Data privacy legislation tightens across the globe

With GDPR enforcement underway, eyes across the world turn to developments in data privacy legislation in the U.S. and India.

Since enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) began on May 25, 2018, a flurry of activity in the data privacy realm has rippled across the globe. As the new gold standard in data privacy, the GDPR is not only the most stringent data privacy policy to date, it also imposes the heaviest penalties for non-compliance. In the U.S. and in other countries, governments are borrowing concepts from the GDPR as they strive to protect their citizens and empower them to have better control of their personal data.

What this means for organizations

Organizations should take steps now to ensure they have proper access to privacy expertise in order to better understand how these developing regulations will affect their decisions, operations, processes/policies and compliance efforts.

California Data Protection Act

In June, the California state legislature signed the California Consumer Privacy Act of 2018, effective in 2020. The bill passed unanimously, reflecting widespread concern over data privacy. Like the GDPR, the California bill is a landmark policy in the data protection field, and while it may not be as comprehensive as the GDPR, it shares many similarities. The California act gives consumers (referred to as data subjects) the following rights:

  1. the right to know what private information is collected
  2. the right to tell companies to delete their personal data
  3. the right to tell companies to neither sell nor share it

As with other new data laws, breaches will incur serious fines with the potential to cost organizations millions.

U.S. data privacy policies on the horizon

A document by Senator Mark Warner, also recently in the news, provides options for Congress to meet U.S. data privacy objectives. Suggestions include many GDPR-like requirements, such as a 72-hour breach notification window and increased data subject rights. It also includes recommendations, such as:

  • Increasing military action to combat cyberattacks
  • Launching public education campaigns to increase media literacy and internet safety awareness
  • Requiring companies to be more transparent about the use of bots and other artificial intelligence to collect information
  • Requiring media companies to help combat disinformation dissemination by identifying the origin of posts
  • Labeling major search engines, social networks and internet service providers as “information fiduciaries” requiring companies to protect consumer data

By engaging data privacy experts now, organizations can be prepared when new policies are implemented. 

Data privacy discussions underway in India

The Parliament of India is getting closer to enacting its own data protection law. In July, the Ministry of Electronics and Information Technology accepted two new documents from the Srikrishna Committee: an initial data privacy assessment and recommendations, and a draft of the Personal Data Protection Bill. The Personal Data Protection Bill borrows heavily from the GDPR, including heavy fines for non-compliance. Most notably, under the Personal Data Protection Bill, fines could add up daily until corrections are made. Another unique requirement of this bill is making waves in the data privacy industry: a stipulation that a copy of personal data must reside in India.

With a population of over one billion, India has not only one of the largest internet user bases in the world, but also one of the fastest growing digital economies. For years, IT industry leaders in India have been concerned about data privacy practices that are frequently overlooked, given the rapid pace of development. There are many benefits to global organizations if this data privacy law goes into effect. Companies that conduct business in India should take steps now to safeguard personal information.

How to prepare

As awareness of digital privacy around the globe increases, organizations and citizens alike are making more privacy-minded decisions. Now is the best time to start preparing your organization for international data privacy legislation changes with the following steps:

  1. Be transparent. Disclose personal information you collect, process, or store and explain how it is used, and with whom it is shared.
  2. Evaluate current systems. Conduct a privacy assessment to better understand what personal data your organization possesses and whether it is secure.
  3. Apply best practices. After conducting privacy assessments, update data protection controls and processes to secure personal data in a manner that is consistent with the potential negative impact that could result from its exposure.

Data protection policies are rapidly changing and developing worldwide. Taking proactive steps will help your organization develop a sustainable data privacy program that is ready to adapt to evolving global regulations.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.