
The landscape of data privacy law has changed significantly over the last five years. With the General Data Protection Regulation (GDPR) going into effect in the EU on May 25, 2018, data privacy compliance obligations forever changed for companies around the globe. For the first time, companies had to recognize new rights for consumers regarding their personal and sensitive data or face serious penalties.

The latest legislation to affect data privacy obligations, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. Yet again, bankers, insurers and other business representatives are rushing to review and adapt their compliance measures. And with no fewer than 16 additional privacy laws currently under consideration in states across the nation, companies need to be positioning themselves for ongoing compliance as the new way of doing business.

Rather than trying to institute changes to comply with every new privacy law as it emerges, a better approach is to view data privacy as an overall framework and adopt a holistic response to compliance with the built-in flexibility to constantly adapt to an ever-changing regulatory landscape. By doing so, insurance companies and agents may be able to avoid data privacy errors, or at least reduce claims in the event of CCPA-related litigation.

Data privacy laws affirm consumers' control of personal data

While the specific requirements of the various privacy laws may differ slightly, the existing laws, and those to come, share the same underlying drive for increased protection of data and consumer rights. Lawmakers are now giving consumers greater control over their information, particularly as some of the world's largest corporations have experienced massive data breaches or been accused of improper use of data.

The passing of the GDPR and CCPA has handed consumers new powers of ongoing ownership of data and increasing awareness of its value. Those responsible for building and maintaining data management systems that are compliant with data privacy laws should approach decisions with the aim of thorough and broad support for consumers as data owners.

Right to Know


Under both the GDPR and the CCPA, individuals have the right to know exactly what data companies have collected about them, as well as why it's collected and anyone with whom it will be shared or sold. As a result, companies need to have clearly stated privacy policies that explicitly outline what data is being collected and for what purpose.

Right to Opt-Out


The GDPR offers consumers the right to restrict the processing of personal data, and the CCPA offers a specific opt-out on the sale of personal data.

Data Portability


The GDPR specifically requires that organizations be able to provide a consumer with their personal data upon request, or to transmit it to a second data controller.

The CCPA does not enumerate an explicit right to data portability, but on request, a consumer has the right to receive personal information delivered by mail or electronically. If delivered electronically, information must be portable and in a readily usable format.

Right to be Forgotten/Right to Deletion


Both the GDPR and CCPA, as well as many new data protection regulations on the horizon, require organizations to delete personal information upon consumer request or when that data is no longer needed to conduct business.

Know your data

Once you're confident in your data collection and storage processes, it's crucial to get to know your data — what you have, where it is and how it's stored. Compliance with GDPR or CCPA obligations is nearly impossible if you can't efficiently access the entirety of your data exactly as needed.

Trying to organize data across disparate systems and platforms is a losing battle for most companies. Instead, you need to store and be able to access your data according to its owner, origin, location, governing regulation or other relevant criteria. The best way to achieve that goal is by creating data maps and maintaining them as your universe of data grows and changes.

Data mapping is the most effective way to standardize your data across all your global sources so you always know exactly what you have and where it is if you need to get to it in order to comply with privacy regulations. Data mapping will also tell you who is using your data, how and why, as well as if or when a particular piece of data was moved or destroyed. AI-powered solutions can capture the necessary information to create a comprehensive data map in far less time and with far greater accuracy than manual processes allow. Data maps put you in an optimal position to comply with GDPR and CCPA provisions that require you to always be able to demonstrate that you know your data and have a process for properly handling it throughout its life cycle.

Know your data processes

The more data you have, the more challenging it becomes to maintain a clear, updated picture of who owns, controls, manages or can access any given piece of that data.

To be in full compliance with applicable privacy laws, companies need an effective way of handling new data in order to identify the date of consumer consent for collection, the method of consent and records of any requests for access to that data, restrictions on it or deletion of it. The insurance industry has a particularly complex challenge in the way we process, store and manage personal data. The risk arises when information is shared between claimants or their advisors, brokers, insurers and other parties, such as medical professionals.

