Privacy Regulatory Trends: The Personal Information Explosion
Blog summary [5-minute read]
- The Pandora’s box of personal information
- 3 proactive steps to organize compliance risks
- Making time with new efficiencies
Read more below.
- Any other identifier that permits the physical or online contacting of a specific individual
- Information concerning a user that the website collects online from the user and maintains in personally identifiable form in combination with any of the above
Think of the technologies that now fall within those two categories. IoT devices such as smart cars, smart appliances, medical monitors, and personal digital assistants can now be hacked to track and contact individuals. How many companies are providing services through and have customer information tied to smart devices?
With the explosion of social media, online learning, dating apps, etc., think of all the types of personal information that websites gather online. Even with encryption and de-identification, the low cost of computing and the power of today’s AI increase the risk of all kinds of data being traced back to an individual.
To increase personal protections, subsequent laws in the U.S. and around the world have expanded definitions of personal information. For example, GDPR mentions information on a person’s “genetic, mental, economic, cultural, or social identity.” California’s new CCPA, effective January 2020, includes information about online activity, geolocation data, plus visual, thermal, and olfactory information. Other additions to the U.S. and global definitions in 2020 included more biometric data and unique keys used to sign or authenticate electronic records.
The more data that’s protected under privacy regulations, the greater the likelihood of reportable incidents. How can privacy teams and their organizations streamline incident response to stay in compliance?
A Proactive Approach to Compliance
Definitions of personal information are likely to expand as consumers manage even more of their lives online. And as businesses gather and use more personal and sensitive information, privacy teams will have to be proactive in helping their organizations manage compliance risks:
- Partnering with business functions: As businesses find more ways to gather and leverage customer information, privacy teams need to be involved in planning new products and data initiatives, helping ensure that personal and sensitive information is identified and information systems are architected to protect it from the start. It may even be possible to find alternatives to collecting personal information, as one franchise business has successfully done with its advertising.
- Data mapping for risk and incident management: As personal information has expanded, notification timelines have shortened. To meet notification deadlines, privacy teams need to ensure that data maps are created and maintained. When incidents occur, the team should be able to determine immediately the data involved, how it was protected, and the risks involved.
- Updating disclosure policies: Expanding data definitions have also created expanded requirements for disclosure. For example, as outlined by the National Law Review, the California Privacy Rights Act (CPRA) has two new disclosure obligations: 1) sensitive personal information must be included in the notice of collection to consumers, and 2) if sensitive personal information is used or disclosed for any purpose other than providing services or goods requested by the consumer, the business must notify the consumer of the intended use or disclosure, the consumer’s right to limit it, and an easy opt-out mechanism. GDPR has similar requirements but allows other uses only if consumers opt in. Privacy teams will need to work with business teams to ensure that disclosures are kept up to date with regulatory requirements and presented to consumers as required.
Creating Time to be Proactive
In addition to the efforts described above, expanded definitions of personal information may increase the volume of incidents requiring assessment and the number that are determined to be notifiable. And different definitions in different jurisdictions will add to the complexity of incident assessment.
To ensure compliance while proactively managing new risks, privacy teams will need to find new efficiencies in routine work such as incident response. Data mapping should be a priority, as an accurate data map will speed incident assessment and risk analysis. Automation of incident response will also pay off in faster assessment and analysis. Look for tools with:
- An automated incident intake process that captures all the details you need to assess risks around different kinds of personal and sensitive information
- An intelligent legal engine that can assess current risks and requirements for regulations across multiple jurisdictions
- Data visualization, dashboards, and benchmarking that make it easy to track where incidents are happening and what kinds of personal information are involved
People worldwide are demanding better living through digital technology, and–to beat another cliché–you can’t stop progress. But as new personal information springs up and multiplies out of every activity, from grocery shopping to health, proactive privacy teams can make sure new PI definitions don’t become their headache.