Business Technology, for the Win - Data Privacy

As a CIO, one of your primary responsibilities is the management of information. You are entrusted with acquiring, disseminating, enhancing, storing, and protecting information. All of these facets of the position are challenging in different ways.

The protection of information is a particularly challenging area of your job because not all information is equivalent and not all information requires the same level of protection. Along with your team, you are responsible for understanding what information is important, what needs protection, and ultimately what that protection looks like.

When it comes to personally identifiable information (PII) or consumer data, you have another challenge - regulation. These laws set standards for what is required to protect the data, with stiff penalties for non-compliance.

As a global CIO, this is even more challenging because you are navigating regulations across multiple jurisdictions. Crossing country or state borders changes the nature of the expectations of how you have to care for and manage consumer data. Frequently, you are held responsible for the data of consumers where they live and not only where you have places of business.

Your first step is to understand what these regulations are in the countries where you have consumers and how those regulations impact the information that you are tasked with stewarding.

Map of Europe via https://gisgeography.com/europe-map/

Europe

One of the first regions to establish a standard for consumer data privacy was the European Union. They published the General Data Protection Regulation (GDPR) in 2016 and started to enforce it two years later in May 2018.

Key points about GDPR include:

  • GDPR defines personal data as that which involves identified and identifiable natural persons.
  • GDPR has a specific data breach notification requirement with a 72-hour deadline.
  • GDPR requires workforce training.
  • GDPR requires a Data Protection Officer (DPO). This role ensures that the organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
  • GDPR requires data protection impact assessments (DPIAs) in certain situations.
  • GDPR uses the terminology data subjects, data controllers, and data processors to describe the parties involved in data management.
  • The GDPR has two tiers of fines, 2% and 4% of annual worldwide revenue. If you are a global company, the fine is based on all of your global revenue and not just the European portion of that revenue.


Map of North America via https://gisgeography.com/north-america-map/


North America

In North America, regulation is not as consistent or unified. Neither the U.S. nor the Canadian legislature has pushed through modern countrywide mandates. In both countries, the regulatory landscape is fragmented across states and provinces, with some areas more advanced than others.

Some states have passed specific regulations to ensure consumer data privacy. These include California (CCPA), Nevada (Nevada Privacy Law), Colorado (CPA), and Virginia (CDPA).

Alaska, Hawaii, Utah, Arizona, New Mexico, Texas, North Dakota, Nebraska, Minnesota, Wisconsin, Illinois, Indiana, Kentucky, Tennessee, Mississippi, Alabama, North Carolina, West Virginia, Maryland, Delaware, New Jersey, Connecticut, Rhode Island, Vermont, New Hampshire, and Maine each have proposed regulation that is under consideration and is likely to pass after undergoing review and revision.

Many of the remaining states are beginning to discuss proposed regulations and are watching the European Union's GDPR and the states that have already enacted legislation as patterns for their own plans going forward.

In Canada, there is the Personal Information Protection and Electronic Documents Act (PIPEDA). The PIPEDA went into effect on April 13, 2000, and has broad applicability. It “applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”

While PIPEDA shares some common points with GDPR, the two laws don't have the same strength or impact on business. They particularly differ in their consent requirements and penalties for non-compliance. Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use or disclose that individual's personal information. People have the right to access the personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again. Personal information must be protected by appropriate safeguards.

Three provinces have their own consumer privacy regulation: Quebec, Ontario, and British Columbia. Similar to the U.S., these laws are the beginning stages of a national movement but don't yet create a consistent approach.


Map of Asia via https://gisgeography.com/asia-map/

China

In Asia, China is the leader in consumer privacy protection with the Personal Information Protection Law (PIPL). The PIPL passed on August 20, 2021 and is the first comprehensive data privacy law in China grounded in China’s constitution. It went into effect on November 1, 2021 and has a major impact on all businesses operating in China.

Key points about PIPL include:

  • PIPL includes far more reliance on notice and consent as a basis for processing personal data, including when it is shared with third parties.
  • PIPL defines personal data as that which involves identified and identifiable natural persons.
  • PIPL has a data breach notification requirement.
  • PIPL requires workforce training.
  • PIPL requires a Data Protection Officer (DPO). It is unclear which companies must appoint a DPO under the PIPL for now because the Cyberspace Administration of China (CAC) has yet to clarify the issue through the release of subordinate regulations.
  • The PIPL prohibits personnel responsible for violations from holding high-level management or DPO positions.
  • PIPL requires data protection impact assessments (DPIAs) in certain situations.
  • PIPL has a strong data localization requirement.
  • PIPL recognizes a few different types of sensitive data than the GDPR does.
  • PIPL requires a representative in China for foreign data handlers.
  • PIPL has less stringent requirements for cross-border data transfer than the GDPR.
  • Under PIPL, data breach notification must be “immediate”. Unlike GDPR, it does not define what “immediate” means.
  • The PIPL has fines up to 5% of the previous year’s annual revenues or 50 million RMB (approximately $7M USD), whichever is higher. It has an extraterritorial reach and strict cross-border data transfer requirements. PIPL is unclear about whether the fine is based on annual revenue in China or worldwide annual revenue.
  • PIPL uses the terminology individuals, personal information handlers, and entrusted parties to describe the parties involved in data management.

Map of Latin America via https://gisgeography.com/latin-america-map/

Latin America

In Latin America, the leader in terms of establishing consumer privacy is Brazil. They have a regulation called Lei Geral de Proteção de Dados (General Personal Data Protection Act) or LGPD. The LGPD was passed by the National Congress of Brazil on August 14, 2018 and came into effect on August 15, 2020. It is an attempt to unify the over 40 different statutes that governed personal data, both online and offline, by replacing certain regulations and supplementing others.

Key points about the LGPD include:

  • LGPD provides data subjects with nine rights, defines what constitutes personal data, and creates ten legal bases for the lawful processing of personal data.
  • LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located.
  • LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.
  • LGPD requires organizations to report data breaches to the local data protection authority.
  • LGPD requires a Data Protection Officer (DPO). The DPO is responsible for the communication between businesses, the government, and data subjects.
  • LGPD does not give any firm deadline for notification: it merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.”
  • Under LGPD, the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (approximately $10M USD).
  • LGPD defines nineteen terms associated with privacy data: personal data, sensitive personal data, anonymized data, database, data subject, controller, processor, officer, processing agents, processing, anonymization, consent, blocking, deletion, international data transfer, shared use of data, impact report on the protection of personal data, research body, and national authority.

As a CIO, data privacy will become more important to you over the coming years. According to Gartner, “by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations”. You will be asked to balance the cost of implementing a privacy program against the risk associated with non-compliance. These risks include immediate financial risks and long-term reputation risks. Getting to know these regulations and how they impact you and your business is the first step.

—————————————————————————————————————

Gartner is a leader in the space of data protection/privacy risk management. They have researchers who monitor and interpret data privacy regulations. They also advise clients on what they need to know about these different regulatory standards. The Gartner advisory service allows you to submit context-specific questions related to your business and its specific scenario and have one-on-one conversations with experts like Bart Willemsen, Bernard K. Woo, MBA, Nader Henein, Jie Zhang, Claudio Neiva, and Katell Thielemann. Although they will remind you that they cannot provide legal advice, they can ensure that you understand where to focus your efforts in working with your legal and compliance teams to successfully navigate this evolving world of data privacy.
