Brands have long walked a delicate tightrope between tracking users for commercial purposes and keeping the resulting data compliant with a hodgepodge of privacy regulations. Could the changes of the last few months be what America needs to finally enact a national privacy law?
Data Protection
Certain types of personal data are very valuable to criminals and can be very damaging to an individual or business if they fall into the wrong hands. As the world becomes more digital and more connected, more of this sort of data is generated and passed between various sources on a regular basis.
Government regulations and supervisory authorities aren’t just about keeping irresponsible parties in line. They also provide vital security guidance to every type of organization that handles sensitive personal, business or government information.
Data protection regulations also ensure that the end user has a transparent view of and a say in the processing of personal data. These safeguards play a significant role in everything from the preservation of civil rights to ensuring that democratic institutions function properly.
Some types of personal data are clear candidates for regulation: medical records, banking information, national ID numbers and so on. But some of these regulations also cover items that might seem relatively innocuous at first glance: home addresses, email addresses, website profile information and so on. For example, the European Union General Data Protection Regulation (GDPR) covers any information that can identify an individual, including phone numbers and social media accounts. People have varying levels of privacy preference for these items, but they are often protected by regulation because they can be used for targeted scams and attempts at identity theft.
Given that regulations often take the size and customer count of a business into consideration, both in setting penalties and in defining the scope of protection for personal data, compliance is particularly important for enterprise-scale organizations. You do not necessarily have to have an active business presence in a country or region to be covered; simply storing data on, or moving it through, servers there may subject you to its data protection rules.
With GDPR making headway in regulating data privacy at an international level, many U.S. states are following suit and passing their own laws and bills to protect consumers' personal data.
The GDPR has influenced the future of corporate compliance at a global level. As the CCPA, the USCDPA and bills in other jurisdictions such as India and Brazil are passed, it is evident that all companies will soon be required to comply with some consumer data privacy measure.
The EU GDPR signals a move towards a technology-based approach that can enforce data protection policies for personal data. What does such a solution look like?
Business leaders around the world are reconfiguring their strategies to prioritize data protection and management. As the world becomes increasingly digitally connected, cyber safety and consumer trust only become more important. Technology continues to grow in complexity, as do our methods for managing it, but it is imperative that we do not forget the human side of risk, too.
As the CCPA comes into effect in the new year, we should expect stricter regulations to unfold both at the state level and nationally. Companies hiring for the CISO role must ensure candidates are informed of the legal expectations and are up to speed with protocols for security incidents.
A Facebook password leak exposed up to 600 million users' plaintext passwords to company employees, and this appears to have been ongoing since 2012. Will this add more fuel to the antitrust fire?
So what does a GDPR data protection officer need to know to step into this role and be effective? The job requires significant experience in both IT and risk management at a minimum, along with other ancillary skills that are important to success in the role.
Even though the NYPA has failed to pass, all is not lost for data privacy: the introduction of the DASHBOARD Act would require commercial data operators to disclose and assess the value of the data they collect from users.
The Ohio law represented a novel approach to data protection by providing a safe harbor if the entity's cybersecurity program conforms to one of the industry-recognized cybersecurity frameworks or federal regulations cited in the Act.