For businesses that need to decide how much to invest in their data privacy projects, enforcement trends are a key piece of data. The main data privacy regulation affecting businesses over the past several years has been GDPR, and enforcement is only toughening. There have been more than $300 million in fines since the law went into effect. With new data privacy laws coming in California and other locations in the United States, data privacy projects remain critical work.
Many proposed new data privacy laws have similarities to the EU’s General Data Protection Regulation, so it’s worth taking a look at what that law requires:
• inform people why their data is being collected
• get people’s agreement to use of their data
• collect only the data needed for the agreed purpose
• use data only for the agreed purpose
• allow people to review and correct their data
• allow people to request deletion of their data
• store personal data securely
Companies that fail to meet the GDPR requirements are subject to significant fines; regulators have taken more than one hundred enforcement actions. Some of the biggest include:
• Google – €50 million
• H&M – €35 million
• TIM – €27.8 million
It’s worth noting that actual data breaches, i.e. security incidents, are not the primary cause of GDPR fines. Most fines are imposed for failures of governance and for policies that don’t limit the use of data once it’s collected. Other fines are due to failures to correctly inform individuals that their data is being collected and used; GDPR requires a form of “informed consent” that isn’t met by burying details inside a lengthy statement of terms. The consent must also be active, so requiring users to opt out of data usage, although common, isn’t acceptable either.
Although not the primary cause, there are of course numerous cases where security incidents are the trigger for GDPR regulatory actions. The loss or misuse of data related to even a single customer has resulted in significant fines.
Future GDPR enforcement actions are expected to focus on companies’ failure to properly address data access requests and their inability to delete customer data. Enforcement related to how third parties protect customer data shared with them is also expected to increase.
Data Privacy Laws in the US
Many American businesses were affected by GDPR because they served EU customers, but other businesses in the US are only starting to feel the effect of data privacy laws due to new regulations in California. The California laws are similar but not identical to GDPR, requiring businesses to get customers’ permission to collect and use data. Other jurisdictions are considering their own data privacy laws.
As data privacy laws continue to spread across the US, businesses will need to take steps similar to those involved in preparing for GDPR. The primary tasks are to understand where the protected data exists and to ensure it is secured and not used without authorization.
Tools from Veritas help businesses discover the data they’ve collected and ensure it is managed in compliance with GDPR, the California Consumer Privacy Act, California Privacy Rights Act, and other data privacy regulations. Contact VAST IT Services to learn more about using Veritas tools to protect data and customer privacy.