The Treadmill of Privacy in a Technological World
While privacy laws differ in their exact requirements, they all present similar challenges to companies under their jurisdiction. Businesses have to consider several significant challenges in their privacy strategy, including:
Continually Evolving Data Privacy Requirements by Jurisdiction
When the GDPR (General Data Protection Regulation)—the father of modern privacy laws—was passed in the EU in 2018, things got interesting. This was a comprehensive, far-reaching privacy law with legal teeth. The world began to pay more attention to privacy regulations at this point. As European officials began issuing significant fines for violating the GDPR, the world sat up and took notice. Privacy was serious business.
The GDPR inspired many similar laws throughout the world, most famously the CCPA (California Consumers Protection Act). Virginia, Maine, Nevada, and other states have since followed California’s example. Many privacy experts also expect the US government to pass a national privacy law, although it remains a hotly debated topic.
Businesses with customers abroad have to adhere not only to laws similar to GDPR, but also to the many less well-known regulations appearing around the world. Your marketing efforts may be subject to more requirements than you realize. And unfortunately, while simply updating your written privacy policy is a step in the right direction, it’s nowhere near enough. The GDPR alone places several broad requirements on businesses that require changes to software applications and processes:
- Lawfulness, fairness, and transparency
- Restrictions on purposes of processing
- Minimal data collection
- Strict data accuracy
- Limited time allowed to store data
- Integrity and confidentiality
Between these and the additional requirements placed on you by other applicable laws, you can quickly find yourself overwhelmed.
Capturing Consent Inputs with Sufficient Detail
Companies acquire information as part of everyday marketing activities. Sources of information include event registrations, service requests, web forms to access content, and third-party applications and sources. But the data collected from users on its own doesn’t provide the level of detail most companies need for privacy compliance.
Capturing inputs with sufficient detail means collecting information specifically for data privacy, including when, where, and how personal data is collected, processed, and stored. This information includes the purpose, time, source, activity, business unit, and system involved in the data processing activity. This allows businesses to ensure they document why personal data was collected so it can be handled transparently and ethically.
However, capturing and managing consent input details can be a challenge for businesses that operate across multiple systems and platforms. Standardized processes and systems can help keep data collection consistent across the organization. Additionally, appropriate technology and infrastructure help to keep the data stored securely.
This is an excerpt from our white paper “Combining the Law & Technology for Data Privacy”.