The past, present and future of privacy—and how you should prepare
INSIGHT ARTICLE
We are witnessing a sea change in the risks companies take on when processing personal data. Historically, companies have focused on securing their own crown jewels—a task made increasingly difficult with the advent of cloud and mobile computing, the internet of things and the general disappearance of the traditional network perimeter. However, while that task is difficult, it is dwarfed by new challenges to protect data that belongs to individuals—consumers, for example—and ensure it is not only secure but also handled appropriately.
In this new security and privacy era, companies are liable for significant penalties even if no data breach occurs. Simply mishandling consumer inquiries can trigger regulatory action. Many organizations remain unprepared for the EU’s General Data Protection Regulation (GDPR), while the recent California Consumer Privacy Act (CCPA) caught others by surprise. Companies are beginning to realize that these privacy regulations will affect how they do business, but they might not realize more rules are coming as consumer data protection continues to take center stage.
With this evolving landscape in mind, we urge you to take a fresh look at your security and privacy program. To help you understand what’s coming, the following provides a summary of how we got here, what we’re dealing with now and a preview of where we think privacy is headed.
Past privacy regulations
Compared to current standards, previous U.S. privacy regulations were smaller in scope, typically focusing on specific industries and lacking robust enforcement mechanisms. Because of the generally narrow scope and lack of enforcement of these laws, many organizations historically did not see privacy as an urgent concern. For example, the Gramm-Leach-Bliley Act (GLBA) of 1999 was one of the first widespread federal laws to incorporate privacy considerations, but it only focuses on a very limited data set used by financial institutions, such as name, account number and driver’s license.
The health care field was another early adopter of privacy regulations. The Health Insurance Portability and Accountability Act (HIPAA) (1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH) (2009) outlined requirements for protecting the privacy and security of protected health information (PHI) and electronic PHI (ePHI). While the impact of HIPAA/HITECH was far reaching for health care organizations and those that work with those organizations, it covered only PHI/ePHI, not all personal data.
Despite the narrow focus of these laws, they laid the groundwork for privacy frameworks and foreshadowed what was to come.
Today, recent regulations have greatly expanded the scope and impact of previous privacy laws. Compared to the narrow, industry-focused privacy regulations of the past, current privacy trends represent a definite shift towards comprehensive privacy protections.
Unlike GLBA and HIPAA/HITECH, GDPR spans all industries and defines personal data extremely broadly. The law has already been in effect for two years, though it has only been enforceable since May 25, 2018. The fact that GDPR has only recently entered the consciousness of many organizations underscores the low priority companies have placed on privacy up to this point.
Despite being an EU law, GDPR directly affects the way many U.S. organizations do business. GDPR applies to “all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” Instead of a defined set of data elements, GDPR applies to any and all data that could be used, by itself or in combination with other data, to uniquely identify an individual—even if you can’t tell who that individual is. As an extreme example, a recording of someone’s voice constitutes protected personal data, because you can identify individuals by their voices.
Because of the complexity of GDPR, many organizations have not yet grasped the applicability of GDPR to their organization. According to RSM’s Middle Market Business Index Cybersecurity Special Report, only 20 percent of middle market executives believe GDPR is relevant to their business—likely far less than the actual number that is affected by it.1 The scope of GDPR extends far beyond the boundaries of the EU. It is global in reach and affects organizations around the world that might not be aware of its impact.
GDPR is technically in full force, though enforcement has barely started…yet. When penalties start to be levied regularly, organizations may see just how steep these fines can be—up to 4 percent of annual global revenue or €20 million (about $25 million at current exchange rates), whichever is greater. For middle market companies, the impact will be especially tough. For instance, companies with less than €500 million in global revenues will see maximum fines of €20 million—regardless of whether their revenue is €50 million or €500 million.
GDPR enforcement actions can be triggered simply by the mishandling of consumer requests—no breach is required. According to an SAS Institute survey of 2,000 UK and Irish citizens, a quarter have already tried to exercise their rights under GDPR, while half plan to exercise their rights in the coming year.2 Consumers are demonstrating that they are very much aware of their rights and ready to exercise them, and organizations with no mechanisms in place to respond to these requests will find themselves scrambling, in danger of falling out of compliance and at risk of losing public trust.
It is also worth noting that privacy scandals and data breaches that concern consumers all around the world could represent not just a lapse in security controls but a violation of privacy laws such as GDPR. It will be interesting to see how GDPR handles current and recent breaches going forward.
As with GDPR, the CCPA represents a big step in the realm of privacy here in the United States. CCPA was signed into law in June 2018, and enacted protections for the personal information of California residents. It mirrors some of the requirements of GDPR and in some instances, such as data subject rights, it expands beyond the subject rights included in GDPR. These extensions mean that companies can be GDPR compliant, but still exhibit exposures under CCPA law. The opposite is also true.
