When the European Parliament and the Council of the European Union implemented the comprehensive General Data Protection Regulation law to improve data protection and privacy throughout Europe in 2018, many Arizona business owners didn’t think it applied to them.
But if they do any business in Europe, it does; and with California and Virginia passing similar laws and consumer privacy laws proposed in Arizona and many other states, businesses can no longer afford not to examine their data privacy practices and prepare for a potential federal privacy law.
To avoid severe consequences, companies must take the following actions to reassure customers that their information is kept secure:
Create and/or update privacy policies. Required by law to keep information about consumers located in California, Virginia and European countries secure, organizations must have a privacy policy that outlines how they do so. Policies must address what information they collect, how they collect it (whether a consumer enters it directly on a website or it is indirectly captured through Google Analytics, location data, microphones and cameras or other sources), what they do with it (including when they disclose and to whom) and how long they keep it.
The template policies many companies use are fine as a starting point, but companies must ensure what they say matches what they actually do. Failure to do so can result in lawsuits or FTC enforcement actions, including large fines and burdensome settlement agreements.
Companies following best practices make their privacy policies easy to access through a footer on their home page.
Establish data mapping protocols. Data mapping examines all the data a company collects, where it is located and what is needed. What types of information does the company have? Where does it live and who has access to it?
Contrary to popular belief, responsibility for data mapping does not rest solely on the IT department; in fact, it’s important to include representatives from compliance, security and, especially, marketing. Effective marketing departments gather tremendous amounts of data from direct marketing campaigns and ads — information that, although beneficial, definitely needs to be addressed. Because each of these departments has a different slice of the information and uses it in different ways, it’s imperative that they all be involved in developing the company’s protocols.
The data-mapping team needs to consider information from any source, including websites, apps, phone calls, in-person conversations and lists purchased from third parties. Likewise, data mapping needs to account for the many types of devices collecting information. For example, medical companies need to include MRI machines, insulin pumps, IV pumps and more. Healthcare companies and others with especially complex data-mapping needs may wish to bring in an outside consultant to ensure they address everything properly.
Minimize data collected and keep only what is needed. The privacy laws already in effect in California, Virginia and Europe give consumers the right to see what information a company has about them, including getting a copy of the information. Additionally, consumers have the rights of deletion and correction, requiring companies to delete their data or fix inaccuracies in it when requested. Doing so is complicated, especially when data is spread out over numerous systems and backups, not to mention vendors like cloud-storage providers and accountants.
Because consumer information is everywhere, and collected in so many ways, companies can reduce fallout from breaches by collecting and keeping the minimum necessary information for the least amount of time possible. Too often, when breaches are discovered, companies find the information that was compromised was old and unnecessary. Establishing and following a document-retention policy helps companies improve data minimization.
Business needs and legal requirements vary, but all companies can enact measures to review and delete old information. For electronic data, they can set up systems to report and delete files older than what they are legally required to keep. Physical data requires a manual review, but those responsible for conducting those reviews can set calendar notices for periodic review and deletion.
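The report-then-delete system described above for electronic data can be as simple as a scheduled script that applies a per-directory retention period, reports what has expired, and deletes only when a reviewer explicitly turns off the dry-run mode. The following is an added example written for this article, not code from the article or its author; the directory names, retention periods and sample files are constructed for illustration, and real retention periods come from the company's own document-retention policy and legal requirements.

```python
"""Retention review helper: report and, when explicitly enabled, delete files
older than a per-directory retention limit.

Added example for this article, not code from the article or its author.
The directory names, retention periods and sample files are constructed for
illustration; real retention periods come from the company's own
document-retention policy and legal requirements."""
from __future__ import annotations

import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

SECONDS_PER_DAY = 86_400


@dataclass
class RetentionRule:
    directory: Path
    keep_days: int          # maximum age allowed for files in this directory
    description: str        # label used in the report


def find_expired(rule: RetentionRule, now: float | None = None) -> list[Path]:
    """Return files under rule.directory whose modification time is older
    than rule.keep_days. Modification time is only a proxy for age; a
    system with a real records index should use the record's creation date."""
    now = time.time() if now is None else now
    cutoff = now - rule.keep_days * SECONDS_PER_DAY
    return [p for p in sorted(rule.directory.rglob("*"))
            if p.is_file() and p.stat().st_mtime < cutoff]


def apply_retention(rules: list[RetentionRule], dry_run: bool = True,
                    now: float | None = None) -> dict[str, list[str]]:
    """Report expired files for every rule and delete them only when
    dry_run is False. The returned report (description -> file names) is
    worth retaining itself: it is the evidence that the policy was followed."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        expired = find_expired(rule, now)
        report[rule.description] = [p.name for p in expired]
        if not dry_run:
            for p in expired:
                p.unlink()
    return report


def build_sample_store(root: Path, now: float) -> list[RetentionRule]:
    """Create a constructed sample layout with backdated modification times."""
    layout = {
        # (directory, keep_days, description): [(file name, age in days), ...]
        ("invoices", 7 * 365, "Invoices (7-year retention)"): [
            ("invoice_2015.pdf", 9 * 365),   # older than 7 years -> expired
            ("invoice_2023.pdf", 1 * 365),   # within retention -> kept
        ],
        ("web_logs", 90, "Web server logs (90-day retention)"): [
            ("access_old.log", 120),         # older than 90 days -> expired
            ("access_recent.log", 10),       # within retention -> kept
        ],
    }
    rules = []
    for (dirname, keep_days, description), files in layout.items():
        directory = root / dirname
        directory.mkdir(parents=True, exist_ok=True)
        for name, age_days in files:
            path = directory / name
            path.write_text(f"constructed sample content for {name}\n")
            mtime = now - age_days * SECONDS_PER_DAY
            os.utime(path, (mtime, mtime))
        rules.append(RetentionRule(directory, keep_days, description))
    return rules


def run_demo() -> dict[str, object]:
    """Build the sample store in a temporary directory, run a dry-run report,
    then apply the policy for real and return what happened."""
    now = time.time()
    root = Path(tempfile.mkdtemp(prefix="retention_demo_"))
    try:
        rules = build_sample_store(root, now)
        dry_report = apply_retention(rules, dry_run=True, now=now)
        after_dry = sorted(p.name for p in root.rglob("*") if p.is_file())
        apply_retention(rules, dry_run=False, now=now)
        remaining = sorted(p.name for p in root.rglob("*") if p.is_file())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"dry_report": dry_report, "files_after_dry_run": after_dry,
            "files_after_delete": remaining}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The dry-run report is the step that makes this safe to schedule: a reviewer can confirm that nothing subject to a legal hold or an open consumer request is on the list before the deletion pass runs. Note that the script only reaches the copies it can see; backups and copies held by vendors, which the article calls out as the hard part of deletion requests, still need their own retention arrangements.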
Where the Momentum Is Headed
Although existing consumer privacy laws grant exceptions to industries like healthcare and finance and to other companies based on their revenue, passage of additional laws — including a federal one — is on the horizon. The movement is gaining critical mass and Arizona companies serving consumers in California, Virginia and Europe are already vulnerable. Knowing that Arizona and federal laws are coming, companies must start preparing privacy policies, mapping data and practicing data minimization to protect themselves.
Coppersmith Brockelman’s Scott Bennett is among the state’s leading attorneys representing hospitals and healthcare providers. His knowledge about data privacy and security, especially where it comes to HIPAA and protecting sensitive healthcare information, helps companies comply with the complex web of federal and state laws and regulations.
Did You Know: According to IBM, the average data breach costs businesses $3.92 million and takes almost a year to detect and contain.