Top privacy tips of 2020
In 2020, we saw the California Consumer Privacy Act (CCPA) become effective; the EU-US Privacy Shield invalidated as a transfer mechanism under the General Data Protection Regulation (GDPR); and more than 30 state privacy bills introduced during the 2020 legislative session. Privacy requirements at the local and international levels are becoming more stringent, and consumers’ privacy concerns are at an all-time high. Here are our 2020 top privacy tips to keep you and your business on regulators’ and consumers’ “nice” list into the New Year.
Train your employees
Employees were the leading source of security incidents in the US in 2020. Providing periodic privacy and security training is essential to combating data breaches and protecting customers’ data. If your employees handle personal data, they should be trained on key privacy terms; the general requirements of data privacy laws like the CCPA and the GDPR; and company policies and procedures for keeping personal information safe.
Map out your data
Companies must understand what data they are collecting, how it is being used and with whom they are sharing it to comply with privacy regulations, respond to consumer requests and manage risk. Investing time and money in a data map that shows all data entering the company and its path around and out of the organization will prove invaluable when managing vendors; responding to access and deletion requests; and identifying cross-border data transfers subject to international privacy laws.
Choose your third-party vendors wisely
You likely use dozens of third-party vendors to assist in collecting, storing, and analyzing customer data. Before engaging a new vendor, review its privacy and security policies to ensure the vendor places as much value on data privacy as you do. Typically, you should sign a data privacy agreement with vendors detailing their privacy and security obligations.
Utilize Facebook’s LDU feature
To support CCPA compliance efforts, in 2020 Facebook introduced a new feature, Limited Data Use (LDU), that allows businesses to limit how Facebook uses their customers’ data. When a business applies Facebook’s LDU feature, Facebook is prevented from using that business’s customer data for its own internal purposes. According to Facebook, with LDU applied you can transfer customer data to Facebook without the transfer being considered a sale of information under the CCPA.
Conduct data protection impact assessments
The GDPR first introduced the concept of a data protection impact assessment (DPIA), requiring companies to assess risk associated with new projects that are likely to involve a “high risk” to individuals’ personal information. Regardless of whether your company is subject to the GDPR, conducting a DPIA before beginning a new project can help your company better understand the privacy and security risks and take measures to decrease or eliminate risks prior to implementation.
Encrypt sensitive data
Most state data breach laws have a safe harbor under which a company is not required to notify customers or authorities of a data breach if the lost data was encrypted and the decryption key was not compromised during the breach. Because the safe harbor depends on the key staying secure, encryption keys should be stored and managed separately from the data they protect. Consider encrypting all databases holding sensitive personal information like credit card numbers, bank account numbers or Social Security numbers to take advantage of safe harbor provisions.
Implement a data retention plan
Data minimization is a fundamental privacy principle found in almost all data privacy and cybersecurity regulations. Creating and implementing a data retention plan is essential to lowering storage costs and minimizing security risks. Remember, you can’t lose data you don’t have. To retain certain data for analytics purposes after the retention period has expired, consider anonymizing the data so it is no longer subject to data privacy laws.