Padlock icon on a computer keyboard representing data privacy. Companies have a responsibility to protect consumer data that they collect and use.

More people want data privacy rules. 

According to a 2019 report, 81% of consumers say they have become more concerned about how their data is used online, and 87% say they’ve come to believe companies that manage personal data should be more regulated. 

As individuals, many of us worry about our data privacy, but we’re still not very good at paying attention to the privacy notifications that pop up on websites these days. It would be a whole lot easier if we could all just own the rights to our personal data. But that’s a little more difficult than owning a house which is a physical thing. Data is intangible. We don’t actively give it to companies; companies collect it every time we visit their website, watch a YouTube video, like something on Facebook, or type a password into a login page.

All of this is to say that data is a tricky thing to manage. And because more people are worried about it, there’s been a larger push to regulate how companies collect, use, and protect it. 

What is your regulatory burden?  

Today, all companies that operate in the United States have regulatory (general business) requirements when it comes to the retention and practical use of data. But what are these requirements? And what kind of data are we referring to? 

In the United States, regulatory data requirements are enforced at the federal level, state-based level, and/or local level. The General Business Requirements mainly work with how long a company must retain certain records and information (for example, tax records). These requirements can also be industry specific (for example, HIPPA or GLBA are two prominent examples). All these types of regulatory requirements go well beyond just retaining the information, they dive deep into how to  protect and properly use sensitive information or data. And when we talk about ‘data,’ we mean both physical forms of data (like documents, deeds, and contracts) as well as digital forms. And it’s this latter category of data that poses greater concern for people or individuals.  

In the early to mid-2000’s, the federal rules for civil procedure were launched in the United States. And these rules and guidelines explored what this ‘regulatory burden’ looks like when applied to digital information and investigations or litigation. For example, how is this type of data produced? And how long do companies need to maintain it? If you’re familiar with the E-discovery (or electronic discovery) process, the federal rules for civil procedure are the same as the E-discovery laws. The E-discovery process is essentially a procedure by which parties involved in a legal case must preserve, collect, review, and exchange information in electronic formats for the purpose of using as evidence. These rules and practices were the reactive foundation for digital data responsibilities placed on companies.  Now, states are also developing and adopting data protection rules, laws, and guidelines that extend beyond this: general business requirements for data retention, industry-specific requirements for retention, protection and proper use, as well as civil procedure rules for investigations and litigation.   

 And what does this mean for your company?  Increasingly, businesses have additional regulatory burden to produce, maintain, store, and protect more kinds of digital information. The new rules are more specifically designed to protect consumers against unfair or deceptive practices (like a company’s failure to comply with their published privacy promises, failure to provide adequate security of personal information, or deceptive marketing methods) and to enforce standardized data protection laws. 

More power to the people. 

Thanks to emerging data requirements in the States, people are gaining more power over their personal data. Consumers receive an additional right to any information that a company possesses about them. That means they may have the legal right to request companies to remove or expunge their data and make it so that a company no longer has access to that information anymore. There are also steeper penalties for data breaches. Individuals must be notified within a certain period of time if their data has been leaked or put at risk. And these consequences mostly come in the form of fines.  

 Today, more people have access to data rights and protection across different States and industries than ever before, making it easier for individuals to take legal action against businesses in certain states if they are not complying with data protection laws. In fact, every State today is either currently building or adopting a protection guideline or rule around data privacy. The California Consumer Privacy Act (CCPA), for example, is one of the most robust State legislations out there pertaining to data privacy. Enacted in 2018 and due to be enforced starting on July 1 2020, it takes after the European Union’s GDPR requirements and its impact has been deeply felt. For example, large companies operating in the California economy are heavily focusing on CCPA because of the serious risks and responsibility introduced by the new legislation. 

What are the top 3 actions your company can do to remain compliant?  

As information comes into your organization, you are automatically obligated to have care, custody, and control over it—even if you end up doing nothing with that data. If you have it, you are responsible for it. So, to ensure that your company matures with data privacy or data retention laws, we recommend starting with these three things:   

1. Provide consumers and employees with a consent and disclosure form  

The first best thing your organization can do is be upfront about how you collect and use data and then ask a user’s permission to do exactly that. Transparency is key when it comes to managing someone’s data and it will create good rapport with users who now understand what the expectations are. You can provide consent and disclosure forms anywhere from email tags to website landing pages or pop ups.  

2. Define a data sensitivity scheme that works for your business

What information do you have? Where do you put that information? Building out an inventory of every piece of data and creating categories of sensitivity (is this data something highly sensitive?) is a great way to stay on top of all of your data and provide the necessary protections. For example, distinguish between what types of data are public and have low sensitivity vs. other kinds of sensitive data categories such as “employee sensitive,” “customer sensitive,” or “business sensitive.” Once you create a simple schema, the next step will be to map it to the data you already have today.  

3. Only collect, use and store the information that you need 

In order to know how to index and search for information, you need to map your sensitivity schema to the data that your company currently maintains. If you, for example, have backups of sensitive data, you need to know where those backups are stored. By having a legacy model of what information you have and where it is located, you are prepared to comply with any data inquiries and can start taking proactive action about what happens to certain types of data. Maybe certain types of sensitive information are no longer going to be put in this system. Or maybe you plan to delete your email after 90 days. Now you know exactly how each piece of data is processed and where it goes. 

Every company in the United States is probably at risk when it comes to federal and state-based data requirements. And the consequences for that risk are growing; now with these new privacy rules in place, individuals can more easily make a request for data being collected on them. And they don’t have to expend much money or energy to do that. As more and more digital information about customers and employees is exposed, companies are going to start seeing more regulatory oversight, including citations and litigations. So, in order to ensure that your company stays protected, it’s crucial to follow our 3 rules to better maintain and protect every piece of data in your possession. Another good practice is to also embrace better security solutions that prevent your company from falling victim to a data breach. 

How does Microsoft 365 or Office 365 suite help you stay secure?  

Both Microsoft solutions will enable you to protect your sensitive data that is stored inside those services. Microsoft uses GDPR as an example model given that it is the most comprehensive data protection law out there, but you can apply the same process for discovering, classifying, protecting, and monitoring personal data to achieve compliance with many other regulations.

For more information, read more in Microsoft’s Overview of Office 365 Information Protection for GDPRIf you have any further questions or concerns about data privacy, contact TechWise Group today.