Every year on January 28, Data Privacy Day is observed as part of an international effort to raise awareness about the importance of data privacy and security. Whether you are an individual interested in protection of your own personal data or a business trying to protect your clients, employees, or other personal information, we hope this article can serve as a reminder to review how you are protecting your valued personal data.
Here are some of our top data privacy and data protection reminders for businesses for the upcoming year.
Know What Type of Personal Data Your Business Collects
Personal data is defined by the European Commission as “any information that relates to an identified or identifiable living individual.”[1] Multiple pieces of personal information which, when put together, would identify an individual, is also personal data. Whether a country, state, or locality uses the term “personal data” or “personal information” in their laws or regulations, the general concept remains the same.
Examples of personal data include: first and last name, physical address, personal email address, location data (such as on a cell phone), IP address, driver’s license number, social security number, vehicle identification number, and even data held by a medical provider that could identify a unique individual.
Your business more than likely collects some type of personal data. Taking a first step to identify what type of personal data you collect will help your business comply with any applicable data privacy laws.
Review or Implement Your Privacy Policy
Your privacy policy is your best mechanism for communicating your data privacy practices to your customers and regulators. Besides its utility as a transparency and communication tool, several data privacy laws, including the California Consumer Privacy Act, require annual review and publishing of company privacy policies.
The annual review provides an opportunity for your business to confirm the information published in the policy is current and accurately reflects your practices. Knowing what type of personal data your business collects and why is pertinent, as you will need to disclose the type of personal data collected and scope of use for that data.
To provide the utmost transparency to customers and others interacting with your business, carve out an area of your website to house the current version of your policy, with a linked archive to versions from the past three to five years. When updating your policy, provide a summary at the top or bottom of the new document identifying what changed from the previous year.
Consider How Your Business Responds to a Data Subject Access Request
Knowing what type of personal data your business collects and being transparent about it are important steps toward compliance, but what will your business do if a data subject exercises their right of access under applicable law? What if they ask you to delete their personal data from your systems?
Jurisdictions with data privacy laws and regulations provide various rights for individuals, with an underlying right that a person can “access” the data a company holds about them. Under the EU-GDPR and CCPA, data subjects can ask a company the types of personal data collected and what specific pieces of their personal data the company holds. Both laws also provide a right of deletion: an individual can ask a company to permanently remove their personal data from their systems, and in most circumstances the company will need to comply with the request within the legal timeline.
Establishing an internal process and procedure for timely responding to these types of rights requests is vital for any business subject to a data privacy law or regulation creating these rights. The key is identifying where the distinct types of personal data are stored on your systems, understanding which individuals in your business have access to those systems in order to assist in processing these requests, and maintaining a structured workflow to ensure proper oversight and ownership of this process.
Create and Enforce a Data Retention Plan
Developing and maintaining a data retention plan for your company will help minimize the amount of personal data your business collects, facilitate internal organization to effectively respond to data subject access requests, reduce the amount of storage and personal data for which you are responsible, and overall increase your company’s strength in the area of data privacy and security.
In setting up a data retention plan, you should make sure it addresses (i) what information is covered; (ii) the timelines you are required to keep such information, which may differ under federal or state law; and (iii) how your company will destroy or remove personal data from your company’s document management system.
The timelines and requirements your data retention plan sets forth should be reasonably enforceable to ensure compliance is achieved.
Maintain Appropriate Privacy Contractual Controls
Knowing what personal data you hold and where it is stored is not enough. Your business also needs to be continuously aware of others with whom you share personal data, especially third-party sub-processors. Data sharing relationships are often spelled out in contractual provisions or addenda. If you work with entities in different countries, cross-border controls such as standard contractual clauses may also come into play. It is important for your business to understand how personal data flows through your company systems, and to keep in mind data sharing interactions throughout the course of your business functions, ensuring the proper controls are in place.
Layer Your Security Controls
An important step in ensuring your company is secure is addressing who has access to the personal data your company stores. Security controls and tools you should consider using include physical controls, digital security controls, and cloud security controls.
- Physical security controls generally refer to traditional methods of security such as locks, guards, or access key cards that limit a person’s access to certain areas where personal data is kept, stored, or accessible.
