After one of the most difficult economic years in U.S. history, businesses are bracing themselves for the challenges 2021 will bring. With a new administration incoming and the possibility of a Democratic Senate, broad federal data privacy legislation seems almost imminent as consumer data privacy continues to take precedence over the commercial exchange of that data.
In ZenGRC’s webinar How the U.S. Election Could Alter Privacy Requirements, GRC expert Dr. Maxine Henry walked through the California data legislation changes expected to go into effect as soon as next month, as well as what November’s election and potential federal data privacy legislation could mean for businesses that buy and sell consumer data.
Preparing your business for amendments to existing legislation, or for legislation that is forthcoming, can seem arduous. With this in mind, Dr. Henry offered 12 steps every business can take to demonstrate compliance with data privacy laws:
- Determine if you are in scope: With regard to existing laws, the first step is simply to identify whether or not they apply to your business. Revenue and the amount of consumer data your business buys and sells play critical roles in determining whether you fall within scope.
- Identify and map your data: Assuming your business does fall within scope, you’ll want to conduct a thorough mapping of what type of data you collect, why you collect it and where it’s kept.
- Identify any exemptions: Certain types of businesses are not required to comply wholly or at all with data privacy legislation. If your business falls within that category, identify and articulate why some or all of your data would not be subject to legislation requirements.
- Manage your vendors and service provider relationships: Create and continually update documentation that lists, explains and justifies all contracts and relationships that have anything to do with the exchange of consumer data — including what type of data is being shared and transmitted, and the nature and purpose of its exchange.
- Manage privacy notifications: Each law requires you to display specific privacy notifications on your digital properties, including your website. These notifications change constantly, and it is the responsibility of each business to update them manually to remain in compliance with legal requirements.
- Data subject access requests: Create a process for responding to data subject access requests, should you be subject to an audit. Data privacy acts have clearly articulated time frames within which you will be required to provide the data, without error or extension.
- Update policies and procedures: Establish an annual review, audit, update and rollout of your data privacy policies and procedures to ensure your policies and procedures remain in compliance as legislation and requirements evolve.
- Security controls and data protection mechanisms: In the event your business is audited, the first and most critical component you’ll be measured on is the quality of your security controls and data protection mechanisms. It is critical that you establish a process to define and carry out these measures so that consumer data is protected as fully as possible.
- Data breach management: Create, update and implement a documented data breach management plan. This includes building and rehearsing a wide range of data breach scenarios at least annually with the proper resources and staff, each assuming specific roles and responsibilities in a given scenario.
- Training and awareness: Establish a documented, comprehensive training and awareness program requiring each employee to be certified annually, and be sure this certification is available as evidence in the event of an audit.
- Adopt a GRC system: Simplify and streamline the entire process of managing risk and compliance. Reduce time-consuming manual tasks by leveraging an integrated and automated information security solution.
- Assessments and audit: Periodically conduct internal audits of your existing privacy programs to identify vulnerabilities and opportunities for improvement proactively, prior to an audit or breach.
With the current Congressional session ending in December, the need to prepare your company for the potential legislative impact on how, where and why you use consumer data has never been more critical. To learn exactly what changes we know are coming, what we can predict, and what you need to do to ensure your business is fully prepared, watch Dr. Henry’s webinar How the U.S. Election Could Alter Privacy Requirements in its entirety.