A Brief History of Privacy Regulations
“We are all now connected by the Internet, like neurons in a giant brain.”
– Stephen Hawking
In the mid-1990s, following hospitals’ adoption of electronic and internet-based health records, Congress first took steps to protect individuals’ data privacy and security by enacting the Health Insurance Portability and Accountability Act (HIPAA).
Fast forward 20 years and we live in an era of data deluge, where individuals are easily identifiable through countless digital interactions, primarily on smart devices. It takes only a quick Google search to see how organizations violate individuals’ data privacy on a daily basis. Governments around the world are now scrambling to protect the privacy of individuals in today’s highly digital world by enacting new laws or modifying existing ones. The European Union’s General Data Protection Regulation (GDPR) and the recently enacted California Consumer Privacy Act (CCPA) are a result of this push to protect individual privacy rights.
“Nothing travels faster than the speed of light, with the possible exception of bad news, which obeys its own special laws.”
― Douglas Adams, The Hitchhiker’s Guide to the Galaxy
Thanks to social media, news of data privacy violations travels fast and far, quickly tarnishing the reputation of a company that fails to protect user data. To protect their organizational integrity, companies must make data privacy a top priority.
Privacy laws have a significant impact on how companies do business, and companies face severe monetary and operational penalties for non-compliance. For example:
- GDPR provides no ceiling for civil damages and a ceiling for regulatory penalties of €20m or 4% of global revenue, whichever is greater.
- CCPA imposes a limit on civil damages for security breaches of $750 per consumer per incident and a regulatory limit of $7,500 per intentional violation, with no overall ceiling.
Regulatory risks are no longer confined to the financial and healthcare industries. They now affect every business that collects, stores, processes, shares, or sells individuals’ personal information.
The Rights and Requirements
"A body at rest will remain at rest, and a body in motion will remain in motion unless it is acted upon by an external force." – Sir Isaac Newton’s first law of motion
Despite variations in scope, application, and enforcement, GDPR and CCPA share common broad requirements and overarching goals. Both laws endeavor to grant consumers greater awareness and control of the data collected about them.
- Notification – In general, organizations are required to tell consumers to whom their data is sent or sold and for what purpose it is processed. GDPR also requires organizations to disclose how long they retain consumer data.
- Request for Personal Data – These laws grant consumers the right to request access to their collected personal data at any time. CCPA limits access to data collected over the prior 12 months, while GDPR does not set a time limit.
- Consumer Consent and Opt-Out – GDPR prohibits processing of personal data without prior consent from the consumer. CCPA does not prohibit collection or processing of personal data but does prohibit the sale of personal information if the consumer has opted out of such sale.
- Deletion – Under these laws, consumers have the right to request that their personal data be deleted.
- Correction – GDPR gives consumers the right to correct errors in their personal data. CCPA includes no such provision.
- Data Security – GDPR requires companies, where appropriate, to encrypt and pseudonymize data. CCPA sets no specific data security requirements but allows consumers to recover damages for an unauthorized breach.
Each right granted to a consumer under GDPR and CCPA requires organizations to better understand and control their data in order to fulfill their obligations under the law. A holistically developed data management framework is critical to complying with these and future data privacy laws.
"Some people don't like change, but you need to embrace change if the alternative is disaster." – Elon Musk
Data privacy regulations affect all aspects of a business: organizations must put in place processes to handle customers’ privacy requests, create new internal roles to handle interactions with regulators, and train personnel on the latest rules.
Broadly, these laws have three types of impact on an organization:
- Operational Impact – How would you do business differently to comply with the privacy laws?
- Technology Impact – What technology changes and new capabilities are required to enable compliance and minimize regulatory and reputational risk?
- Organizational Impact – What new roles and resources need to be identified to enable data privacy?
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." - Albert Einstein
Data officers should take a holistic approach to managing the impacts of data privacy regulations and avoid piecemeal duct-taping of existing processes. These new compliance requirements give organizations an opportunity to assess their other data needs and build better data management practices.
To make informed, analytics-based decisions, organizations need high-quality customer data. Ensuring data quality in turn requires sound data management functionality, including proper Master Data Management (MDM) practices such as data governance.
Data privacy laws are still in their formative stage, with many changes and iterations to come, but they are here to stay and will shape how organizations do business in today’s digital world. Understanding how personal data is managed, assessing the impacts, and implementing flexible data management practices can reduce regulatory and reputational risk and allow your organization to succeed.