Data Privacy Regulation


Organizations take on sensitive data discovery and protection because sometimes it is required by law. In the European Union and a growing number of states in the US, consumer data privacy laws are on the books and governing certain businesses. 

For US companies that don't do business in those states, meeting the standards those regulations set still brings benefits of its own. The cost of cybercrime is expected to rise 15% year over year through 2025, in part because of weak internal data privacy practices at many companies. According to TechBeacon, 44% of business cloud user security privileges are misconfigured, including shadow administrators who have unauthorized, privileged access to sensitive data.


It's important to remember that this data doesn't just live in forms and databases, but in emails, chat logs, audio recordings, notes, and so on. Unstructured data sources like these are governed by many of the same laws and regulations, but they are much harder to inventory and secure. Below we break down the current state of data privacy regulation, so you can understand how to comply, or improve your practices to get ahead of the curve before the law changes in your area.

Data privacy regulations are laws passed by governments to protect the personal data collected from residents of their jurisdiction. Most nations around the world have a data privacy law of some type in place. We’ll summarize a few main examples at different levels of government. 

  • All 30 countries of the European Economic Area (the 27 EU member states plus Iceland, Liechtenstein, and Norway) follow one data privacy regulation, the General Data Protection Regulation (GDPR). Europe's data protection standards are the most comprehensive, and we get into what they entail below.
  • The Francophone Association of Personal Data Protection Authorities (AFAPDP) was founded in 2007 in Montreal as a data privacy coalition for 23 governments and states that are home to the French-speaking peoples of the world. This includes not only Canada, but many African nations and some European ones. Outside this commitment to shared values and standards with fellow French-speaking nations, Canada's data protection laws are a mix of federal and provincial statutes.
  • In Mexico, data privacy is governed at the federal level and regulations are enforced by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI). This entity not only protects the personal data of citizens but also their right to access public information.
  • In the United States, there is no comprehensive federal law protecting personal data. Instead, a mix of federal and state laws protects data differently in certain areas and industries. The American Data Privacy and Protection Act was introduced in Congress in 2022. Should this act pass into law, the US will have a federal personal data protection regulation to follow. According to the National Conference of State Legislatures, 38 states are also somewhere in the process of introducing, enacting, planning, or researching privacy legislation. Three states already have laws on the books, which we will get to later.

These are just some examples of how different countries and groups of countries regulate data privacy. Overall, 137 out of 194 countries have some form of data privacy legislation. You can also view a map of data privacy laws by country published by the French Commission Nationale de l'Informatique et des Libertés (CNIL).

Across borders, there are five widely accepted requirements of any privacy and data protection effort: awareness, consent, access, integrity and security, and enforcement. Let's briefly explore each one:

  • Awareness: Users must be told how their data will be used before they provide it. They must also be told whether sharing their data is optional or required, and how their data will be secured and stored.
  • Consent: Users should be able to choose how their data will be used, including providing the minimum data needed for a transaction or process without having to agree to secondary uses like marketing. This includes consent to share data with third parties beyond what the user's own purpose requires.
  • Access: The user's right to see what data is held about them and to correct any errors. This also includes access to the consent terms and a ready way to contact the entity or individual holding their data.
  • Integrity and security: Data must not only be kept accurate, it must also be secured and protected. The infrastructure and systems used to store sensitive data must be deliberately designed and maintained to keep user data safe.
  • Enforcement: There must be consequences for entities that fail in their duty to protect customer data, or that use data in ways they did not get permission for. These can take the form of fines, operational penalties, or other sanctions depending on the severity of the lapse.

These five requirements mirror the US Federal Trade Commission's fair information practice principles and have been part of the conversation since the late 1990s, according to Computerworld. Most data privacy regulations around the world address one or more of these pillars.

Most nations have their own laws to protect consumer data. The most robust regime in the world is the General Data Protection Regulation (GDPR), which applies across the European Economic Area: the EU plus Iceland, Liechtenstein, and Norway.


What Are the 7 Principles of GDPR?

