Emerging Data Privacy and Protection Laws: GDPR, CCPA and beyond
Introduction
Data Privacy has become a major concern for customers before initiating any transaction that requires sharing any sensitive data with the organization to avail its products or services. Data Privacy violations such as Cambridge Analytica and Facebook data misuse scandal, in which the personal data was acquired without consent, harvested with psychological insights, and used for political advertising have spur doubts among individuals on how their data is managed is used by companies. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks have all occurred over 2020. Report from “Risk based security” declared year 2020 as the “worst year on record” revealing a staggering ~36 billion records exposed through the end of Q3. Despite pandemic and economic slowdown, cyber attackers have not given anyone a break this year. (List of the biggest data breaches of 2020).
According to Gartner — “By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today”. With the increase in customer concerns over the protection of their sensitive data privacy, compliance to the impending avalanche of privacy regulations is of paramount importance for organizations to regain customer trust. Following the introduction of GDPR (Global Data Privacy Regulation) in 2018, more than 60 state and federal jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws. These include Argentina, Australia, Brazil, Egypt, India, Israel, Japan, Kenya, Mexico, Nigeria, Panama, the U.S., Singapore, South Africa and Thailand. The modern regulations define a range of requirements enabling a cradle-to-grave data privacy across the enterprise — collect, store, process, retain, share, and forget the personal data of individuals (customers, employees, prospects etc.). However, it is very challenging for companies to do so because data sprawls massively across systems and vendors. This article focusses on understanding and comparing few of the prominent data regulations, and what are the main areas to address in formulating any data privacy strategy.
A sweeping view of what’s Sensitive: Definition of Sensitive Data
Before we talk about the different regulations, it is important to get a holistic view of what categorizes as sensitive data.
“Sensitive Data includes information about an individual that (1) can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; (2) is linked or linkable to an individual, such as medical, educational, financial, and employment information; (3) falls within the definition of “personal information” under Md. Code Ann., General Provisions § 14–3501(d); or (4) falls within the definition of “personal information” under Md. Code Ann., St. Govt. § 10–1301(c).”
Some of the common types of sensitive data are:
· Personally Identifiable Information (PII) — any data that can be used to identify or trace an individual identity. Some of the commonly considered examples of PII are: Social Security numbers, mailing or email address, and phone numbers, IP address etc.
· Protected Health Information (PHI) — as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA): any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.
· Payment Card Industry Data Security Standard (PCI DSS) — an information security standard that optimizes the security of organizations’ payment cards information.
· Education records — as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.
· Customer information — as defined by the Gramm-Leach-Bliley Act (GLB Act, GLBA or the Financial Modernization Act of 1999), requiring financial institutions to explain how they share and protect their customers’ private information.
There are variations in the definition of sensitive data information that different data regulations are trying to protect. It is imperative for any organization to set-up a lifecycle for managing sensitive data, including but not limited to, its definition, discovery, defense, monitoring and retention phases.
Understanding Data Regulations
“Privacy is not something that I’m merely entitled to, It’s an absolute prerequisite” — Marlon Brando
Privacy is everyone’s right and companies need to honor that right at a granularity of an individual in terms of Data Protection, Data Access, Data Deletion, and breach notification. Virtually every country has enacted some sort of privacy laws, here is a list of some of the leading regulations:
General Data Protection Regulation (GDPR)
This regulation introduced in 2018, applies to all the residents of all the 28 member counties in European Union, regardless of the company’s location that collects data. Explicit consent is a major requirement before collection of personal data from EU data subjects.
The below rights should be communicated to Data Subjects in a clear, easy to access privacy policy on the organization’s website:
· Right to be Informed — about the collection, storage, and usage of their personal data when the data is obtained. Also, information about the third parties if any data is shared with them.
· Data Subject Access Request — (DSAR) Readable report of all the data on a subject
· Right to Rectification — right to rectify if any data is incomplete or inaccurate
· Right to Erasure — delete all personal data on certain grounds upon request within 30 days
· Right to Restrict Processing — refuse to have their data processed, including automated profiling
· Right to Data Portability — request data to be transferred from one electronic system to another at any time safely and securely without disrupting its usability.
· Right to Object — object to how their information is used for marketing, sales, or non-service-related purposes. Opt-out of specific services.
· Right to be Notified of a Breach — 72-hour window to inform subjects and supervisory authorities about data that has been exposed through unauthorized access.
GDPR compliance requirements include staffing new positions in the organizations such as a Data Protection Officer (DPO) and a Chief Privacy Officer (CPO).
GDPR mandates a maximum of a month’s time for organizations to respond to DSARs
US Data Privacy Laws
There is no overarching federal law that governs data privacy in USA but a beehive of federal and state privacy laws. Listing few of the recent state data privacy laws.
California Consumer Privacy Act (CCPA)
CCPA data protection law went into effect on January 1, 2020 in California, borrows many concepts
from the GDPR, affects organizations that collect and use personal data about residents of California state. The personal data that is protected is substantially similar but CCPA definition also includes information linked at the household or device level (IP address etc.).
