By now, many of you have heard of the GDPR, the General Data Protection Regulation, an EU regulation on data protection and privacy that was adopted in 2016 and became enforceable in May 2018.
Companies around the world had to adapt to the new normal created by this regulation and adopt new practices to comply with its rules, often making large changes to how they operate. Around the time the regulation took effect, you might recall the flood of pop-ups on many companies' websites explaining how they tracked your data, inviting you to review their privacy policies, or asking you to opt in to certain kinds of tracking while citing the GDPR. This was a major moment in the history of data protection and privacy, and a stepping stone to where we are today as a global online community.
Early this year, we reached another pivotal point in the history of data privacy and protection in the United States: the CCPA, the California Consumer Privacy Act, took effect. It was signed into law in 2018 and became effective on January 1 of this year (2020), with enforcement by the California Attorney General beginning July 1, 2020. With the current COVID-19 crisis, we feel the significance of this act has been overlooked, but once the virus is brought under control, businesses will have to pay real attention to this development. Why, you ask? Let's dive a little deeper.
Why Is the CCPA Important to Your Business?
The CCPA is intended to give California residents (the statute calls them "consumers"; it is residency, not citizenship, that matters) the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete the personal information it has collected from them.
- Not be discriminated against for exercising their privacy rights.
As an organization, you need to accommodate these new privacy rights, and it is important to get it right: under the CCPA, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and consumers have a private right of action for certain data breaches with statutory damages of $100 to $750 per consumer per incident. Note that the law applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue over $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling consumers' personal information.
These penalties add up quickly on a per-violation basis, and from how similar laws have developed in the past, other states will not be far behind, and their regulations may add requirements of their own. Many businesses tend not to act until they absolutely must, so let us be the first to tell you: you absolutely need to act.
NIST Privacy Framework
The National Institute of Standards and Technology created the well-known Cybersecurity Framework (CSF), which our professionals have worked with for years, and in January 2020 it released version 1.0 of the NIST Privacy Framework. The two are related in structure and content: the Privacy Framework reuses the CSF's Core, Profiles, and Implementation Tiers, its Core is organized into the functions Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, and the Protect-P function deliberately overlaps with the CSF so that privacy and security controls can be managed together. The framework abstracts privacy concepts into outcomes rather than prescribing controls, so an organization documents a Current Profile of what it does today, defines a Target Profile of the outcomes it needs, and uses the gap between them to plan its way toward a robust privacy program.
Our familiarity with these NIST frameworks, together with the substantial overlap between cybersecurity and privacy programs, has allowed us to ramp up quickly to help our customers build privacy programs that not only comply with current privacy laws and standards, but put them ahead of the curve for any new laws that may arise in the coming months and years.
When an organization is facing something completely new and unfamiliar, our goal is to come in, help assess which targets it should be working toward to reach compliance with the laws that apply to it, and flesh out its privacy program so that it is prepared for the future.
If you are looking to get ahead of this new digital privacy landscape, we would love to talk about how we can help. Fill out the form below to get in contact with one of our Cyber Risk and Compliance professionals.