000 consumers annually, or possesses data on 25,000 consumers and generates 50% of gross revenue from selling the data of consumers.
- Colorado (CPA) – possesses data on 100,000 consumers, or possesses data on 25,000 consumers annually and generates 50% of gross revenue or discounts from selling the data of consumers.
- Utah (UCPA) – $25 million in annual revenue and one of the following: possesses data on 100,000 consumers annually, or generates over 50% of gross revenue from selling, controlling, or processing the personal data of at least 25,000 consumers (Utah residents, but not within B2B or employment contexts).
- Connecticut (CTDPA) – possesses data on 100,000 consumers, excluding data controlled solely for the purpose of completing a payment transaction, or possesses the data of 25,000 consumers and generates more than 25% of gross revenue from the sale of data.
Small businesses can be affected by privacy regulations, but only once they meet the thresholds set by the state they operate in.
Small Businesses and GDPR Compliance
If your small business operates in any of the 27 EU Member States, chances are good you’ll need to comply with GDPR.
Small businesses are not exempt from GDPR, which covers EU citizens and anyone physically present in the EU when the data is tracked or collected. This means that even if you're not doing business in the EU, you may be handling data covered by GDPR without knowing it if your consumers travel to the EU.
The only exemption from keeping a written record of your data processing activities under GDPR applies to businesses with fewer than 250 employees. But if the processing could affect individuals' rights, is covered by GDPR Article 9 or 10, or you process personal data regularly, that exemption is unlikely to apply.
While some privacy regulations understand the burden they could place on small businesses, others prioritize the individual’s right to privacy over economic success. For small companies operating internationally, compliance with privacy regulations can be a significant burden.
4. What are the fines and penalties if an organization doesn’t meet privacy law compliance?
As you would expect, the fines and penalties vary greatly depending on the regulation, violation, and number of people impacted. In addition to direct financial costs, businesses must also consider the indirect costs of their reputation taking a hit.
96% of Americans agree that companies should do more to protect consumers' privacy. Furthermore, one third of US consumers will stop doing business with an organization because of its data privacy practices.
What is the cost of losing consumers to companies that respect their privacy? It’s hard to define, but it’s a cost you must consider.
Various entities enforce US state privacy laws. Currently, the laws express these penalties and fines:
- California (CCPA) – Maximum fine of $750 for each violation (every affected consumer or transaction).
- Virginia (CDPA) – There is no private right of action. Up to $7,500 for each violation (every affected consumer or transaction).
- Colorado (CPA) – Up to $2,000 for each violation (every affected consumer or transaction), not exceeding $500,000 for any related series of violations.
- Utah (UCPA) – The attorney general may seek actual damages to the consumer and a penalty of up to $7,500 for each violation. If more than one entity is involved in the violation, the AG will allocate liability to each party based on their respective contribution to the violation.
- Connecticut (CTDPA) – There is no private right of action. However, a violation of this act shall constitute an unfair trade practice for the purpose of section 42-110b of the general statutes and shall be enforced by the attorney general.
GDPR divides fines into two tiers. The first tier is for less severe infringements. Fines can be up to 10 million euros or 2% of the organization’s global annual revenue from the previous financial year (whichever is greater).
The second tier is for more severe offenses. It can result in fines of up to 20 million euros or 4% of the organization’s global annual revenue from the previous financial year (whichever is greater).
For larger enterprises, fines have exceeded $100 million. For example, Amazon was fined $877 million, WhatsApp was charged $255 million, and Google was fined $102 million for violating the consent articles of the GDPR.
GDPR also gives the right to data subjects to seek compensation from organizations that cause them material or non-material damage.
5. Why should businesses care about data privacy?
Beyond regulations, fines, and penalties, as an employer you should keep your employees’ personal data private.
It’s likely that your organization has social security numbers, addresses, background checks, and other employee data stored. Who has access to this information? And if it is secure, is it also private?
Furthermore, people worldwide are more aware than ever of companies abusing their personal data. Keeping their data private and using it ethically is vital to retain your customers.
8 out of 10 customers reported that they’re willing to abandon a brand if their data is used without their knowledge.
Is neglecting privacy worth losing 80% of your customer base? Probably not.
6. What organizational departments manage data privacy programs?
The TrustArc Global Privacy Benchmarks survey findings demonstrate that there is little unanimity regarding where privacy “sits” within an organization. While 36% have IT managing privacy, it also often sits under Operations, Legal, and Finance departments.
Many organizations will tie privacy in with their cybersecurity efforts because those systems need to be in sync, and some areas overlap. Collaboration with legal is also necessary to stay abreast of changing data privacy regulations.
Overall, privacy doesn’t belong in one department. Privacy is the responsibility of everyone in the organization. As businesses and consumers rely more on technology, it’s critical to embed privacy into every decision across the enterprise.
One employee’s mistake could become a costly data breach. Train every employee within your organization continuously on company security and privacy practices.
7. What is sensitive data?
Across the many data privacy regulations, terms like personal data, sensitive data, or sensitive information appear, and each law gives its own specific definition of these special classes of data.
GDPR defines personal data as any information related to an identified or identifiable natural person. It considers data subjects identifiable if they can be directly or indirectly identified, especially by name, identification number, location data, an online identifier, or other special characteristics.
