GDPR & CCPA Are Just the Beginning

Meanwhile, in June 2018, Alabama became the 50^th and final state to adopt a data breach notification law, introducing a 45-day written notification deadline for all breaches affecting over 1,000 Alabama residents.

While the U.S.'s data privacy regime has begun to take shape in a piecemeal, state-by-state fashion, national legislation isn't outside the realm of possibility. Democratic senator Ron Wyden, one of Congress's best-known privacy hawks, has begun circulating a draft bill that would expand the FTC's powers. The bill would establish privacy and cybersecurity standards, while giving the FTC the power to fine companies for their first offense.

Brian Schatz, the senior senator from Hawaii, introduced his own bill, co-authored with 14 other Democrats, in December. The Data Care Act of 2018 would require companies to "reasonably secure" identifying information and vow not to use it in harmful ways.

The Unique Compliance Challenges Facing Middle Market Firms

Despite last year's GDPR deadline, many organizations are still struggling to implement all the data privacy compliance standards required of them. Several large companies have already faced substantial fines from the European Commission for failing to adequately protect personal data from breaches and/or properly disclose how their consumer data was being collected or used. Others have been fortunate to avoid penalties thus far, but any lingering leniency has come to an end.

Companies of all sizes face unique challenges when it comes to ramping up their privacy governance and compliance programs. While larger organizations might have the budget, companies of all sizes are strapped for resources to support the heavier compliance burden.

Then, there's the fact that there are still some organizations that haven't taken the GDPR as seriously as required — or are operating under the false assumption (or hope) that they fall outside its jurisdiction. According to BDO's 2019 Inside E-Discovery & Beyond Survey of corporate counsel, just 2% of respondents believe the GDPR doesn't apply to them. Those 2%—and any other late adopters — have a much steeper hill to climb to get into compliance with the CCPA and other U.S. legislation.

Efficiency and expediency are therefore key: Organizations need to harmonize disparate rules and regulations to avoid redundancy and streamline compliance efforts. Automating data discovery and individual data request responses can also yield significant efficiencies. And in some cases, outsourcing data privacy and protection management can be more cost-effective and less time-intensive than hiring or retraining internal employees.

Implications of Data Privacy Regulations

If there was any doubt, it's now abundantly clear: data privacy regulation comes with real teeth. Companies that violate the GDPR are potentially on the hook for up to 4% of their gross annual turnover — and fines upward of $200 million have already been levied. With the growing number of Data Protection Commissions staff in the EU growing, companies can only expect greater scrutiny and enforcement in the GDPR's second year. The CCPA's fine of $7,500 per violation might seem relatively small in comparison, but if you consider a tech company with 1 million+ users, the potential for a minimum statutory damage of $100 up to $750 per affected California resident adds up pretty quickly. Throw in a class action lawsuit, claimed damages could lead to exorbitant costs for companies.

Even if an organization evades regulatory action, the reputational impact and loss of trust can be just as damaging. In the wake of a privacy breach, customers may pull their dollars and move to a competitor. They may even launch public campaigns against those organizations that failed to protect customer's personal information (PI).

By putting individuals in the driver's seat, the GDPR, CCPA and other emerging data privacy regulations have dramatically changed company-customer relationships — and how businesses view customer engagement. Because individuals now have the right to withdraw consent at any time, as well as demand disclosure of how their data is being collected, processed and shared, the burden falls to companies to prove and record how an individual agreed to certain actions.

Consequently, there are far-reaching implications for every business department. Sales and marketing teams will need to reevaluate the way they prospect and manage their marketing campaigns (especially those that are digital). Legal departments will have to continuously review all existing and forthcoming privacy regulations to update necessary disclosures and ensure program compliance. IT will be on the constant lookout for new cyber threats and will be on the hook for insufficient training or company negligence.

However, the growing compliance burden is not without blessings. Organizations that take data privacy seriously will be able to build up trust and loyalty with their customers and in their brand. It will also level the playing field: All things being equal, customers will opt to entrust their data to firms with strong, documented privacy and cybersecurity practices.

Improving Data Privacy & Security: The Road Forward

Shoring Up Data Privacy

With all this in mind, how can companies prepare to face the numerous data privacy regulations ahead?

If they haven't yet, they should start or continue to:

• Interview the teams primarily responsible for interacting with particular types of data, as well as relevant service providers;
• Identify and map their data sources, whether it's in-house or external to their operations;
• Operationalize their privacy policies to drive employee compliance and enforce non-compliance;
• Gather documentation to update and maintain data registers, logging information about processes and systems that store personal and sensitive information;
• Train employees regarding their responsibility to protect personal information (and continue to do this on a regular basis);
• Restructure data retention and classification capabilities by updating records retention schedules, developing more stringent data disposition practices and developing and updating data classification programs; and,
• Ensure that their online privacy policies and notices match their actual practices.

Companies seem to be taking a less aggressive approach in their CCPA preparations than they did with the GDPR. Nevertheless, those affected by the former — including organizations that operate in California and collect personal information of California residents, their households or electronic devices — need to be aware that being GDPR-compliant does not necessarily prepare them for also being CCPA-compliant.

But there is a way forward. Those that are affected by the CCPA but have not yet instituted a GDPR individual rights response program should now establish a CCPA consumer rights management program and integrate the two. To do this, they will first need to consider the teams currently in place who manage customer requests or provide help desk support; the necessary infrastructure may reside within those teams. Then, they should consider the staff and whether they have the capacity or ability to respond to and track consumer requests. If not, they should consider adding resources, both technology and customer service.

Finally, companies should begin documenting their processes now. With a 12 month "look back" requiring companies to catalog, preserve and be prepared to disclose PI dating back 12 months before the CCPA's effective date, organizations will need to have current information about how they use and share data.

*****

Karen A. Schuler is a Principal, Governance, Risk & Compliance National Leader at BDO USA. As founder of one of the first digital forensics consulting firms in the 90's, she quickly became a thought leader in the areas of e-discovery and digital forensics and focused on intellectual property, securities and insider trading investigations. Over the years she has authored wide-ranging information governance, data protection and e-discovery books and articles and has provided expert testimony for several high stakes litigations, among being named an expert in more than 100 cases over the last 15 years.