When it comes to managing cybersecurity risk, approximately 35 percent of organizations say they only take an active interest if something bad happens. But in order for businesses to maintain compliance with major privacy laws, they have to have security measures in place before an attack. The regulations from GDPR, PIPL, and CCPA are especially prevalent to MSPs and software vendors because they get access to data from so many organizations, but all businesses need to comply with them.
- PIPL Compliance
- CCPA Compliance
- GDPR Compliance
- How to Stay Up to Date with Changing Compliance Regulations
China’s new data privacy law just went into effect in November 2021. Here’s what you need to know.
What is PIPL?
China’s Personal Information Protection Law (PIPL) is legislation that aims to outline and protect appropriate uses of personal data. PIPL provides a protection framework for the data of Chinese citizens. It defines sensitive personal information as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).
Who Does PIPL Affect?
PIPL affects businesses located in China, that do business in China, or store the personally identifiable information (PII) of Chinese citizens. If the organization is planning to transfer data across borders, it must let the affected individual know, ensure that the receiving entity can provide the required privacy protection, and perform an impact assessment on possible consequences of the transfer.
Also Read: Top 9 Data Loss Prevention (DLP) Solutions
PIPL Compliance Checklist
If your business is affected by China’s PIPL, here is what you need to stay compliant:
- A dedicated representative in China. If your organization isn’t located in China but holds data on Chinese citizens, you must establish either an office or designated representative in China and register that information with the appropriate government officials.
- A lawful basis for the information you gather and use. PIPL includes several lawful reasons—necessary for a contract, legally necessary, related to an emergency, related to public interest, or previously disclosed data—that businesses can gather and use data without the consent of the individual. If none of those are applicable to you, then you need to get consent from each person you’re keeping data on.
- An incident response plan. Data breaches are an unfortunate reality of doing business in today’s technology-based world. You need to have an incident response plan in place to quickly identify and resolve the breach and then notify the affected parties.
- Detailed privacy notices. Before storing or processing PII, you must offer individuals detailed privacy disclosures that explain why you need the data and what you will use it for. It should also include how you plan to process the data and the contact information for the data controller in case the individual has questions or concerns.
- The chance for each individual to remove their consent. If you’re currently storing data on individuals that haven’t given their consent and it doesn’t fall into one of the appropriate use categories, you need to give those people the option of withdrawing their consent. Additionally, individuals who have given their consent should be able to reverse that decision at any time.
Also Read: Top GRC Tools & Software for 2022
California’s data privacy act has been in effect since the start of 2020.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a law that offers individuals more control over their PII and how businesses can use it. It gives consumers the right to know what information businesses are storing on them and how those businesses are using and sharing the data, to delete their PII from a company’s database, and to bar a business from selling their personal data. CCPA defines personal information similarly to PIPL and includes name, social security number, biometric information, and internet browsing history.
Who Does CCPA Affect?
CCPA affects any for-profit organization that conducts business or serves consumers in California and meets one or more of the following criteria:
- Has a gross annual revenue of more than $25 million
- Handle at least 50,000 records of California residents, households, or devices
- Receives 50 percent or more of their annual revenue from selling the personal information of California residents.
However, the rights outlined in the CCPA only apply to residents of California, even if they’re not in California at the time of the request. Nick Halsey, CEO of Okera, explains, “This combination of various state-based regulations and variables can imply a more refined data access policy, placing a new layer of requirements on governance systems. The policy, no longer static, must react to certain variables in real-time. In 2022, we will see increasing pressure on enterprises and vendors to put the tools in place that enable real-time, state-based policy enforcement.”
Also Read: CCPA Compliance Checklist & Requirements
CCPA Compliance Checklist
If your business meets any of the above criteria, these are the things you need to remain compliant:
- Full visibility into the data your organization has and collects: Businesses collect a ton of data in both structured and unstructured formats, and while they can easily search their structured data to find out what they have, unstructured data isn’t that easy to parse. Organizations need to understand all of the data they store and collect as well as where they’re storing it.
