The Changing Privacy and Regulatory Landscape

Richard Mendoza, Senior Director, Data Privacy & Regulatory Compliance at Realogy


The General Data Protection Regulation (GDPR), which took effect across the EU in 2018, changed the face of data privacy not only in Europe but around the world. It sparked a paradigm shift in how organizations everywhere process, transmit, and store personal information. The social media explosion gave people a vehicle to share and post information about themselves and their lives. This was great for the platforms, which gained endless free content, but it laid the groundwork for a great reckoning, starting with the GDPR and, domestically, with the enactment of the California Consumer Privacy Act (CCPA).

The data privacy principles engrained in several regulatory measures governing users' personal information give data subjects rights and recourse when information is used for purposes other than those for which it was collected, stored longer than needed, or sold to marketers. The client/consumer "bill of rights" concept has put the data subject back in control of their personal information. Organizations have been hoarding consumer data for decades and are now being forced to shift their policies, procedures, and culture, and the shockwaves are massive. Most organizations are not positioned to handle the requests and tasks these laws generate, and with many states adopting GDPR/CCPA-style principles, the effort is straining budgets and shining a light on the immaturity in this space.

Another major change is the move away from Personally Identifiable Information (PII) as the only category that must be protected toward the broader notion of Personal Information (PI).

The importance of this shift in thinking cannot be overstated, and its tentacles touch every aspect of the private and public sectors. The mind shift to the realization that every data point about the "natural" person needs to be protected to the highest level is earth-shattering. We have been told for years that if the data was not your Social Security number, driver's license number, or credit card number, you had nothing to worry about. This is no longer true: an email address, if released, could cause harm to a person, and it must be protected.

Finally, what is the recourse of states if you decide to disregard these regulatory controls? The punitive damages can be severe, but the potential private right of action could put your organization on a never-ending hamster wheel of litigation. The ultimate costs of fines, legal discovery, and remediation could push into the millions. If you think that sounds bad, it gets worse: many states are treating these new laws as potential revenue generators, and with the financial impact of Covid-19 being felt in every sector, states are looking for ways to fill budget gaps. What better way than under the guise of protecting people's data?


How do we safeguard ourselves and place our organization in a defensible position when the regulators come knocking? I have a few suggestions that can assist you on this journey. Remember, there is no perfect approach to this problem, but these steps will position you and your organization to respond to an inquiry:

Encrypt data in transit and at rest.

Mask or pseudonymize PI before it enters development and test environments that lack production-grade controls; developers rarely need real values, only realistic ones.

Have a process and infrastructure to respond to data subject access requests (DSARs) within the statutory deadlines.

Delete data after its usefulness has ended, and do it automatically through enforced retention schedules rather than manual clean-up.

Have evidence of your controls: logs, configuration, and test results you can hand to a regulator. Trust but verify!
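The masking and automatic-deletion steps above are the two that can be put straight into code, so here is an added example (mine, not the author's or any vendor's code) that pseudonymizes the PI fields of customer records before they are copied to a development region, and purges records past a retention window. The record layout, the field list in PI_FIELDS, the sample records and DEMO_KEY are all constructed for illustration; in practice the key stays in production and is never shipped with the dev copy.

```python
"""Pseudonymize PI for a non-production copy and purge expired records.

Added example, not from the article. Assumes records are flat dicts with
ISO 8601 timestamps and that the HMAC key is held only in production.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields treated as PI under the broad definition the article describes.
# Constructed list; a real deployment would derive it from a data inventory.
PI_FIELDS = ("name", "email", "phone", "street")

# Constructed sample data: two rows for the same person, one for another.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com",
     "phone": "+1-202-555-0143", "street": "1 Analytical Way",
     "last_activity": "2021-01-15T10:00:00+00:00"},
    {"id": 2, "name": "Ada Lovelace", "email": "ada@example.com",
     "phone": None, "street": None,
     "last_activity": "2018-06-01T00:00:00+00:00"},
    {"id": 3, "name": "Bob Smith", "email": "bob@other.example",
     "phone": "+1-202-555-0199", "street": "2 Main St",
     "last_activity": "2020-12-31T23:59:59+00:00"},
]
DEMO_KEY = b"demo-key-held-only-in-production"  # constructed; use a managed secret


def _token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token for one field value.

    Same (field, value) -> same token, so joins between tables still line
    up in dev. Without the key an attacker cannot rebuild the token table
    by hashing guessed values. Note this is pseudonymization, not
    anonymization: the key holder can re-identify a value by re-hashing
    a candidate, so the output is still personal data under the GDPR.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with every PI field replaced by a token.

    Email and phone keep a syntactically valid shape so validation code in
    the application keeps working; the email domain is replaced too, since
    a small company domain can identify a person on its own. Null fields
    stay null so schema constraints are unchanged.
    """
    out = dict(record)
    for field in PI_FIELDS:
        if out.get(field) is None:
            continue
        tok = _token(key, field, str(out[field]))
        if field == "email":
            out[field] = f"user_{tok}@example.invalid"
        elif field == "phone":
            # 555 is a fictional exchange; 7 digits derived from the token.
            out[field] = f"+1555{int(tok, 16) % 10_000_000:07d}"
        else:
            out[field] = f"{field}_{tok}"
    return out


def purge_expired(records, now_iso: str, retention_days: int):
    """Automatic deletion: keep only records active within the window.

    Returns (kept, deleted_ids) so the job can log which ids were removed,
    which is the evidence a regulator will ask for. Naive timestamps are
    assumed UTC.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    kept, deleted_ids = [], []
    for rec in records:
        last = datetime.fromisoformat(rec["last_activity"])
        if last.tzinfo is None:
            last = last.replace(tzinfo=timezone.utc)
        (kept if last >= cutoff else deleted_ids).append(
            rec if last >= cutoff else rec["id"])
    return kept, deleted_ids


if __name__ == "__main__":
    kept, gone = purge_expired(SAMPLE_RECORDS, "2021-03-01T00:00:00+00:00", 365)
    print("deleted ids:", gone)
    for rec in kept:
        print(pseudonymize_record(rec, DEMO_KEY))
```

Run the purge first and pseudonymize only what survives, so expired data never reaches the dev copy at all. Keep the deleted-id list in an append-only log: it is the cheapest evidence that the retention control actually runs.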

Doing these things, along with other proven data security techniques, should give your organization a defensible approach in the event of a regulatory matter.