  1. Lawfulness, Fairness, and Transparency: Processing must rest on a lawful basis, and you must be transparent with users about why you are collecting their data and how it will be used.
  2. Purpose Limitation: Data may only be collected for specified, explicit purposes and must not be further processed in a way incompatible with those purposes. GDPR does leave room for further processing for archiving in the public interest, scientific or historical research, and statistics.
  3. Data Minimization: Entities must process and retain only the data that is adequate, relevant, and necessary for their purpose, such as facilitating a purchase or sharing information.
  4. Accuracy: Organizations must take every reasonable step to keep personal data accurate and up to date, and to correct or erase inaccurate data without delay. Users have a corresponding right to have their data rectified, and a separate right to erasure; requests under either must normally be answered within one month.
  5. Storage Limitation: The organization must not keep personal data in a form that identifies a user for longer than is necessary for the purpose it was collected for. How long that is, and what still counts as necessary under principle 5 of GDPR, varies greatly by industry, so most organizations need a documented retention schedule. Questions about this are generally best asked of an authority in GDPR compliance like DryvIQ.
  6. Integrity and Confidentiality: GDPR states that data must be protected against unlawful or unauthorized processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
  7. Accountability: The last of the GDPR principles makes the data controller responsible for complying with the other six, and for being able to demonstrate that compliance through documentation.

Learn more about GDPR and its compliance requirements on the official GDPR website.

What Is the US Equivalent of GDPR?

The United States does not have a data protection act, at least not one that provides overarching guidance to every organization. Instead, certain industries are subject to their own data privacy regulations. Here are a few examples:

    • Health Insurance Portability and Accountability Act (HIPAA): This law protects health information held by healthcare providers, health plans, and their business associates, and governs how that information may be used and disclosed.
    • Fair Credit Reporting Act (FCRA): This law governs how the information in someone's credit history can be accessed, used, reported, and disposed of.
    • Family Educational Rights and Privacy Act (FERPA): This law protects student education records and guarantees a parent's or guardian's (or an adult student's) right to access those records.

Each of these laws has its own regulator: HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights, FERPA by the Department of Education, and the FCRA by the Federal Trade Commission together with the Consumer Financial Protection Bureau. Beyond those sector laws, the Federal Trade Commission acts as the de facto privacy regulator, using its authority over unfair and deceptive practices to pursue companies that break their own privacy promises. There is also an increasing number of data privacy laws at the state level.

  • California's Consumer Privacy Act (CCPA) passed in 2018, took effect in 2020, and was expanded by the California Privacy Rights Act (CPRA) in 2020. This law gives California consumers the right to opt out of the sale of their personal information, to see all the data a company holds about them, to correct it, and to require that it be deleted. This covers not just the information about them in databases, but information held in unstructured data as well. Businesses that serve California consumers must comply if they meet any of the law's thresholds, the best known being $25 million in annual gross revenue. As a result, residents of many other states benefit from some of the protections it creates, because companies often apply the same practices nationwide rather than only to Californians.
  • Virginia's Consumer Data Protection Act (VCDPA) passed in 2021 and took effect on January 1, 2023. This law differs from the CCPA in that it has no revenue threshold. Instead, applicability depends on the volume of data a business handles: any organization that conducts business in Virginia and controls or processes the personal data of at least 100,000 consumers in a year, or of at least 25,000 consumers while deriving more than half its gross revenue from selling personal data, must comply. A large business that handles little personal data is therefore outside its scope.
  • Colorado's Privacy Act (CPA) passed in 2021 and took effect on July 1, 2023. It gives Colorado consumers rights to access, correct, and delete their data and to opt out of targeted advertising, the sale of personal data, and certain profiling, using applicability thresholds similar to Virginia's. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act and are enforced by the Attorney General and district attorneys, which reaches companies that mismanage data or profit from selling it without disclosing that to users.

Data privacy regulation in the US continues to evolve. But as organizations operate without clear guidance, the harms of weak privacy and governance practices can do real damage to both brands and consumers.

Businesses and other organizations often assume data privacy extends only to what is filled out in a form or kept in a record about a person. But privacy goes beyond personal information like an address and financial details. It also extends to unstructured data like emails, documents, mobile data, web server logs, and more. This data must also be discovered, classified, documented, and governed. Across a global organization with multiple locations, we know that level of sophistication is no small feat. That's why DryvIQ has developed its specializations in:

Let DryvIQ help ensure your unstructured data governance policies align with industry standards and today’s best practices. Learn more about how we engage with your data to automate policy enforcement.