January 28th is Data Privacy Day – an annual, international event to promote privacy and data protection best practices for both consumers and businesses.
Here at Octillo, every day is Data Privacy Day. Our premier team of highly skilled attorneys and technologists works with businesses day in and day out on all things data privacy. With our unique experience and expertise, we assist clients in building out privacy and data security compliance programs from the ground up, responding to headline-making national and international data breaches and cyber incidents, navigating the wide range of state, federal, and international regulatory regimes, and so much more.
For this year’s Data Privacy Day, we put together a list of the top five things that businesses can start thinking about when addressing privacy in 2022:
1. Data Rights and What They Mean for Your Data Management
The European Union’s General Data Protection Regulation (GDPR) comes with, amongst many other things, a number of data subject rights, including the rights of access, rectification, erasure (otherwise referred to as the “right to be forgotten”), restriction of processing, and data portability, the right to object, and the right not to be subject to a decision based solely on automated processing. At the domestic level, the California Consumer Privacy Act (CCPA) also includes its own set of data subject rights, including the rights of access, opt-out of the sale of personal information, and deletion. The upcoming California Privacy Rights Act (CPRA), which amends and expands on portions of the original CCPA, adds the right for consumers to limit the use and disclosure of sensitive personal information. Both Virginia and Colorado enacted their own comprehensive privacy laws set to go into effect in the next 18 months – each with its own set of data subject rights.
As 2022 progresses and as 2023 approaches, businesses should stay up to date with upcoming privacy laws and their respective data subject rights. In addition to data rights included in the aforementioned regulations, consumers in 2022 are increasingly invested in what companies are doing with their data. Developing and implementing data access request procedures is both a step towards compliance with privacy regulations and a way to demonstrate that your organization values consumer privacy.
2. Data Mapping
From a regulatory compliance standpoint, obtaining a complete and accurate picture of your organizational data landscape is essential. Part and parcel of compliance with major, comprehensive privacy laws, such as the GDPR and the CCPA/CPRA, is determining the scope and flow of data into and within your organization. For example, from whom is personal data being collected? To whom is that personal data going? What categories of personal data are being collected? When is it being collected? For what purposes is that personal data being collected? And where does it sit within the organizational infrastructure?
Data mapping is an extremely useful exercise for a business to understand its own data flows. In 2022, as privacy law continues to develop on both a national as well as an international scale, businesses should take the critical step to develop a data inventory and a data map.
3. Governing Your Privacy
Developing a privacy compliance program is important, and so is implementing those privacy policies and procedures into your daily operations. What does it mean to “govern your privacy”? After understanding data rights and mapping your data, the next step in the process is taking proactive measures to understand your privacy requirements and implementing data governance principles to comply with applicable laws and regulations. Data governance refers to an organization’s ability to understand its data flows and stakeholders, to handle data effectively and properly at all points of the information lifecycle, and to develop access privilege controls and accountability measures. In 2022, consider data governance principles when assessing how to protect and handle your data to comply with the major, comprehensive privacy laws.
4. The Good, Bad, and Ugly of Cookies
Another key consideration for businesses is their website’s cookie consent banner. For example, in the first week of January, France’s data protection authority (the CNIL) announced fines against Google and Facebook for €150 million and €60 million, respectively, for failures to make the rejection of cookies as easy to do as the acceptance of cookies. These fines follow on the heels of the CNIL’s November 2021 guidance, in which it reminded businesses that users must be able to “choose freely and in an informed manner to be the object of a tracking not strictly necessary for the provision of the requested service” and “to refuse such tracking.” Businesses should anticipate cookies and online data tracking to continue to be an area of focus for regulatory authorities and should take care to ensure that cookie consent banners are compliant with the varying applicable laws.
5. Annual Review of External Website Disclosure Policies and Notices
Businesses that are subject to the CCPA are required to update their privacy policies “at least once every 12 months.” Not only is an annual review of external website disclosure policies and notices required, but such a review presents an opportunity for a business to take stock of its data collection and processing practices and to ensure that any policies or notices reflect current activities. Furthermore, the privacy landscape is constantly evolving. New laws and regulations enter the playing field, while updates are made to existing ones. The four above-mentioned considerations can help businesses prepare for an annual review of privacy policies, and the review itself can help businesses stay up to date with current data practices and legal developments.
Conclusion - Data Privacy Day
In the spirit of Data Privacy Day, we hope that you take the time to think about how privacy impacts your business and about the key data privacy and security considerations for 2022. Given that privacy compliance is a constantly evolving and long-term endeavor, we hope that you continue to engage with data privacy beyond Data Privacy Day. Octillo attorneys are committed to providing updates on relevant legislation, current threats, and proactive data security steps.
*Attorney advertising – prior results do not guarantee future outcomes.