Editor’s note: WRAL TechWire is kicking off a 5-part series on data privacy law to bring some clarity to one of the fastest growing and most complex areas of technology law.
By Steve Britt, Counsel for Cyber, Data Privacy & Technology (CIPP/E, CIPM), Parker Poe, and Sarah Hutchins, Partner for Cyber, Data Privacy & Technology (CIPP/US), Parker Poe
RALEIGH – Developments in data privacy are incredibly fast moving, and it is a continually expanding area of law. The business community needs to pay attention to current developments and review current information about where these laws came from, where they are going and what companies need to do to prepare for these changes.
To make sure we are all on the same page, let’s start by defining some key terms. First, cybersecurity or data security is about the protection of data and the information systems it lives on from hacking, loss or unauthorized use. Loss of data can come from spear-phishing, ransomware, business email compromise or simply a lost laptop.
Data privacy, on the other hand, is about honoring the privacy rights granted by law to the natural persons whose data a business collects, uses and holds. The distinction between data security and data privacy is captured by the tag line: “You can have data security without data privacy, but you cannot have data privacy without data security.” That is because all data privacy laws require that the data be protected from loss. You can have the most secure operations in the world, and never lose a single record, but still blow data privacy out of the water by not complying with these new laws.
Another way to think about this distinction is that data security is primarily a technical set of protections involving network scans, access controls, detection of unpatched software and installing multi-factor authentication, combined with non-technical requirements such as regular employee training.
Data privacy requirements vary by jurisdiction but generally consider what specific personal information is collected, why it is collected, who it is shared with and how users can control how their data is used. The definition of personal information can vary by jurisdiction too, but it is far broader than most realize, usually including device data, location data, browser history, user preferences and purchase history.
Complying with these regimes presents several unique challenges. For example, the business must be able to locate, tag, track, recover and potentially delete individual user records throughout the enterprise. It must establish new business processes to handle data subject rights requests in a timely and nondiscriminatory manner, after first verifying that the requester has the right to make the request.
These laws also require the business to train its employees, update its policies and keep accurate records of all of its data management activities for potential audits and investigations. Failing to comply can lead to large fines, damage to business reputation, injunctions and lawsuits.
In this series, we will try to demystify data privacy so that management can accurately analyze the risks presented by these laws – both now and in the future – and plan reasonable, affordable and achievable solutions.
One further note: It is important not to think too narrowly about data privacy, as it does not have a clearly defined swim lane. Companies should not try to navigate through perceived exceptions or gaps in particular statutes at any particular moment in time, as this will only delay their larger goals; the trends on data protection are clear and irreversible.
Data privacy should be seen for what it is – just one element of a sound data management program. This requires a reorientation of the entire business towards data privacy – without any loss of focus on data security.
One should also recognize that data issues are expanding and merging. For example, data security requirements are being woven into data breach notification laws, stand-alone biometric laws, artificial intelligence laws and internet of things laws. When regulators investigate a data breach, you can expect them to review data privacy compliance as well.
By starting now, a company can set a deliberate pace towards a comprehensive data management program that will enable it to show a good-faith effort toward compliance in the event that a data breach or other regulatory event occurs along the way. That will be its best defense against this growing array of new legal risks.
About the authors
Steve Britt, CIPP/E, CIPM, is a cyber, data privacy & technology attorney at law firm Parker Poe. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt counsels his clients on the full range of data protection laws. He may be reached at firstname.lastname@example.org.
Sarah Hutchins, CIPP/US, is a cyber, data privacy & technology attorney at law firm Parker Poe. She helps clients navigate business litigation, government investigations, and data privacy and cybersecurity. Hutchins may be reached at email@example.com.