(Photo by Dawn Musil)
On May 21, experts from around the world on cybersecurity and privacy held a panel to discuss the effects of the General Data Privacy Regulation (GDPR) a year after it was enacted in Europe and what the coming regulations of the California Consumer Protection Act (CCPA) will look like.
While you may not be familiar with the law, it has changed how companies store and collect consumer data and has given users rights and access to their own data.
At the event, titled “European Privacy Invasion: GDPR One Year In, CCPA 6 Months Out”, four industry experts came to weigh in on the impacts so far and what we should expect going forward both as industry leaders and as consumers. They were addressing specific questions about these privacy laws and kicked off the conversation by stating the value of these privacy laws.
“GDPR announced itself to be a game changer, and it is,” says Raz Miutescu, a technology and information governance attorney. “Unfortunately for some, GDPR did not turn out to be a Y2K event; it turned out to be real.”
Held at The Hotel at Arundel Preserve in Hanover, this event brought together Miutescu alongside three other industry experts: Gabrielle Zanfir-Fortuna, the EU Policy Counsel for the Future of Privacy Forum; Joyce de Jong, an experienced privacy lawyer from the Netherlands and Director of GDPR Consultancy at Audittrail Group; and Keith Moulsdale, an intellectual property lawyer who also co-chairs the Cyber Security, Information Management & Privacy practice at Whiteford Taylor & Preston.
A majority of the audience was made up of industry leaders who are concerned about the impact on their work and what more laws like this will mean for companies around the world.
Here’s a look at the questions they brought to the panel, and the responses:
What are the consequences of these new regulations?
These new regulations can certainly be a jolt, but panic is not necessary. It comes down to responsibility and common sense, Joyce said. This new US law tends to be very specific, whereas EU law is broad and all-encompassing, which comes from the fact that privacy is a human right in Europe. At present, the authorities are providing a grace period.
How will U.S. Companies be impacted by this European law (GDPR)?
“There is some level of uncertainty in knowing whether they are no GDPR, indirect GDPR, and full GDPR,” Raz said. “From a business standpoint, for example, some of the questions you have to ask [include], ‘Are you looking to grow, expand to European markets, are you monitoring the behavior of users, do we need to profile or engage in behavioral analysis, is there a lower step that doesn’t fall into that category?’”
“The whole world is going in the direction [of compliance with these laws], so it’s critical to plan for what’s coming, not ignore that device bringing the regulation,” Raz said.
“It is a good idea to have a person responsible for privacy compliance, for example a DPO, or data privacy officer,” Gabrielle said. “In the EU, there are 500,000 DPOs that got a job as a result of GDPR. All public bodies in the EU need to appoint a DPO; private companies need to appoint a DPO if you engage in large-scale systematic monitoring or large-scale processing of sensitive data,” such as health, biometric, religion, sexual orientation and more.
What policies should other governments and agencies be writing? How many and which ones to focus on?
“There is no perfect number of policies, but these privacy statements are about transparency and being concise, short and clear, both externally and internally,” Joyce said. “Transparency is about making it clear to your average consumer. We see the example of Google, who was fined €50M for not being clear in their transparency policy. This is a case where small print is not going to help your organization.”
How do you help clients/companies move towards compliance?
“We usually start with data mapping,” Joyce said. “How granular an organization should get depends on many factors, which is why we are creating the data map: we have to answer these basic questions: Are we concerned about the numerous data breaches that occur? Who’s touching our data? Do we need all this data? What do we do in the event of an incident? The data map is the backbone and framework of GDPR compliance.”
How is the CCPA similar to the GDPR and should we expect to see more policies like this over time?
“CCPA borrowed some elements from GDPR and it becomes applicable in January 2020, with enforcement postponed for 6 months. It covers personal information, which is very well defined,” Gabrielle said. “It’s also similar to GDPR in that it sets rights to data, a copy of information, data portability, and erasure. The key differences are that the CCPA provides a threshold for company size so that small businesses have exemptions. It also does not apply to nonprofits, doesn’t require businesses to justify collection and use of data, and there are also virtually no limits on collection with the exception of children’s data. Consumers also have a right to opt out of data sales via a ‘Do not sell my data’ link.”
“To add on to that, unlike the GDPR, which applies to all of the EU, CCPA applies to residents of CA,” Raz said. “Assuming you are doing business in CA, the threshold question is: Are you doing business in CA? If so, are your gross revenues annually (globally) over 25M? Are you buying, selling or receiving information about Californians, 50,000 connected devices/persons? IoT also counts toward these devices, if 50% of your revenue comes from selling data in California.”
How is enforcement happening for the GDPR and how will CCPA be enforced? Do EU regulators have the capacity to enforce regulation and what are the chances a US company gets fined?
“A big part of GDPR enforcement is not fines, but that they can order erasures of data and stoppage of processes; for example, in Europe, Timo had to erase 3 years of their data. And another part of enforcement is individual cause of action,” Gabrielle said. “…American companies love data, it’s definitely tough dealing with that, but as these regulations come to the US, starting with the CCPA, Maryland’s cybertech, IoT and data-based companies will be helping lead the way for privacy regulations nationwide.”