CCPA is fairly ambiguous because the legislation was rushed through in just six days. For example, “personal information” is defined very broadly to include “households” and “devices,” while data breach notification requirements defer to existing California law, which defines “personal information” differently. Because it was rushed through the process, we expect the CCPA to evolve, meaning organizations should be prepared for even more changes in the future. In fact, just recently, there were some amendments to CCPA, including one that postpones enforcement action from January 2020 until potentially July 1, 2020.3
On top of these growing privacy regulations, organizations are experiencing increased pressure from the public about their data handling practices. Consumers are more and more concerned about a number of present-day issues concerning their privacy: data being collected at every turn, constant data breaches, confusing privacy policies, news that social media data was used for political purposes, etc. These incidents bring discussions of privacy into everyday parlance. Average citizens—who generally don’t care about GLBA or HITECH—are pushing for increased accountability from organizations using their data.
The combined forces of expanding regulations and public pressure mean that, heading into the future, privacy will continue to take center stage.
With the plethora of new privacy laws that have come into existence recently, what does that mean for where we are headed?
The future of global privacy regulations
It’s clear that the push for stricter privacy laws is only going to get more intense. In fact, we are already seeing movement on this.
India recently introduced a comprehensive privacy bill that is based on privacy being a fundamental right.4 It emphasizes principles such as obtaining consent, providing for the right to be forgotten and collecting only the minimal data necessary, with potential that the law could apply to any entity (regardless of location) that processes data of Indian citizens. Likewise, Brazil is also moving toward a data protection and privacy law.5
The future of US privacy regulations
In the United States, some Senate Democrats are considering proposing what would be the first expansive federal privacy laws.6 While it may take some time before any of these proposals become law, this does show that privacy is beginning to be a top concern at the federal level. This attention is encouraged by technology companies that are not eager to see a patchwork of state privacy laws develop.
Additionally, other states may soon follow California in enacting their own state privacy laws. States such as Massachusetts7 and Texas8 already have certain privacy protections in place, with Texas’s law regarding PHI broader in scope than HIPAA. It may only be a matter of time until these protections are strengthened and expanded.
Preparing for the future
Organizations have made strides towards security, especially with respect to protecting against unauthorized access to sensitive data and systems. However, since data breaches and data misuse (or at least, use of data that users may not be aware of or consent to) are still prevalent, there is certainly still work to be done. Privacy—which governs how personal data is shared, used and collected to begin with—has largely remained in the background.
Organizations are tasked with managing multiple privacy frameworks and may be unprepared. In fact, RSM’s Middle Market Business Index Cybersecurity Special Report revealed that only 12 percent are “feeling good” about their GDPR/privacy status, 30 percent have done some work but still have a ways to go, and 58 percent have done very little or do not plan to address GDPR at all.9 According to the report,10 45 percent of executives admit that complying with GDPR requires a major effort by their organization. Since privacy regulations are only going to continue to grow, many organizations will have substantial work to do.
Prioritizing privacy will be a challenge for many organizations. GDPR and the CCPA will have such a major impact on so many organizations because they represent a fundamental shift in the way they view—and thus protect—data. In the United States, data is viewed by most organizations as a company asset, rather than a potential liability (i.e., the more data, the better).
Additionally, data is thought of as being owned by the entity that collects it, not the individual. These new privacy laws make it clear that ownership falls with the individual, not the company. Therefore, entities that use this data have an increased responsibility to protect it—and they will be held accountable. This shift towards privacy could very likely involve a change in the way many organizations operate from a process and technology perspective—and could alter business models.
As you face this future of increased privacy requirements, it is easy to get overwhelmed. An external, trusted privacy advisor can help you understand your current state of privacy compliance and get you ready for what lies ahead. In order to maintain compliance with growing privacy regulations and preserve trust with your customers, it is important to have a robust privacy program and take steps to prepare for a future where privacy is a priority.
1 “RSM Middle Market Business Index Cybersecurity Special Report,” RSM US LLP, accessed Nov. 27, 2018.
2 “SAS Survey: A quarter of UK and Ireland consumers have already exercised GDPR rights,” SAS, accessed Nov. 27, 2018.
3 “SB-1211 California Consumer Privacy Act of 2018,” California Legislative Information, accessed Nov. 27, 2018.
4 “White paper of the committee of experts on a data protection framework for India,” Government of India, accessed Nov. 27, 2018.
5 “Brazil’s Senate Passes General Data Protection Law,” Hunton Andrews Kurth, accessed Nov. 27, 2018.
6 “Potential Policy Proposals for Regulation of Social Media and Technology Firms,” U.S. Sen. Mark R. Warner, accessed Nov. 27, 2018.
7 “201 CMR 17: Standards for the protection of personal information of residents of the Commonwealth,” Commonwealth of Massachusetts, accessed Nov. 27, 2018.
8 “Learn about your rights to the privacy and security of your health information,” Attorney General of Texas, accessed Nov. 27, 2018.
9 “Why middle market cybercrime is up and how to avoid being a target,” RSM US LLP, accessed Nov. 27, 2018.
10 “RSM Middle Market Business Index Cybersecurity Special Report.”