Privacy Forecast #001
Dear Reader,
As countries continue to propose data privacy laws that may impact your life, business, or personal data, here are five key considerations that should be evaluated to better understand current and future data privacy laws and regulations (hereinafter “data privacy rules”).
I. The Scope of Data Privacy Rules.
Generally, data privacy rules apply to all entities that conduct business in a specific jurisdiction or offer products or services that target residents of that jurisdiction. If data privacy rules grant residents rights over their personal data, organizations that collect and use that personal data should conduct risk assessments to identify the areas at issue. These organizations should then review and update their policies and procedures to reflect the requirements of the data privacy rules that govern their collection, use, and handling of data.
II. Requirements and/or Prohibitions of Data Privacy Rules.
As indicated above, organizations that may become covered by data privacy rules should reassess their collection and use of personal data and modify their compliance efforts accordingly. When new data privacy rules come into effect, organizations will have to determine how those rules define their key terms. These include (but are not limited to) the definitions of: personal data, data subject, controller, processor, and consent.
Also, some data privacy rules may restrict the transfer of personal data from one country to another. An organization that is restricted from transferring data under a data privacy rule is encouraged to use software to manage that data according to the requirements of the applicable data privacy rule(s).
III. Predicting Data Privacy Regulatory Trends.
Organizations should comply with both the letter and the spirit of data privacy rules. With an understanding of the purpose behind a specific data privacy rule, organizations that may become subject to that rule will be able to reduce legal risks by anticipating regulatory enforcement trends or initiatives.
For example, if the purpose behind the passing of a data privacy rule is to prioritize data breach notifications, rather than to provide residents with rights over their personal data, organizations may expect that data privacy rule to contain a timely breach notification provision.
IV. Third-Party Vendors.
Organizations remain responsible for the non-compliance of the third-party vendors with whom they do business. Even if an organization is not itself subject to a data privacy rule, its third-party vendors that are subject to that rule should undergo risk assessments and design policies and procedures to comply with it.
V. Consequences of Noncompliance.
Covered organizations must comply with data privacy rules or face litigation and/or regulatory fines.
For example, since coming into effect in 2018, enforcement of the General Data Protection Regulation (GDPR) by European regulators has been costly. Many organizations subject to the GDPR were heavily fined for compliance violations. Fines for non-compliance can be as much as 4% of an entity’s worldwide revenue.
If a data privacy rule contains fines similar to those of the GDPR, organizations that become covered by that data privacy rule will become subject to significant fines.
Conclusion
As data privacy rules become more comprehensive, organizations should weigh these five considerations to better understand and comply with current and future data privacy rules.