- Digital security controls limit a person’s access to your businesses systems through detailed password requirements, antivirus software, or multi-factor authentication (MFA). MFA is a highly-effective tool, as it has been found to prevent up to 99.9 percent of data security hacks.
- Cloud security controls require coordination with your cloud services provider to ensure the necessary protections are in place to prevent unauthorized access to the stored data and workloads.
Educate Your Workforce
Lastly, your employees are your best defense against phishing and other cyberattacks. If you have not already done so, it should be your 2022 resolution to plan regular cybersecurity trainings for your employees. The trainings should make employees aware of what types of attacks exist and how to identify signs and risks that could expose the company to an attack.
Implementing clear and reasonable enforceable policies and procedures will help your employees know what their responsibilities are, how they can fulfill those responsibilities, and how to react promptly in the case of a data breach.
While cybersecurity and data privacy is sometimes focused on the technology itself to prevent data breaches, it’s important to account for the human element and ensure all employees understand their responsibilities in protecting your company’s security.
What’s New with U.S. State Legislation?
To date, three states – California, Colorado, and Virginia – have enacted consumer data privacy laws that cover many of the topics above.
- California: Currently, the California Consumer Privacy Act of 2018 (CCPA)[2] governs consumer data privacy in California. On January 1, 2023, the California Consumer Privacy Rights Act (CPRA) will take effect, implementing additional consumer data privacy laws. The CPRA does not replace the CCPA but rather adds to it by expanding individual rights, introducing new governance measures, and creating the California Privacy Protection Agency.
- Virginia: In Virginia, the Consumer Data Protection Act (CDPA)[3] also becomes effective at the beginning of next year on January 1, 2023. Similar to the CCPA/CPRA, the CDPA prescribes responsibility and privacy protection standards for businesses that handle or process personal data. Enforcement of Virginia’s CDPA will be by the Attorney General.
- Colorado: In Colorado, the state legislature enacted the Colorado Consumer Protection Act (CPA)[4] which takes effect on July 1, 2023. The law addresses consumers’ rights and the responsibilities of businesses that handle or process personal data. Similar to Virginia, the Attorney General will be the enforcer for any violations.
In preparation for 2023, businesses will want to become more familiar with the additional requirements of the CPRA, the Colorado CPA, and the Virginia CDPA.
What’s Going On at the U.S. Federal Level?
The United States is lagging in producing a comprehensive data privacy law at the federal level. Dozens of privacy-related bills have been proposed over the past decade from both sides of the aisle and in both the House and Senate chambers. These bills deal with narrow data privacy-related issues such as facial recognition and artificial intelligence or access to records by law enforcement.
In the absence of a comprehensive federal privacy law, some suggest the U.S. Federal Trade Commission may promulgate and enforce an overarching, non-sector specific privacy rule, although any efforts in that direction have not yet been fully explored or finalized.
Please contact your Varnum attorney or any member of the firm’s Data Privacy and Cybersecurity practice team with questions on how you can best protect your or your business’s private information.
[1] There are multiple definitions of “personal data” or “personal information.” While worded slightly differently, they all promote the same understanding of what constitutes personal data. For the purposes of this article, we chose to use the definition provided by the European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
[2] Cal. Civ. Code §§ 1798.100 et seq. Note: the CCPA/CPRA has certain threshold requirements before its provisions apply. Generally, a business is subject to the CCPA/CPRA if: (1) it does business in the state of California, and (2) it meets one of the following criteria: (i) have an annual gross revenue of more than $25,000,000 in the preceding calendar year; (ii) buys or shares personal information of, 1000,000 or more consumers or households; or (iii) derive 50% or more of its annual revenue from selling consumers’ personal information.
[3] 2021 H.B. 2307/2021 S.B. 1392. The CDPA also has threshold requirements for its application. Generally speaking, CPDA applies to business that either conduct business in Virginia or target Virginia residents through their products or services, and (1) controls or processes data of at least 100,000 consumers or (2) controls or processes personal data of consumers and derives over 50% of gross revenue from the sale of personal data.
[4] Colo. Rev. Stat. § 6-1-1301 et seq. The CPA also has its own threshold for application requiring that the business conduct business in Colorado or produces or delivers commercial products or services to Colorado residents, and (i) control or process the personal data of at least 100,000 consumers during the calendar year, or (ii) derives revenue or receive a discount on the price of goods or services from the sale of personal data.