Sensitive personal data, or special categories of personal data, are subject to a higher level of protection. These data include health, genetic, biometric, racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.
The processing of sensitive personal data is severely restricted by Article 9. When processing personal data or sensitive personal data, the organization will most likely need the consent of the data subject or must meet one of the other six requirements for lawful processing.
The definitions and requirements will vary based on the laws applicable to your organization. At the same time your organization can likely benefit from some overlap in the laws and requirements.
8. What do organizations need to know about individual rights and data subject access requests (DSAR)?
Individual rights are at the heart of privacy. Rights of the data subject, or consumer rights, are often referred to as individual rights.
A data subject is any individual whose personal data is collected, held, or processed. In essence, these are the rights that protect individuals' data and, in many instances, put control of that data into the individual's hands.
Chapter III of GDPR focuses on requirements for individual rights management. There are eight GDPR data subject rights.
- The right to be informed. Individuals have the right to know what data is collected, how it's used, how long it will be kept, and whether it will be shared.
- The right of access. Individuals can request that an organization provide them with a copy of any personal data held about them.
- The right to rectification. Individuals can request that data be updated if an organization holds incorrect or incomplete information about them.
- The right to erasure (right to be forgotten). Individuals can request that organizations remove their data in certain circumstances, including when an individual withdraws consent.
- The right to restrict processing. Individuals can request that an organization limit the way it uses their personal data.
- The right to data portability. Individuals are permitted to obtain and reuse their personal data (provided under contract or consent) for their own purposes across different services.
- The right to object. Individuals can object to the processing of personal data collected on the basis of legitimate interest or task performance. Organizations must then either demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual, or stop processing the data.
- Rights related to automated decision making, including profiling. GDPR has strict rules about this type of processing (making decisions with no human involvement), and individuals can challenge it and request a review.
US State privacy laws borrow some of these individual rights as well. The California CCPA, as amended by the CPRA, includes eight individual rights: access, right-to-know, deletion, correction, opt-out/opt-in, data portability, limit use and disclosure, and response deadline.
The right to know and the right to limit use and disclosure are excluded from Virginia, Colorado, Utah, and Connecticut laws. Additionally, the right to correction is also excluded from Utah’s law.
Your organization needs a plan and process for managing data subject access requests. In almost all instances, time is of the essence, and DSARs require a response within a certain number of days (typically 30-45).
9. How does data privacy impact marketing and sales teams?
Before 2018, detailed tracking through first- and third-party cookies let marketers optimize marketing budgets to increase ROI. Since 2018, GDPR has been in effect, and Safari and Firefox block tracking by default.
As a result, McKinsey estimated that marketers would have to spend around 10-20% more to achieve previous return levels. And Gartner found that 73% of marketers fear privacy concerns will negatively impact their analytics efforts.
Year after year, more data privacy regulations are introduced, and the limitations on data collection increase. Organizations can expect to spend more to get the same marketing and sales results without privacy-intrusive methods. The increased spending is likely to result in a lower ROI.
The focus will shift from using third-party cookies and data to using first-party cookies and quality data willingly provided to organizations by their consumers. There are many ways your organization can collect data with consent and privacy in mind:
- Company-created communities
- Customer lists and databases
- Subscriptions to newsletters, blogs, etc.
- Webinar and event registrations
- Focus groups
- Written reviews
- Customer interviews
A shift to first-party data will also require organizations to become more creative and personalized when approaching their audience. To increase engagement, organizations should tailor resources and campaigns to individual preferences.
While privacy compliant methods may cost more and take more effort on the front end, the relationships built between your organization and its customers will be stronger and more authentic.
10. What is the best way to enforce data privacy while not impeding future innovation?
While it may seem like data privacy laws are just another complicated set of regulations your organization needs to comply with, many people believe privacy is a fundamental human right.
Treating privacy like a checklist can lead to innovation setbacks. Privacy shouldn’t be an afterthought for organizations. It’s time to embrace privacy by design.
Complying with data privacy requirements after a product is built is complicated and can slow down project timelines. Privacy by design implements privacy and security controls into a product or service at the outset of the planning process.
Although there’s no specific set of rules an organization should follow to implement privacy by design, there are a few basics to consider.
The first is data minimization. Instead of collecting data by default, organizations should decide what data is actually needed and what need not be collected at all. When products are designed to collect only the minimum information required, both privacy and security risks are reduced.
Product development teams should also perform privacy and security risk assessments at all stages of development. This approach includes a complete inventory of the type and variety of personal information collected, and an end-to-end understanding of data flows for the life cycle of any data.
Don’t Forget to Assess Your Vendors
Privacy by design doesn’t end with internal development – it extends to third-party partners and service providers. Reduce risk by ensuring all vendors meet privacy and security compliance best practices.
It’s become increasingly common to see new partnerships and vendor agreements include privacy and security requirements in initial contracts. Whether selling to businesses or looking for funding, your partners expect proof of compliance with data privacy regulations.
Individual consumers are also catching on to companies that use their data irresponsibly. Some companies, such as Apple, use privacy as a competitive differentiator to attract new customers.
Data privacy regulations will only impede future innovation if you let them. Organizations that embrace privacy will avoid fines and gain new customers, vendors, and employees who value privacy as a human right.