Disclaimer: This blog post is not legal advice for your company to use in complying with data privacy laws like GDPR. Instead, it provides background information to help you better understand data privacy best practices. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
GDPR instilled a catalyst of real change in 2018 — resulting in a permanent change of the data privacy landscape.
It forced companies to really take stock of their data and privacy responsibilities — and double down on the requirements to map out and account for their data practices and put processes in place to manage data and store it compliantly.
COVID-19 has also unleashed a new set of risks in relation to data privacy that companies are currently confronting.
Both significant events force a strong message to be delivered to companies that privacy and data protection should be of paramount corporate responsibility. The changes have impacted conversations around the world with different territories adopting GDPR as their standard in order to outline an internal compliance program.
Data privacy or, in particular, the application of tenets of privacy to data, is often seen as a massive hurdle to cross for an organization. Companies should embed processes as part of their culture and be willing to pivot in order to adapt to regulatory changes and technological advances.
Systemized processes using tools that are designed to instill compliance can set you up for success as well as continuing to educate internally can help with internal adoption and ensure that privacy is everyone's responsibility.
At HubSpot, we ensure that data privacy is top of mind and built into our practices and products. Upholding respect to the privacy of individuals who use our products is paramount to our corporate responsibility and internal business model. We are continuously identifying ways in which to improve processes to instill trust in our users and creating tools for our users to be compliant in their organizations.
Below are a few examples of how good privacy can be achieved in an organization.
Data Privacy Best Practices
Privacy Program Management
Setting yourself up for success in the privacy arena requires the establishment of a strong internal team, a united front that will continue to make data privacy and GDPR compliance a priority. Close collaboration on a strategic privacy program that outlines your privacy responsibilities is key to see your business scale compliantly.
Granularity and types of notices that are needed along with the scope of rights that you must provide to visitors under applicable laws depend on the territories where your visitors reside and it is up to you to demystify these and instill good practices in response.
The scope of domestic and foreign privacy legislation that one company may be obliged to comply with may look different than the scope applicable to another, as there is no "one size fits all" approach to data privacy.
Having a team in place to tackle what these mean to your organization and address compliance obligations can help you communicate your commitment to privacy in this area for your users.
Adopt the Use of Compliance Tools and Practices as Part of your Company Culture
Data privacy is not one person's responsibility.
By embedding it into your company's culture, it can make all employees feel invested in keeping company data safe and mitigate risk.
Creating ongoing training and communicating important regulatory changes to keep employees up to date is essential to see your privacy program a success. Charging your privacy team with ongoing monitoring of how changes can affect processes and implementing required changes ensures you are kept up to date with evolving legislation and ahead of any changes in responsibilities.
Did you know that ransomware attacks are often a result of a single compromised password? Doubling down on passwords is the most basic way to operate a good privacy program within your organization.
Identifying risks in this area is key and plugging the gaps that appear can be a constant battle.
For example, having inactive accounts present in your network from a former employee can be a fault that bad actors can take advantage of. It’s a good idea for your org to invest in pass-key software to help implement multi-factor authentication and add additional security to the systems you use to reduce risk in this area.
Using tools that are built with compliance in mind can automate much of these processes needed to affect your program management. These tools can monitor your data collection processes and allow you to implement changes in response.
Integration of third-party systems into this monitoring allows you to extend your privacy controls out into a vendor ecosystem. Automating your processes in relation to subject access requests allows you to be effective within the legal timeframe and generate responses to an individual and carry out your responsibilities when you have a 360 view of the data subject's data points.
Not only that, but you will be ready to meet any request from a regulator should they need information from you consolidated in one source, allowing you to comply effectively within the timeframe.
Privacy Does Not Stand Still — Keep Pace with Evolving Legislation and Technology
In the European Union, many consumers are actively making use of their data protection rights granted to them under the GDPR and the ePrivacy Regulation.
In the US and beyond, consumers now have higher expectations about online privacy and are starting to adopt GDPR standards. More and more consumers are now openly concerned about how their personal data is being handled by companies. The newly passed CPRA (amending the CCPA), Privacy Acts being launched in Washington and Virginia as well as similar legislation being rolled out globally in countries like Brazil, India, and China are testament to how territories are making moves to uphold data privacy at a local level.
Some of the latest significant legal developments that companies need to know about are:
- Standard Contractual Clauses (SCCs) — The European Commission adopted revised Standard Contractual Clauses for International Transfers on June 4, 2021. The revised version replaces those that pre-date the GDPR and are intended to be used for cross-border data transfers outside of Europe, including the US. Although these have an effective date in three months, businesses that are governed by existing SCCs have 18 months to enter into new SCCs or find another lawful means to transfer data.
- Colorado Privacy Act — This Act passed the state’s legislature on June 8, 2021. It will be the third US state - after California and Virginia - with a law that provides its residents with protections when it comes to their personal information.
- China’s Data Security Law ("DSL") — This law takes effect on September 1, 2021. Many of the practical compliance steps are still to be published over the coming weeks and months but organizations can seek to rely on the draft measures until they do.
Keeping abreast of what these legal developments mean to you and what you need to do with regard to your data in response, is your responsibility. You may need to make adjustments internally to comply and work with your teams to ensure that any privacy issues are addressed.
A thorough examination of what is incumbent on you, with adjustments to processes internally or systematically, has to be done to meet changes at both local and global levels. Making sure your processes are flexible for both and having the capacity to scale with your business with such developments is equally important.
As our operations become perpetually digitized, building a privacy-by-design company should be a key priority. Implementing a comprehensive and coordinated approach to data privacy can be challenging and time-consuming but setting it out as a strategic priority across all business activities driven by leadership, is a must for future-thinking organizations.
Organizations should understand and prepare for the reputational risks that extend beyond non-compliance with the myriad of data privacy laws and regulations. Being on the pulse of regulatory change in global privacy laws, keeping up to date with enforcement decisions, and making continuous improvements to privacy programs can help create a privacy-first culture that will set you up for success in the future.
You should be asking yourself some of these thoughtful questions to see if your privacy methods are currently up to standard. Unfortunately, the consequences of failure to improve on matters are not kind, but effectiveness in this area will reward you in the long-term improving your brand image as a trusted, privacy-first organization.