Proactive Privacy: How to Prepare for Upcoming Privacy Legislation

This is a guest post from Dr. Heather Mark over at Sphere. Heather oversees internal compliance and security, building on the strong foundation to mature and evolve the program. Previously, she served in various senior leadership roles, most recently at a wholly-owned subsidiary of a global payment processor, card issuer, and merchant acquirer.

Proactive Privacy: How to prepare for upcoming privacy legislation

The California Consumer Privacy Act—or, as it’s been dubbed by many, “GDPR Lite”—marks the first time the US has really dealt with legislation solely focused on the protection of privacy.  While privacy has been addressed in legislation (HIPAA Privacy Rule, GLBA Privacy Rule), it’s typically been confined to specific industries (healthcare and finance, for example).

The CCPA more broadly deals with the requirements of fairly dealing with personal information in that it is not tied to or targeting a specific industry.  Its target is any company doing business in California. 

What’s more remarkable about the CCPA is that it marks a sea change for US privacy regulation.  Tired of waiting for an omnibus federal law that has seemingly been in the works for decades, state legislatures are taking the initiative in addressing the appropriate use of personal information.  Since 2018, 11 states have proposed new legislation and three (California, Nevada, and Maine) have passed bills into law.

With all of that momentum, it can be difficult for an organization to know what steps to take first.  But here are 5 steps that organizations can take to be ready to address forthcoming laws, regardless of what state they’re in.

Data Flow and Categorization

It sounds cliché, but you can’t protect what you don’t know you have.  So the first step that is typically suggested is doing a data flow or data mapping.  This helps you to determine where the date is coming from, how it’s being used, and who you might be sharing it with.  You may find that you’re collecting more data than you need, or that you’re sharing it with vendors that don’t need it. 

Limit Collection of Data

Another old axiom in the data security and privacy business is “don’t collect what you don’t need.”  To put it simply, it’s difficult to disclose or inappropriately use data that you don’t have.  Once you’ve done a data mapping exercise, you can review this with your team to determine which data is strictly needed as opposed to “nice to have.”  Moreover, many of the fair information practices are built on the notion of only collecting the data that you need to complete transaction with the individual. 

Disclosures

Transparency with your constituency about what data you’re collecting and when, and how it’s being used is one of the simplest, but most important, steps that can be taken with respect to privacy.  Visitors to your site, and consumers of your product or services, can’t make informed decisions about sharing their data if they don’t understand how that data might be used. Providing clear and concise information about your information practices helps to engender trust and stands you in good stead with legislative privacy regimes.

Awareness and Training

In today’s economy, most of our businesses and nonprofits run on data.  Whether we intend to or not, we become dependent on data transmission, data analysis, data storage, and data collection.  That means that everyone in our organization is going to come into contact with personal data at some point.  Given that fact, it’s important that your team knows what data is considered sensitive, and how that data is to be treated. An important part of training, that can be easy to overlook, is how to report a potential incident.  For example, what should be done in the event that someone has emailed a payment account number? 

Partner Agreements

Organizations enter into partner and vendor agreements on a frequent basis. Such relationships, whether intended or not, act as implicit endorsements of our partners and vendors.  Our customers, donors, and other constituents expect that our partners and vendors offer the same level of protection for data that our own organizations do.  Additionally, these partners may have access to data that requires protection.  For these reasons, it’s imperative to have a strong vendor or partner due diligence process that includes an evaluation of privacy and security practices. 

Conclusion

The privacy landscape in the US is undergoing rapid change.  Legislation is being proposed and passed at an impressive click.  Further, greater levels of public awareness of privacy practices means greater levels of scrutiny for organizations that collect or store personal information.  Fortunately, there are some common tenets for privacy practices that can allow organizations to develop and implement proactive privacy programs to protect their vital information assets. For more information on privacy frameworks that can help you address forthcoming legislation, you can visit these resources:

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Privacy by Design: The 7 Foundational Principles

Generally Accepted Privacy Principles

Want to learn more?

This guest post touches on a few steps you can take to keep your donors’ information safe. If you want to learn more about legislation like the CCPA, why donor data privacy is important, and how you keep your donors’ information safe, we can help!

Watch our free webinar with Heather Mark! She oversees internal compliance and security at Sphere, and she has a knack for explaining data security best practices in simple, accessible terms. Her webinar will cover steps you can take to keep your information safe, how to build proactive privacy policies, and more!