There was a time, not long ago, when we described our society as post-privacy. People across all generations (not just the Millennials) used social media to share all sorts of personal information, without regard to privacy. While many of us still do, times are changing.
Even before the recent data sharing scandals involving Facebook and Cambridge Analytica, attitudes about data privacy were changing. This is evident in the recently passed California Consumer Privacy Act (CCPA) and the previously enacted General Data Protection Regulation (GDPR) in the European Union.
The New Privacy Regulations
The purpose of the California law is to protect on-line privacy and personally identifiable information (PII). Once implemented, California citizens will have the right to ask a company to share records collected about them. They will then be able to have those records deleted. It also gives them significant opt-out rights, limiting data sharing with third parties.
GDPR goes even further. It applies to all companies processing personal data of EU citizens, regardless of the company’s location. Further, the regulations afford EU citizens the “right to be forgotten.” Essentially, any organization that possesses the data of an EU citizen must be able to immediately delete that data when it’s no longer needed for its original purpose, or if the citizen asks for the data to be erased and there are no legitimate grounds for retaining it. These companies must also notify customers of data breaches within 72 hours.
Most significantly, GDPR comes with big fines for businesses that fail to comply with these regulations. Violators can be fined up to 4% of annual revenue or €20 million (whichever is greater) for the worst offenses.
Lessons Learned in the EU
GDPR took effect on May 25, 2018. For most organizations, the biggest challenge with compliance was that they did not know what data they had or where it was stored.
This is not surprising. Today’s hybrid, multi-cloud world exacerbates the challenge of data visibility. Various studies prior to GDPR implementation showed that most organizations lacked the proper technology to address these new requirements. Many reported that they didn’t possess tools to manage data effectively, impacting their ability to search, discover and review data. This is a critical failing because businesses must be able to locate PII within a very short time to be compliant.
Another finding was that many organizations do not understand their data and therefore can’t determine whether it should be saved. Steep fines result from failing to delete data that’s no longer needed for its original purpose. This worries many in the EU, especially when it comes to maintaining their brand and customer base. As a result, the average spending by organizations to achieve GDPR compliance was almost €1.3 million (~$1.5 million).
Why This Matters to You
Although GDPR doesn’t apply directly to US government organizations, we should all pay attention to these changes. First, the likelihood of a GDPR-like law in the United States is not far-fetched. Earlier this year, new privacy provisions were reported to be floating around the Senate. While limited today, the CA privacy law is a template for future legislation for all US citizens, including customers of government agencies.
Even without new regulations, we still have the Privacy Act of 1974 in the United States, which requires a variety of data protections. In 2016, President Obama recognized the need for better Privacy Act enforcement across the government and established a Federal Privacy Council. The initial focus was on helping agencies understand their level of compliance with current privacy requirements. I had a chance to work on this issue with my agency. Simply understanding our current state was much harder than anticipated.
The subsequent steps to bring systems and data stewardship practices into compliance with the Privacy Act are even harder. These efforts are still ongoing across government.
Don’t Delay, Start Today
The eventual introduction of GDPR-like privacy requirements in the United States will be a monumental task across government and industry.
Begin preparing now by developing an enterprise data strategy for your organization. This is an important first step that will help you get a handle on your data governance requirements. It also leads to the ability to search, discover, and review your data. These are not only essential capabilities for compliance with emerging privacy laws, but table stakes for current IT modernization and digital transformation initiatives.
Jonathan Alboum is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!).