Consumer Rights under CCPA include -
· Right to Know — what personal information is being collected about them
· Right to Disclosure — whether their personal information is sold or disclosed and to whom.
· Right to Opt-Out — say no to the sale of personal information.
· Right to Access — the personal information stored about them.
· Right to Non-Discrimination — equal service and price, even subjects exercise their privacy rights.
· Right to Erasure — deletion of all the data held on a subject upon request, with certain legal exceptions.
Unlike the GDPR, CCPA does not require the appointment of a dedicated data protection officer, or any similar role (including a chief privacy officer, or CPO).
CCPA allows a 45-day window for organizations to respond to DSARs, with extensions of up to 90 days permitted.
New York SHIELD Act
Stop Hacks and Improve Electronic Data Security (SHIELD) Act is fully enforceable in March 2020, amending New York’s existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. It provides better protection for New York residents from data breaches of their personal information and broadens the scope of consumer privacy.
Inspired by GDPR and then CCPA, there are many state bills addressing data privacy in different states
Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)
LGPD Brazil version of GDPR, came into effect from September 2020, apply to any organization that stores or processes personal data about the citizens regardless of where they are located.
Personal data is more precisely defined under LGPD, including information such as that concerning an individual’s racial or ethnic origin, health or trade union membership.
LGPD is broadly similar to GDPR in data security, consent for processing and data transfer.
Data Subject Access Requests (DSARs): the same fundamental rights of access, including right to correction and right to erasure, as the GDPR does for EU citizens.
LGPD requires the appointment of a dedicated data protection officer (DPO).
LGPD mandates a tight 15-day window to respond to DSARs, which might require considerable automation in DSAR reporting.
South Africa: Protection of Personal Information Act (POPIA)
POPIA comes into effect in July 2021, restricted to organizations that are either based or process personal data in South Africa including the cloud infrastructure region is South Africa.
POPIA is still very similar to the GDPR, sharing much the same guiding principles, including accountability, transparency, security, data minimization, purpose limitation and the rights of data subjects.
The scope of personal data is more extensive, covering not only the information you collect about individuals but also about companies and other types of organization, including biometric data, religious or philosophical beliefs, ethnic origin, trade union membership, political persuasion, sexual orientation
Under POPIA organizations don’t generally need to seek consent to collect an individual’s personal information.
The POPIA grants data subjects similar rights of access, correction and erasure as the GDPR. POPIA designates the role of information officer with similar responsibilities to those of a data protection officer (DPO) under the GDPR.
Journey Towards Compliance
Due to so many global and state regulations, it is important to define a data privacy strategy at corporate level that meets the different stipulation of each law. For being a Compliant Company, there are a wide range of actions and decisions an organization must make beyond IT security of digital assets, to include streamlining business processes and setting up business and technical controls.
Focus on the assessments of below areas in the compliance journey –
Analyze — Examine data across all touchpoints in which personal information is collected and utilized. Who has access to it? What personal data elements are gathered? What is the type and format of data stored?
Inform — Organizations must notify individuals the purpose for collecting personal data from them.
Security — Revisit the existing set-up for sensitive data protection based on the security objectives: Confidentiality, Integrity and Availability (CIA triad) and ensure reasonable precautions are taken for Data access control, protection — encryption, pseudonymization, masking , and retention etc.
Consent — Give individuals an option to authorize (or Opt-out) if the personal data collected can be shared to a third-party or processed for providing other services.
Access — DSRs are a new customer right, plan on how this process can be automated. Evaluate the data collection points and information-sharing policies, such as application programming interface (API) integration, to capture information and communicate to the customer. Also, mechanisms should be available to execute requests such as Right to erasure.
Governance and Change management. Data Protection Office (DPO) should coordinate all supporting programs and projects, facilitate funds by ensuring sponsorship from senior leaders.
Since there are different stipulations for each regulation, the same preparation and action plans might not work as-is to comply with the new regulations being legislated but a robust framework will enable to adopt to different intricacies.
Conclusion
Compliance will be a continuous journey for the organizations as each new regulation is enacted. The first step is to identify gaps of the new regulation with the existing ones, including CCPA, GDPR. Next step involves mapping each set of findings to the process steps, PI category, controls to implement and relevant applications. Final step is to create an implementation plan of the data privacy strategy — discovery, defense, and detection requirements.
Going forward there will be requirements when multiple organizations need to collaborate to build a mutual, robust machine learning model for solving common issues in a domain, without openly sharing their data with each other. For instance — Banks can collaboratively train models to detect money laundering while keeping their individual transaction data private. Healthcare institutions can privately pool their patient data so they can collaborate on medical studies. I was intrigued by a session on secure and collaborative machine learning at ODSC this year from MC2 team. Where they explained how their platform called MC2 (Multi-party Collaboration and Coopetition) enables multiple parties to build a machine learning model while addressing constraints over data privacy and access rights. It would be interesting to see how the traditional organizations, especially banks embrace this idea of collaborative learning considering the privacy concerns lately.
