In the final installment of a three-part series exploring regulation at the turn of the year, our friend Alex Reynolds, Counsel at Davis Wright Tremaine, joined the collective to discuss what privacy officials learned from 2020 and what to expect for privacy regulation in 2021.
If you haven’t seen or read the previous features from our series, catch up here:
- Read part one: The Privacy Regulatory Landscape in 2020
- Read part two: 3 Key Trends for 2020 Data Breach Regulations
- More of a movie buff? Watch the webinar here.
Ready? Let’s dive in!
What’s Coming in 2021?
Looking ahead, the momentum privacy laws gained from the past two years shows no sign of losing steam. With a focus on how privacy is affected by remote workforces, organizations are racing to explore history’s largest work-from-home experiment and a few themes are emerging that could shape the privacy landscape in years to come.
Some likely drivers in privacy regulation include:
- Adoption of omnibus data protection bills at the state and international level
- Biometric and facial recognition, as evidenced by several state and even local regulators
- IoT security regulation, which saw recent POTUS involvement and will require national standards for reporting and guidelines of companies who employ IoT devices and services
- Individual privacy rights and how citizens can enforce privacy laws against organizations
If your organization struggles to determine where to allocate resources between current and upcoming regulations, Alex suggested a few key data points to help identify priorities.
Key relevancy indicators include:
- Identifying if a law has a cut-off for gross revenue or size which may not affect your organization
- The type of data being affected
- Consulting your data map to know what you’re specifically processing relevant to regulations
New American Regulation
The question remains if the United States will draft federal regulation, though the community consensus seems to desire such.
Alex posits that data privacy laws will continue gaining momentum through this year and will likely carry us through 2021 with a multitude of new regulations being discussed, written, and possibly passed. As far as a roadmap goes, at least 30 states in the US passed statues that were on the table for 2020, but a vast majority of planned new regulations did not pass amid disruption from COVID-19, among other factors.
This leaves a huge opportunity for these laws to be resurrected in 2021 which will impact organizational roadmaps for data governance, cookie controls and updated guidance.
What’s Trending in International Regulation?
With an increasing number of regulations taking shape at the state, federal, and international level privacy leaders are facing an increasingly fragmented legal landscape.
In the case of how Brexit will impact the new UK-GDPR and international compliance, there will be some crucial, practical changes that come with the transition.
As of next year, UK-GDPR will be effective and organizations will need to understand the difference between the European and UK economic area as it pertains to managing and transferring data. Breach notification will be impacted as well, given that the ICO will no longer be able to act as the lead supervisory authority under the GDPR. Organizations that carry out cross-border processing will need to consider which EU and EEA supervisory authority will become their lead authority.
In Canada, a bill is in progress that will update national regulation of consent, data subjects, and individual capability to access data. Bill C-11, which would enact the Consumer Privacy Protection Act (the CPPA) and repeal relevant provisions from PIPEDA, would impose harsh penalties for non-compliance. We’ll be keeping a close eye on this one, and reporting back as it develops.
Steps You can Take to Prepare for 2021
Privacy requires larger upfront investments than some other departments. As leaders look to the competitive and compliance landscape, replete with rapidly changing regulations, it can be easy to feel overwhelmed.
As with state and international regulation, preparation is key:
“The biggest takeaway from 2020 and the worldwide pandemic response has been that organizations who invested in privacy and were prepared to mitigate new regulations reaped the benefits of their foresight.” -Alex Reynolds
Finding new ways to create efficiency in your incident response and privacy management will pay off across the board. Here are some steps to take to position your privacy management for success in the new year:
- Start by listing every business process, product, or service you use that implicates personal information in some way using the broad interpretation of PII.
- Figure out where that data resides physically and logically. Using an AWS bucket? How about a service provider? Log it so you have a sense of where it comes from, where you store it, and where it’s going.
- Answer the questions to assess their relative criticality:
- What are your sources of info relevant to that business process?
- What are you using it for?
- Who are you disclosing it to?
- What is the status of that recipient?
- Leverage third-party software, which can organize this information for you.
No matter what laws a state may pass, with a well-considered incident response and breach notification strategy in place and the appropriate resources to navigate complex compliance laws across jurisdictions, compliance teams will be able to streamline work and keep their organizations agile for navigating new regulations in years to come.
Luckily, new tools are emerging to provide better capacity for organizations to deal with their myriad, ongoing responsibilities in parallel with managing incidents. As technology advances, more and more time will free up for professionals to mitigate risk in their organization and improve efficiency of their privacy team.
Webinar: Trends in Evolving Data Breach Regulations: The Year in Review
Report: Benchmarking Privacy Incidents 2020
Free breach law library: Breach Law Radar