The EU Global Data Protection Regulation (GDPR) has ushered in an era of user-controlled data. With the January fine of 50 million euros levied against Google for failing to properly disclose to users how their data is collected and used for targeted advertising, data protection authorities (DPAs) in EU member states have made it clear that they intend to enforce every aspect of the GDPR with “effective, proportionate, and dissuasive” penalties.
The ability to protect personal data has become top of mind across the globe, and individual states such as California are following the EU’s lead, enacting data protection laws that mirror some of the protections in GDPR. The California Consumer Privacy Act (CCPA)—passed in June of 2018—gives residents significant insight into and control over how their data is collected, used and handled.
Its requirements are completely new to the U.S. and from an IT planning and management perspective, the January 2020 compliance deadline is right around the corner. Although the CCPA incorporates certain requirements that overlap with the GDPR’s individual rights requirements, it isn’t modeled after the GDPR. GDPR compliance does not equal compliance with the CCPA.
In addition to the CCPA, 11 other U.S. data protection laws designed to give consumers greater control over their data have been passed in the last year. If you are unsure which of these regulations apply to your organization, you may need to engage the services of privacy consultants, and/or experienced privacy and technology-focused lawyers.
What it Means for Your Security Strategy
While these regulations originate in different states and apply to different organizations, their primary message is the same:
- Protect your data, or pay a steep price.
- More specifically, protect the sensitive data you collect from customers.
How can you protect personal data, and implement the necessary changes for compliance?
Three Keys to Success
Whether it’s the CCPA, GDPR or other data protection and privacy regulations, efforts should be focused on discovering and identifying regulated data, and then managing and protecting it. The majority of requirements can be met through the development and/or maturation of programs many large enterprises have already begun to develop: data-centric security, incident response, and third-party risk management.
Read “Cybersecurity in the Age of Data Privacy: 3 Keys to Success” to find out how you can implement robust data-centric security, incident response and third-party risk programs to help your organization securely collect, store, and use personal data, keep up with the evolving regulatory landscape, and reduce the likelihood and impact of data breaches on your business.