- Categories for all of your organization’s data: Not every piece of information will be relevant to CCPA and require the same level of security. Categorizing your data ensures that you’re keeping necessary information for the appropriate length of time and providing the required security.
- Remediation plans for different scenarios: Obviously, you don’t need to launch a full incident response if someone asks you to delete their data, but you do need to have a standardized remediation plan in place. You’ll need to create plans for each of your data categories to abide by relevant compliance requirements.
- Clear policies on data governance: Tell your consumers why you need their sensitive information, what you plan to do with it, and how you’ll store it. You also need to train your employees extensively on these policies, so they know what they can and can’t do with the data you collect.
- Easily accessible Subject Rights Requests: The CCPA allows California residents to request information about how their data is being used, and your company has to make these requests simple for consumers. The law also dictates that organizations have to acknowledge each request within 10 days of receipt and fulfill it within 45 days, so you need an efficient system in place to receive and act on these forms.
Europe’s privacy protection law went into effect in 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) is legislation that protects the data of citizens in the European Union (EU). It’s likely the strictest data privacy law in effect today, and, for the most part, if you’re compliant with GDPR, you’re likely compliant with other data protection acts. The GDPR website defines personal information as “any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”
Who Does GDPR Affect?
GDPR affects all organizations that conduct business in the EU, serve citizens of the EU, or track and record data of people in the EU. However, organizations with fewer than 250 employees are exempt from some of the rules of GDPR. The documentation states that the data protections outlined in the first two paragraphs, “shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10” (Article 30.5).
GDPR Compliance Checklist
Here’s what you need to comply with GDPR if you have more than 250 employees or meet the criteria listed above:
- Clear categories for the data you store: You need to separate the data you collect into categories and outline specific reasons for collecting each type. The records of these categories should include the name and contact details of each processor and data controller and information on and data transfers.
- A detailed list of what you use data for: This list should include records like the name and contact details of the data controller and data protection officer, the reason for processing the data, a description of how you categorize your data, who has access to the data both internally and externally, and a description of the security measures you have in place to protect the data. This list should be in writing (or electronic form) and available if requested by a compliance officer.
- A legal justification for processing the data: Article 6 of GDPR outlines the lawful justifications for processing data, including but not limited to consent from the individual the data belongs to, processing due to a contractual basis, and for matters of public interest. If consent is your justification, you’ll need to make it easy for your data subjects to revoke their consent at any time.
- Internal security policies and remediation plans: Under GDPR, you must be cognizant of data security any time you handle someone else’s data. PII should be encrypted or anonymized whenever possible, and you need to train your employees extensively on data security, especially if they have access to personal data. Perform impact assessments when making changes that affect your data, and have a plan in place for notifying relevant authorities or individuals when you have a breach.
- A designated GDPR compliance officer: This should be an internal employee well-versed in the requirements of GDPR, and they should be encouraged and able to evaluate data processing policies and make changes where necessary. Depending on your business category, you may also need a data protection officer. And if your business is located outside of the EU, you will also need to appoint a representative located in the EU.
- Signed data processing agreements with third parties: If you work with other organizations that are going to get access to your stored personal data, you’ll need to sign an agreement that outlines each party’s responsibilities regarding GDPR compliance.
- Easy access for your customers to their data: If you’re collecting personal information, you must make it easy for consumers to find out what information you’re storing on them, update inaccurate or outdated information, request that their PII be deleted, request that you stop processing their data, request a copy of their personal data, or object to you processing their data. Also, if you use automated processes to make decisions about people, your customers should be able to request human oversight or challenge the decision.
How to Stay Up to Date with Changing Compliance Regulations
New data privacy compliance regulations come out from time to time, especially as the way companies process data changes, so compliance can be difficult for many organizations. However, because GDPR is so strict, most companies can get away with following those procedures and be covered under many other regulations, including CCPA and PIPL. It’s important to have a compliance officer within your organization that can help you stay up to date with changing regulations and adjust policies as needed.