Stay Ahead of the Growing Data Protection and Privacy Wave

How can you avoid common pitfalls in the ever-changing data protection and privacy landscape?

Since the introduction of the European Union’s (EU’s) General Data Protection Regulation (GDPR), which has an expansive reach, U.S. businesses have faced comprehensive and unprecedented data protection and privacy considerations. When the GDPR became law, there were no such laws (federal or state) in the United States, and U.S. businesses questioned the GDPR’s applicability. Since then, U.S. states have taken it upon themselves to bring a wave of new data protection legislation, forcing U.S. businesses to consider the topic yet again—and this time it’s in their backyard.

Over the past five years, 12 new comprehensive U.S. state privacy laws have passed. And more are in the pipeline. Consider, for example, the influx of bills introduced recently—in 2018, only two bills on this topic were introduced, compared with the 59 introduced in 2023.

This wave is not limited to the United States; in recent years, at least 10 countries have enacted new laws or amended their current laws to take a more comprehensive approach. And the wave is likely to gain momentum: The IAPP 2023 global legislative predictions report expects parliaments around the world to continue introducing new legislation or building on existing legislation, and according to the United Nations Conference on Trade and Development, an additional 9 percent of countries have draft legislation on the table. Gone are the days when businesses (especially in this interconnected world) can ignore comprehensive data protection and privacy laws without placing a certain level of risk upon themselves.

How should corporate treasury, finance, and risk managers navigate this ever-changing data protection and privacy landscape? Here are seven pitfalls that businesses commonly fall into.

1. Pushing it off until “another day.” Sticking your head in the sand is not the best approach. If these laws do not yet impact your business, it is only a matter of time before they will. Becoming compliant doesn’t happen overnight. But the upside is: If a business has started making real efforts toward compliance, enforcers have thus far been less likely to “throw the book at them.”

However, it’s important to note that, as time passes and businesses have time to get their processes in order, enforcers’ compliance expectations will increase. Not only can civil penalties for non-compliance add up quickly—U.S. state civil penalties range from $2,000 to $20,000 per violation—but consumers care about how a business handles their information. A 2023 IAPP privacy and consumer trust report found that nearly 68 percent of consumers are either somewhat or very concerned about their online privacy.

2. Avoiding the rules because they’re “B2B” businesses. Generally, it is true that the protections and rights under these laws apply primarily to consumers, but in at least one state the protections also apply in commercial and employment contexts. Not to mention, their reach is expansive.

B2B businesses must consider, for example, what and whose information their website collects and analyzes; how customers use their products or services; and what requirements they have with their customers or vendors. Once you complete this exercise, you may be surprised to find just how much of an impact these laws have on your organization.

3. Ignoring requirements because they don’t do business in the states with this comprehensive approach. A business need not be based in a state to be impacted by its data protection and privacy laws. For example, a company’s website may track and collect information on visitors who live in other states (or other countries). Likewise, through interstate commerce, a company may do business in a state with such laws; it may engage in cross-border data transfers (i.e., it may move data between the United States and the EU); or it may have contractual obligations with vendors or customers in a geography with strict data-privacy laws.

4. Deciding to just “wing it.” Unlike the businesses that push compliance efforts off to another day, some companies have no plan for implementing compliance processes at all. Instead, their plan is to “wing it” if and when they receive a data subject request or questions from a customer or enforcement body.

Understandably, we all get inundated with buzzwords like “data collection and sharing,” “opt-in” or “opt-out” consent, “data minimization,” and so on, but it’s important not to underestimate the heavy lift that comes with executing these tasks. According to the Transcend 2022 state of data visibility report, the amount of data that a business manages has increased at least tenfold in recent years. Couple this with the fact that about two-thirds of businesses do not have an accurate picture of the data they hold (according to the same Transcend report) and you begin to see the problem: A business cannot possibly know what data it has, why it has it, or where it has it, let alone ensure that data it holds unlawfully is deleted. So it is nearly impossible for businesses (which continue to collect more and more data) to “wing it.”

5. Failing to incorporate data privacy considerations in product design. Data protection and privacy laws cover personal data regardless of where it lives. For many businesses, privacy considerations are not part of the product-design process. But for companies that offer products which control or process personal data (e.g., “smart” devices, SaaS providers, etc.), this presents a problem. They do themselves a disservice if they don’t pause to consider the potential implications these laws may have on the data their products collect, store, or manage and their customers’ use of that data.

6. Ignoring the risk of rogue vendors. Data protection and privacy laws apply not only to a business’s own operations, but also to data processing and handling by its vendors. This requirement can include specific contractual obligations, auditing rights, and so on. So, a business must pay attention to what its vendors are doing and include appropriate obligations in its contracts.

7. Assuming the organization is too small to be impacted. Many data protection and privacy laws exempt businesses that do not meet certain thresholds—e.g., minimum revenue amounts, percentage of revenue from sale of data, etc. However, that is not the end of the analysis. In many cases, data-protection requirements may find their way into other aspects of even the smallest business, including through contracts with other entities that must comply or as a “processor” of personal data.

So, how can you and your organization best navigate privacy compliance efforts in our interconnected and data-driven world? First and foremost, you need to undertake data mapping. It is fundamental to executing key compliance tasks like processing data-subject requests, minimizing and retaining data appropriately, identifying risky data processing, assessing data risk, and navigating new regulations by way of gap analysis.

Secondly, your company needs to recognize that compliance is a team effort. The right players must be on the team for your business’s compliance efforts to be successful. Legal and compliance, IT, and security, as well as representatives from the sales/marketing and operations teams should all be involved in the discussion.

Finally, you do not have to reinvent the wheel. Businesses can leverage existing standards and frameworks to help establish processes and overall privacy compliance (e.g., ISO 31000, ISO/IEC 27557, NIST Privacy Framework, and U.K. Information Commissioner’s Office Accountability Framework).

While the complexity and scale may vary, all businesses that process personal data must wrestle with data protection and privacy risks. The above tips provide a few basic steps to help jumpstart a business’s compliance processes to identify, quantify, and prioritize risks that emerge in this ever-changing data protection and privacy landscape.

P.S., a large elephant that has recently entered the data protection and privacy room is artificial intelligence (AI). AI can be leveraged to help accomplish privacy compliance requirements but presents its own set of challenges when used by a business in its daily operations. Suffice it to say, proceed with caution.
Nicole M. Danner is an associate with Wisler Pearlstine and a member of the firm’s business, corporate, and tax and data privacy and cybersecurity practice groups. She focuses her practice in the areas of commercial contracting, data privacy and security, corporate governance, emerging regulatory issues and risk avoidance, and other general business needs. To learn more, visit www.wislerpearlstine.com.
From: The Legal Intelligencer