The General Data Protection Regulation (GDPR) became effective May 25, 2018 and requires businesses to comply with certain requirements when protecting and storing personal information of European Union residents or citizens. As the first and most comprehensive law of its kind, GDPR signalled an enormous shift that has resulted in a global wave of data protection regulations.
The first US regulation of this kind, the California Consumer Privacy Act (CCPA), introduced substantial amendments to consumer privacy and data protection law in California and became fully enforceable on July 1, 2020.
More recently, the New York State legislature kicked off 2021 by announcing plans for a comprehensive data privacy law (NYDATA) that will echo many of the provisions of the CCPA. If passed, NYDATA could be finalised as early as April 2021. Many people who previously believed data privacy laws would not take hold across the United States are starting to shift their beliefs.
The Risks of Non-Compliance
While the GDPR has been in force and enforceable for a few years, companies that do not do business in Europe or with European citizens have not had to worry about its data privacy requirements. Now that the CCPA is fully enforceable, any company doing business in or with a resident or household of California must comply with the new regulations.
Even companies that are GDPR compliant will need to review their policies and procedures to ensure that they are also fully compliant with the CCPA because, while similar, the CCPA is not a carbon copy of the GDPR. With CCPA and the news of NYDATA, companies are realising that it will be increasingly difficult to do business in the US and ignore data privacy and protection laws; they must act now if they want to be in compliance with these laws.
An important aspect of these regulations is providing individuals (data subjects) various rights over the personal information that companies collect about them. These include access and portability rights, deletion rights, and the right to object or opt out, to name a few. Failure to comply with either of these regulations can be costly. The GDPR caps fines at €20 million or 4% of worldwide turnover, whichever is larger. Meanwhile, the CCPA has fines of up to $2,500 per violation ($7,500 per intentional violation) but does not have a cap on the total amount of fines that can be assessed. With the cost of non-compliance so high, ignoring these regulations would not only be unwise, but harmful to your business.
Addressing the Challenges Ahead
On top of all of the rights given to data subjects, companies must determine if they qualify as a processor or controller of personal data, as that classification changes the steps that must be taken to comply with these regulations.
In order to comply, companies need to pay particular attention to three areas: security controls, data management and automation.
- For security, companies must implement IT controls in line with best practices in areas such as encryption and access management.
- For data management, companies need to ensure that they maintain the transparency requirements of the various data privacy regulations.
- Automation focuses on streamlining organizational processes to better enable the rights of data subjects, handle breaches, and manage audit processes (both internal and external).
Automation can be a particular challenge and some experts warn that a shortage of talent will create a surge in demand for privacy law training and certification. Getting ahead of new legislation by finding the right tools and talent beforehand is important to reduce the risk of non-compliance once new laws become enforceable.
With an increased focus on data privacy, eBrevia responded by releasing new data privacy fields to automatically extract relevant data points from documents such as: Personal Data, Data Subject Rights, Data Retention, Data Breach, and Transfer of Personal Data. Using an AI tool to quickly identify these items helps narrow the gap between a company’s data privacy capabilities and its ability to adhere to data privacy laws and regulations.
Quickly analyzing data privacy provisions across large volumes of contracts provides fast, actionable insights that reduce the risk of non-compliance with GDPR, CCPA, and any future data privacy laws and regulations.
In light of additional regulations on the horizon, and a shortage of privacy specialists, achieving greater efficiency and accuracy with an AI tool is not only timely, but necessary to make sure that you do not run afoul of these regulations and risk getting fined. Given everything that has happened this past year, the last thing you want to deal with is having a violation lead to fines, especially when it can be an easy fix to review all your contracts quickly and determine if you are in compliance.
For more information about eBrevia, visit us at: www.ebrevia.com
[ Artificial Lawyer is proud to bring you this sponsored thought leadership article by eBrevia. ]
Companies need to be proactive when addressing personal data protection as the number of data breaches and data leakage events is on the rise. Being able to use tools like eBrevia to automatically review data privacy provisions is indeed valuable. But it’s also important to continuously crawl all data repositories to identify personal data across an organization’s diverse IT systems. Ayfie has over 190 pre-built PII extractors and we immediately identify & report on the amount, type and location of personal data. If a system is breached, you’d be able to respond in minutes… well before the 72-hour reporting requirement.