A good solution is to develop a system that will analyze all your data so you know what is there, where it is, why and how it was collected, how it has been or will be used, how long you intend to keep it and to whom it's sold or shared.

Today's AI-powered solutions exist to help companies organize their data by source and transform it into a usable form that provides all the consent and access information the laws require. Systems that incorporate machine learning and other technologies have the ability to sort through massive volumes of personal data to efficiently identify and organize it in a way that manual processes could never match, showing clear proof that companies are meeting their data protection obligations.

Control access to personal data

Given that the data protection laws are aimed at ensuring data subjects' privacy, it should come as no surprise that all the major data privacy regulations have strict requirements regarding who should be accessing the data and for what purpose. The GDPR and other regulations require companies to maintain clear records of their data processing activities, and that includes who had access to personal data, who was involved in the processing of that data and what the intent of the processing was.

The best way to meet your compliance obligations is to always know who has the ability to access your data and restrict that access to only those employees responsible for data processing and upkeep. Furthermore, that restricted list of employees should be fully trained – and regularly retrained – on your company's compliance obligations under the various data privacy laws.

Establish data maintenance procedures

Once you understand the far-reaching obligations of the GDPR, CCPA and other privacy regulations, it's important to implement data maintenance procedures that are broad enough to comply with all of them, not just each new one as it goes into effect.

First, you need clearly defined roles for data handling and management, with support from the highest levels of the organization. Under the GDPR, with a few exceptions, companies must appoint a data protection officer to perform certain key data maintenance tasks, report to management and be accessible when data subjects have questions or requests regarding their personal information. Companies should also establish larger, cross-functional teams that are responsible for establishing organizational policies for data protection, which should include new employee training, ongoing retraining and quarterly audits to ensure that policies are being followed.

In addition to auditing your internal processes, you should regularly audit your third-party partners and vendors that might have access to your data and ensure that their procedures are also in compliance. Third parties are a potential point of exposure, and their access to your data – even essential access – can create serious security implications. Knowing where your data is at all times includes keeping tabs on which third parties have access to it and what they're doing with it.

Finally, you should continually review and revise the notices on your website that tell data subjects how, when and why their data is being collected, their rights to opt out or have their data deleted and how long you plan to keep the data. Given the serious regulatory implications of handling personal data, you should never hold on to more data than you need or keep data longer than is essential. Store only the data that's necessary to do business – the last thing you want is to be found noncompliant for data you don't even need.

Take a holistic approach to secure personal information

The requirements of the various privacy laws are extensive, and while they overlap in large part, each law has its own nuances that can be difficult to track. For this reason, the most effective plan is to incorporate a holistic approach that adopts extensive security measures as the established way of doing business – what the GDPR refers to as data protection by design and by default.

Incorporating top-notch data security measures is the best way to protect your organization's business data while at the same time safeguarding consumer data as required by law. Data should always be encrypted, stored consistently and archived or deleted according to your established procedures. Your company should constantly monitor for malware and other cybersecurity threats, and all apps, software and systems should be regularly updated to eliminate unnecessary security risks. Private or third-party cloud hosting is one effective way to ensure encryption and the ability to monitor data handling at all times.

Employee training and communication ensure compliance

Employees are your first line of defense in the personal data protection effort. In most companies, employees in sales, marketing, customer support, accounting and other departments have contact with consumers and their data.

Though neither the GDPR nor CCPA specifically calls out employee training requirements, the development of a knowledgeable, privacy-aware workforce is imperative. An effective training program can include data privacy law education, internal data protection policies and processes, cybersecurity awareness and incident response planning. With this approach, the organization will be better prepared for holistic compliance with the data protection regulations of the GDPR, CCPA and any future state and global data privacy regulations.

Tomas Suros ([email protected]) is a technology advocate working at the intersection of IT and client consulting. With AbacusNext since 2004, he currently serves as chief solutions architect, guiding firms through the process of identifying forward-facing technology options and ensuring the successful implementation of a tailored solution.
