Data Protection Acts And Lack Of Compliance
Although over 120 countries worldwide have passed data protection acts, many companies are still on the wrong side of the law. According to reports, one-third of the companies are still not compliant with the General Data Protection Regulation (GDPR), the EU's most comprehensive data protection act. Also, only one-third of the companies were compliant with the CCPA, the California privacy law, back in January 2020 when its enforcement began.
Authorities have started enforcing the laws and imposing hefty fines for non-compliant companies. While it is fair to say that many of these companies have reached some level of regulatory compliance with regards to data protection acts, they do not meet all the requirements. But why is that?
Compliance is not a matter of degree; it means that your company meets every single requirement prescribed by the applicable law. If you meet all the requirements, you are compliant. If you fail to meet at least one of them, you are in breach of the law.
Data Governance is definitely a part of the solution, but first, let's try to understand where organizations may have blind spots. In this blog post, we will examine why organizations are non-compliant and, of course, still exposed to risks and penalties despite their best efforts.
Reason 1: They Don't Know Which Laws Apply To Them
This reason is more common than people think. Some companies don't know which data protection acts or laws apply to their businesses. It doesn't necessarily mean they are careless, just that they are missing critical information required so they can act appropriately.
For example, a company from California may be aware that it has to comply with the California privacy law. But, as soon as Canada's first visitor lands on their website and they collect their personal information, they also must comply with the Canadian PIPEDA data protection act. And there it is; they may not know that Canada also has its data privacy law or even less, its requirements.
Remember, laws protect the people who interact with you.
Typically, particular data privacy law's applicability depends on two conditions: where your business is based and where your customers, clients, prospects or citizens are from. You must comply with all the laws applicable to both your organization and your users. Remember, laws protect the people who interact with you.
A thorough analysis of data stored about anyone interacting with your organization will reveal where people are coming from, which will give you an excellent start to understand which laws may apply to you.
Reason 2: They Don't Know What Data They Collect
Say that you have a website form collecting only the email address and first name of a visitor, and you were under the impression that all you collected was the email address and first name? Not so fast. You may be collecting other personal information of visitors unknowingly.
Many organizations are not aware that they collect users' data such as IP address if they use Google Analytics, for example. Unless you set it up correctly, this popular and free tool collects more data than you may have thought, which may easily make you breach the laws.
Also, installing social media plugins on the website is not as innocent as it might seem. These plugins collect plenty of personal information, including sensitive data that users share with social networks. This could make you a data controller of sensitive personal data, and if you don't put adequate data safeguards in place, you may be exposed to serious legal disputes.
Various technologies and affiliates may also collect information, and because they are integrated into your digital property, you are responsible in the eyes of the law.
Reason 3: They Don't Categorize Collected Data
Without proper categorization of collected data, compliance is almost impossible. You need to know the categories of data you collect for several reasons, such as whether you need consent, providing notification on collected data, providing data subjects with the right to know and access data, etc.
Without categorizing data, you cannot provide users with compliant notification on collection or privacy policy. Laws such as the CCPA, GDPR, PIPEDA, LGPD, and others require businesses to include the categories of personal information collected in privacy policies or collection notices.
Collecting and storing data you don't need has now become a real liability and brings only risks to your organization.
Also, companies keep getting regular data subject requests from users. When you get a request to know, you must provide the user with information on all the data categories you collect. Someone may submit a request for the erasure of a particular category of data you have about them. To fulfil such a request, you have to have your data categorized.
Reason 4: They Don't Know Why They Collect or Process Data
It is good practice to collect and process only the data you need to conduct your business and refrain from collecting data just because you may use it someday. Collecting and storing data you don't need has now become a real liability and brings only risks to your company.
Also, you have to inform your users why you collect their data. Failing to inform them makes you non-compliant with most of the data privacy laws in the world.
If an organization doesn't know why it collects a particular data element, it may be safer to stop collecting it or find out whether it still fulfills any requirement.
Reason 5: They Don't Know Where the Collected Data is Stored or Processed
You may be using third-party services for your online business operations, such as website plugins, email providers, database storage services, etc. In the process of using these services, you may unknowingly transfer users' data to other countries. In some cases, such transfer may mean a breach of data privacy laws.
Do you know where you store and process the data you collect? Do you know where your data processors and subprocessors process the data? If using the services of third-party tools involves the transfer of data to another country, and you don't know which one, you are under severe risk of getting fined.
Understanding this is particularly important if you collect and process data of EU residents because the GDPR requires you to transfer their data only to countries with an adequate protection level. It means that if a non-EU government does not provide the same level of data protection as the EU, and the EU has the world's highest standards, you must not transfer that data in these countries.
You can transfer the data only to countries on the EC list of countries deemed safe. Suppose you need to transfer the data to a third country. In that case, you must handle the exception specifically with Standard Contract Clauses, Binding Corporate Rules, the user's consent, or on another legally acceptable basis.
Reason 6: They Don't Track How Users' Data is Shared or Sold
You share users' data when you use third-party tools for processing it. To get any insights from Google Analytics, send emails via ConvertKit, or show ads on Instagram, you have to share your users' data with them. You sell users' data if you provide the data to someone else for financial compensation. For example, you may sell your email list to another company. That is a sale of personal information.
Most data protection acts require that you track with whom you share data and to whom you sell data. As mentioned before, you cannot just use any third-party tools casually. If you don't notify users of these tools or if any of them modifies the personal data you have shared with them, you will be liable to your users. Aside from the penalties, you may face them in a civil court and pay torts for the breach's consequences.
The same applies to the sale of personal information. In the United States, it is generally permitted to sell users' personal information to third parties. Still, the Nevada and California privacy laws oblige you to notify users on that and let them opt-out from their data getting sold. Failing to provide such notification means a violation of laws.
Reason 7: They Don't Know For How Long They Keep Or Should Keep The Data
Keeping data for extended periods may present data protection and business risk. You should keep the collected data only for the minimum amount of time necessary for two reasons: first, for the legal requirements and two, the risks associated with storing information you don't need.
The most recent data privacy regulations, such as the CCPA, GDPR, LGPD, and others, require businesses to delete data as soon as they don't need it anymore.
Moreover, keeping data you don't need has no benefits and exposes your organization to risks. You'll get nothing out of it, yet it may fall prey to cyber attackers! By systematically deleting the data you don't need, you'll save yourself many headaches while not losing any benefits.
Reason 8: They Don't Provide Sufficient Notifications to Users
The California privacy law requires you to provide users with a notice on the collection, a notice on sales of personal information, and a notice on their data's financial benefits. The GDPR and PIPEDA require presenting users with an up-to-date privacy policy.
Having a link to your privacy policy or a "Do Not Sell My Info" button is not enough. If you don't show the right notifications at the right time, you may be violating the law.
Takeaways
These are the most common mistakes. An assessment of your compliance status to data protection general regulations is a great start. The best time to do that was a few years ago, and unless you know you are in control, the second-best time is right now. Information governance plays an important role as well.
To improve, ensure to assign experts to do the job. They will help you identify which laws you are subject to, map out your privacy practices, prepare a data inventory for your business and take you on the road to compliance from there.
Remember that whatever data protection act applies to your company, you always need to:
Know what data you collect and process
Categorize the collected data
Know the purpose of collection and processing
Know where the information is stored or transferred
Know with whom it is shared or to whom it is being sold
Know for how long and why you retain data, and
Inform users about your privacy practices.