The passing of regulatory compliance data privacy laws such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) has caused many companies to stop and rethink their data policies. And for good reason: fines for noncompliance can put many companies out of business.
By January of 2020, there were already $126 million in fines imposed by the EU under the GDPR. The California Attorney General started enforcing the CCPA on July 1, sending notices requiring companies to cure the violation within 30 days, or risk fines of $2,500-$7,500 per violation, per consumer whose data privacy rights were violated.
While these laws may seem like a nuisance to operating your business, the intent is to protect consumers and their data. In just the first half of 2020, there have been over 163 million people impacted by data breaches.
Don’t expect GDPR and CCPA to be the only data privacy laws that will be passed. Other U.S. states and countries are looking to implement similar policies. Brazil’s LGPD went into effect in February of 2020 (but don’t worry, you still have some time to become compliant with this one if needed). What do you need to do to improve your regulatory compliance in 2020?
Every year, we see countless instances of data leaks and exploitations, resulting in millions of people impacted by having their data compromised. The spirit behind recent data regulation laws is to protect consumers and their data. Companies are frequently requesting data from their customers that is not really necessary for their products and services.
For example, in the case of SaaS companies, it may be unnecessary to request a customer’s physical address, as an address isn’t needed to deliver your software. One of the first steps in improving your compliance with these regulations is to ensure you are only requesting the absolute minimum required information from your customer. If you can register accounts with just an email address, for example, don’t ask for a phone number.
You may find that there are multiple places or processes where you are requesting non-essential data from your customers. Be sure to audit each and every one and whittle down the requested information until you are at the minimum. This will help not only with compliance but also with minimizing data storage costs.
A main component of regulations such as GDPR or CCPA is a consumer’s right to know what data a company stores on them, as well as the right to have that data be forgotten. Customers can submit a DSAR (Data Subject Access Request), and companies have 30 days under GDPR, and 45 days under CCPA, to respond.
If your company is not prepared to handle DSAR requests and you miss this deadline, there can be hefty fines imposed that could be extremely detrimental to your business. To prepare your company and stay in compliance, it is vital that you have a clearly defined process for handling these requests.
First, make sure you have assigned team members to handle DSAR requests. You will want to make sure that it is clear who is ultimately responsible for responding to requests.
Next, make sure you have a clear process for your customers to request this information. Don’t bury the email address in your legal terms of service. Make it easy for customers to find where they can send DSAR requests or create an online form to ensure that you are not hit with any fines or complaints.
Make it clear where the necessary data is stored and how it can be accessed by those needing to respond to consumers. The last thing you need is for a data engineer to have to get involved to scour a database for you. This should be a straightforward and simple process, and a data intelligence tool can help make this easy for any level of user, from IT to legal or compliance roles.
Lastly, make sure your team knows how to relay this information back to the requester. You will want to convey the data in a secure manner so that it isn’t compromised during transfer.
It’s possible that you currently house more data than you realize. As companies have grown, we have seen that data systems become siloed, and it can be hard, if not impossible, for you to know what data you have and where it is stored.
To remain compliant, you must know not only what data you have but also how and where it is stored. Data should be accurately classified and structured in a way that is logical and simple for your teams to navigate through.
If your business is fairly new and you don’t have terabytes and terabytes of data already stored, take the time now to structure and map your data correctly. Don’t store data under erroneous names that only make sense to a handful of people, but instead have a clear naming convention that doesn’t require a 40-page document of definitions.
For larger well-established companies that already have dozens or hundreds of terabytes—or even petabytes—of data, a data intelligence and automation platform can help you find the files you need, apply classification tags, and streamline compliance, even if that data is dispersed across many storage locations.
As mentioned, we believe we are just seeing the beginning of regulations around data privacy and protection. As more and more businesses go online every year, data is growing exponentially. As you are getting ready for next year, think now about how you will regularly audit your data policies and processes. This cannot be a one-and-done event, as these laws will evolve and grow, as will your company and your data needs.
If your organization has a large amount of stored data that will be complex to audit, take time now to plan how to tackle that as soon as possible. You don’t want to be caught out of compliance before taking the necessary steps.
These data protection laws are in place to do just that: protect consumers and their data from nefarious breaches. It is the responsibility of organizations to take care when requesting and storing data of customers in their systems.
There are things that can be done right away to improve your compliance with these regulations. If your organization is struggling to manage your data, Aparavi has solutions that put you in control of your data. Contact Aparavi today and learn more about our data compliance solution.