10 Steps for Tackling Data Privacy and Security Laws in 2020
Data privacy laws, such as the CCPA, GDPR, and HIPAA, are here to stay and significantly impact everyone in the digital era. These steps will guide organizations to prepare for compliance and ensure they support the fundamental privacy rights of their customers and users.
By Anas Baig, Product Marketing Lead at SECURITI.ai.
Data privacy is real, and it is here. Organizations are already scrambling to get compliant with data privacy regulations such as the CCPA and GDPR. According to the UN, 107 countries (of which 66 were developing or transition economies) have put in place legislation to secure the protection of data and privacy.
Apart from avoiding fines, there are advantages to complying with data privacy laws. According to a 2019 Cisco survey, “97% of companies realized benefits such as competitive advantage or investor appeal from their privacy investments”.
With all that being said, organizations need to have a definite plan to comply with these regulations. To help you on this journey, here are ten steps that can help organizations tackle data privacy and security laws in 2020.
1. Set Expectations
Compliance is not a one-time task but a slow and continuous effort. Building a solid compliance and risk management program takes time, resources, and dedication. It also requires support from organizational leadership, so keep senior management in the loop from the beginning, informing them of both the cost of building a successful program and the cost of non-compliance.
2. Build Your Team
The IT department cannot resolve the challenge of keeping data secure and private on its own. Technological protection is crucial, but it cannot replace sound administrative and organizational controls. Organizations should create teams with representatives from sales, finance, R&D, marketing, operations, legal, HR, and IT. Together, the team should combine deep institutional knowledge with a thorough awareness of data laws and apply both to the business, considering how data is used and the potential threats involved.
3. Keep Your Policies in Writing
Organizations need to keep a written record of all their data privacy policies. Written policies ensure consistency and support disciplinary action if any rules are violated.
4. Verify Vendors
Privacy regulations can hold the organization responsible for a data breach that occurs on a third-party vendor's end. A recent Deloitte poll found that “70% of respondents indicated a moderate to a high level of dependency on external entities such as third-party vendors”. Organizations must assess their vendors before starting a business relationship with them to avoid fines.
5. Accurate and Accessible Communication
Under privacy regulations such as the CCPA and HIPAA, organizations are required to make their data privacy and security practices visible to the public. Inaccurate statements that overstate security can lead to lawsuits alleging deceptive trade practices. Organizations need to make sure that their policies are accurate and easily accessible.
6. Know the Law
Your legal team doesn't need to be full of lawyers; it needs people who are aware of legal mandates and have a general sense of where the law is headed. Participating in trade and industry groups can be helpful, as can subscribing to dedicated legal resources and blogs.
7. Training and Awareness
With the recent rise in phishing attacks, organizations should offer role-based training to all their employees. The training should include general security awareness sessions that reduce data risks and help employees better understand and comply with company policies. It is also important to teach employees how to use VPNs, antivirus software, firewalls, and other security tools to limit their exposure online.
8. Embrace Technology
To effectively implement the guidelines, your company will have to make changes and upgrade its system software. Because such updates can take months, it is wise to file IT change requests as soon as possible. Failure to update your systems could result in significant legal exposure related to the collection, disclosure, and erasure of personal information.
9. Automate Your Operations
Regulations like the CCPA and GDPR have made it clear that manual methods are no longer feasible. It would be virtually impossible to comply with current and future regulations without automation. Robotic automation can help organizations comply with these regulations swiftly and efficiently.
10. Be Reasonable with Your Policies
Organizations need to make sure that their data security safeguards are reasonable. “Reasonable” may not be easy to define, but it should be the guiding principle of your security program.
In this digital era, organizations are shifting all their data to the cloud, and data privacy regulations are at an all-time high. It is necessary for organizations to set up a plan that will help them towards compliance. It may seem like a large expenditure, but organizations could be in for a lot more if they fail to comply with regulations such as the CCPA and GDPR.
Data privacy is a person’s fundamental right, and companies need to work towards upholding their consumers’ rights. To do so, organizations should follow the 10 steps shared above to comply with privacy laws.
This is the start of a new digital era; the question is, are you prepared for what's about to come?
Bio: With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley-based company SECURITI.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.