Wake Up America: Despite Slow-Moving U.S. Consumer Privacy Regulation, Organizations Must Approach Privacy and Security Critically
According to several cybersecurity reports, a significant amount of data breaches and security incidents are caused by employee negligence or error. Although most of these data breaches are unintentional, it is critical that your organization put in place forward-thinking privacy and security programs to mitigate risk and protect your business.
Privacy became a critical point of focus for many global organizations when the European Union enacted the General Data Protection Regulation, a law that seeks to better protect the personal data of individuals in the EU. While many individuals across the world were already skeptical about how organizations used their personal data, the GDPR spurred further concerns over data ownership and secondary data usage – and put the onus on businesses to comply and ensure personal data is properly processed. Moreover, it drove many of those same organizations and others to consider adopting the GDPR’s privacy principles and security measures across all personal data processing activities.
The future of privacy and security remains somewhat unclear and situationally dependent for every organization, but what we do know is that employees must be educated, trained, and held accountable on privacy and security compliance measures.
Furthering the critical notion of employee-wide training is the fact that regulatory penalties and data breaches impact companies across the globe. Recently, companies like Google, British Airways, Equifax, and Marriott faced significant regulatory penalties for data breaches that exposed individuals’ personal data. Many of these breaches can be attributed to criminal hacking, but also stem from unaddressed internal vulnerabilities and security culture failures.
Privacy and security continue to evolve as global concerns. The GDPR has certainly catapulted other jurisdictions to consider and pass data protection and privacy legislation. However, the United States’ failure to do so has incited some states to create their own patchwork of privacy legislation. California was the first state to do this with the California Consumer Privacy Act. The Act is currently set to go into effect on January 1, 2020, and a multitude of other state privacy laws loom behind it. Without critical and timely preparation efforts now, many organizations will arguably be unable to sustain and comply with the forthcoming plethora of data protection and privacy laws.
Don’t wait for new data protection and privacy regulatory penalties.
Every U.S. organization needs to ensure its employees, regardless of role, understand the key tenants of privacy and security. While many default to thinking a topic like data protection and privacy compliance falls under the purview of legal professionals, experts from the International Association of Privacy Professionals agree that a joint committee of legal, practical, and operational expertise provides stronger privacy and security risk mitigation, and ensures the best approach towards compliance.
IAPP points to Facebook’s recent challenges, with the organization becoming the source of one of the largest breaches of personal data to date, as a strong example. The organization had support of a full, competent legal team, security team, and data protection management program at the time of this breach, but still exposed itself to risk when business teams, engineers, and operational leaders were not regularly involved.
Legal expertise is certainly required to thoroughly understand legislation and accurately craft policies and contracts; however, it can’t fully protect your organization without operational compliance and widespread knowledge to carry out preventative policies and procedures.
Use your legal, information technology, and information security departments to develop and implement privacy and security programs.
While everyone in the organization is ultimately responsible, your legal and IT departments are typically the first touchpoints to initiate and maintain privacy and security programs, policies, and procedures.
Your legal department (often alongside your CEO and board) is likely to determine the strategic approach your organization will take to address data-related risks. This includes how both current and upcoming legislation are expected to impact the policies and programs that govern how your organization operates.
Likewise, your security and IT departments should closely collaborate with the legal department to develop and operationalize privacy and security programs, policies, and procedures. Selecting and adhering to a framework will ensure alignment with industry best practices. That not only better positions your organization to address privacy and security risk like vendor alignment, but also manage partner privacy and security requirements on your own.
To confirm information about applicable laws and regulations is disseminated to all employees, you may also consider identifying a cross-functional leadership team to work with your legal department. Lastly, never forget that continuous training is critical as both your organization and the data protection and privacy legal landscape evolve.
Protect employee and job candidate personal data through a partnership with human resources and talent acquisition.
HR and talent acquisition departments are responsible to safeguard all personal data received from employees and job candidates. This includes typical job application fields such as age, address, and marital status as well as salary details and information collected during the interview and screening process.
When thinking about overarching privacy and security issues, HR and talent acquisition stakeholders need a regular outlet to bring forward transparency on current information collection processes and their use of technology. This way, they are prepared to navigate this evolving landscape and are aligned with your organizational objectives to proactively seek out risk mitigation.
To quickly comply with current and pending legislation, HR can likely repurpose their GDPR remediation plans to comply with the California Consumer Privacy Act and future privacy laws. As a reminder, another critical aspect of data protection and privacy compliance for HR and talent acquisition teams is the appropriate vetting and oversight of third-party vendors. As such, organizations must initially and continually assess all third-party vendors for activities such as background checks, resume parsing, and other activities that are involved in processing personal data.
Compliance burdens and responsibilities to secure personal will increase as your organization gains more access to it. At the same time, publicized data breaches continue to have mounting repercussions, like tarnishing brand reputations and heightening concerns among employees, consumers, and vendors alike. Therefore, your organization’s current and future success hinges upon the steps you take now to ensure compliance and mitigate privacy and security risks.
By Josh Torres
Josh Torres serves as corporate regulatory & privacy counsel at iCIMS, Inc. Torres brings more than 10 years of corporate law experience to iCIMS, including a highly regarded specialization in privacy law. Torres is one of a select few members to be named a Privacy Law Specialist (PLS) by the International Association of Privacy Professionals (IAPP), an exclusive designation that recognizes a select group of leaders that successfully demonstrate a knowledge of relevant privacy laws, regulation and technology; a commitment to staying ahead of new developments in the field; and substantial time devoted to practicing law related to safeguarding personal information.