Emerging Data Privacy Considerations – GDPR, CPRA, VCDPA, and More!
As legislation continues to emerge regarding data privacy, data protection, and cybersecurity, it is more important than ever for companies to take steps to identify and safeguard critical private information of customers, vendors, and employees. Below is a sampling of emerging data privacy legislation:
- The General Data Protection Regulation (GDPR) – effective May 2018 – protects personal data of EU residents
- California Consumer Privacy Act (CCPA) – effective Jan 2020 – protects personal data of California residents
- California Privacy Rights Act (CPRA) – effective Jan 2023 – expansion of CCPA, introduces consumer rights and new business requirements
- Virginia Consumer Data Protection Act (VCDPA) – effective Jan 2023 – protects personal data of Virginia residents
- Colorado Privacy Act (CPA) – effective July 2023 – protects personal data of Colorado residents
- Utah Consumer Privacy Act – effective Dec 2023 – protects personal data of Utah residents
- China Personal Information Protection Law (PIPL) – effective Nov 2021 – protects Chinese consumer data, along with existing cybersecurity and data security laws
As the landscape matures, one thing is clear – companies need a universal data privacy and security framework to address the numerous requirements locally and around the globe.
Here are some key steps you can take to ensure your company is prepared to tackle data privacy compliance:
Step 1. Perform a Data Mapping
Identify personal data including types, locations, and security measures
Start by taking an inventory of systems, interfaces, and records. Tools can assist in the discovery process, or you might already have a spreadsheet, Configuration Management Database (CMDB), or another inventory in place. Once you have identified systems, you will want to define the types of data being stored or transmitted by those systems. Is it personal information of customers, vendors, or consumers? Is it encrypted or in plain text? These are the types of questions to document and answer
Step 2. Conduct a Gap Analysis Against an Established Framework
Look at data privacy requirements to see what is already in place and what’s missing
Identify the data privacy frameworks and regulations that apply to you. Where do you do business? Where are your customers or users located? Once you have identified the frameworks with which you need to comply, then you can perform a structured analysis to see where you have compliant procedures in place or where you have gaps.
Step 3. Develop an Action Plan and Roadmap
Create a remediation plan that includes a target date, owners, risk level, and actionable steps
It is important to identify action owners and timelines when addressing gaps identified during Step 2. You may need a project manager to drive the effort, and you will need ongoing monitoring and updates to ensure your team stays on track.
Step 4. Perform Necessary Remediation Steps
Address issues based on priorities such as highest risk or easiest win
It can be difficult to fill all gaps in a short amount of time, so you will want to make sure to remediate gaps according to a defined list, based on priority. For example, you may choose to implement fixes for the highest risk areas first, or you might aim to remediate the most areas in the shortest amount of time. The best approach depends on your business and your specific compliance needs.
Step 5. Conduct a Post-Remediation Assessment
Analyze whether fixes are working and how they can be improved
Some data privacy regulations require assessment as part of compliance, while it is simply good practice for compliance with others. Either way, it is extremely beneficial to perform an assessment of the environment after the majority of gaps have been corrected, so you can have a clear understanding of your compliance status and any additional steps necessary. It is typically best practice to use an independent third party when conducting this assessment.
The road to data privacy compliance can be challenging, with many questions along the way. And the consequences for non-compliance can be costly, including fines and penalties, negative media coverage, damage to a company’s reputation, etc. For example, GDPR has been widely enforced and has led to numerous fines, including some notable penalties below:
- Amazon – $877 million fine
- WhatsApp – $255 million fine
- H&M – $41 million fine
- British Airways – $26 million fine
If you are unsure how to achieve full compliance, our seasoned team of data privacy experts can help. Bridgepoint Consulting can guide your organization through each step of the process, including data mapping, developing and executing your action plan, and conducting post-remediation assessments. Learn how here.
By John Patrick
John has deep experience across a multitude of skill sets, including cybersecurity and data protection policies, procedures and best practices, IT audit, security, risk, and compliance.