
privacy compliance

Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation. Privacy compliance has become a prevalent business concern due to an increasing number of high-profile regulations, including the European Union's (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), designed to protect personally identifiable information (PII) from unauthorized access.

Past and current privacy laws

The EU Data Protection Directive, also known as Directive 95/46/EC, was adopted in 1995. It was designed to protect the privacy and security of all personal data collected for or about EU citizens, especially as it relates to processing, using or exchanging such data. These data protection rules applied not only when the responsible parties were established or operating within the EU, but also when the controller used equipment located inside the EU to process personal data.

Privacy compliance reentered the spotlight in 2013 when former National Security Agency (NSA) contractor Edward Snowden leaked details surrounding a previously undisclosed surveillance program called Prism. Details of the Prism program's scope drew controversy due to the program's violation of rules such as the safe harbor policy agreement established by the United States and the EU in 2000 to regulate the ways in which U.S. companies export and handle the personal data of European citizens. Privacy compliance also gained widespread attention after hacks of customer information at large retailers, including Target Corp. in 2013 and Home Depot in 2014.

GDPR updated and unified data privacy laws across the EU, replacing the Data Protection Directive. It was approved by the EU Parliament on April 14, 2016, and went into effect on May 25, 2018.

GDPR focuses on expanding the data privacy rights of consumers and includes mandates to make businesses more transparent with customers about how they use their personal data. Under GDPR, covered companies are required to notify all affected parties and supervisory authorities within 72 hours of a data breach.

The CCPA was signed into law by Jerry Brown, the then-governor of California, on June 28, 2018, and went into effect on Jan. 1, 2020. The CCPA gives California residents the right to know what data is being collected about them and whether that information is sold, as well as the right to refuse the sale of that data. The CCPA also stipulates that consumers have the right to access the personal information that covered companies have collected about them.

Other states and countries are moving forward with privacy compliance rules based on industry and types of data collected. In 2018, Vermont enacted a law requiring data brokers to disclose to individuals exactly what data is being collected, as well as enable them to opt out of this data collection. Australia, Argentina and Canada have also established comprehensive data privacy laws at the federal level.

Privacy compliance challenges

Many modern companies collect copious amounts of complex data as part of everyday operations and rely on analytics of this information to run the business. This type of data collection creates challenges for privacy compliance processes, starting with proper business data identification and classification to determine which regulations apply.

Large global companies face challenges such as determining which international laws apply to them and then developing data governance rules and deletion schedules accordingly. Companies must implement the appropriate infrastructure, management and workforce to keep data compliant throughout its lifecycle. This can be a drain on company resources as data governance processes are revamped, roles are redefined and legal consultations increase to accommodate compliance rules. Smaller companies face privacy compliance challenges as well, most notably the drain on information technology (IT) and legal resources that might be ill-equipped to handle complex regulatory compliance mandates.

Privacy compliance can be a business differentiator for modern companies. Those accused of violating data privacy rights risk significant hits to the company's reputation and customers' trust.

Maintaining privacy compliance

Organizations should develop information governance programs, data privacy policies and employee training programs to help achieve compliance with regulatory mandates. Detailed, documented information governance programs that include data privacy policies also help ensure proper response in the event of a breach, as well as provide necessary documentation during regulatory audits and investigations.

These information governance programs should include processes to inventory personal information and establish procedures to keep this data private, while also making it available should the customer request it. Companies should also keep detailed documentation of their accordance with any relevant compliance rules, which will be necessary if a legal or regulatory incident occurs.

As privacy compliance continues to be a top concern for corporate management, companies are turning to specialized software and consultancies to ensure personal information protection. Some companies choose to institute a chief privacy officer (CPO) position or expand the role of the chief compliance officer (CCO) to include the development and implementation of policies designed to protect employee and customer data from unauthorized access.

This was last updated in February 2020
