Data Privacy – Q&A from Wipfli
This is a guest blog post from our friends at Wipfli
Data Privacy matters regardless of industry, whether healthcare, financial services, or manufacturing. The rapid growth of data collection and storage over the past few decades has made data concerns more prevalent for both the users and the owners of that data. This leads to two questions: what is Data Privacy, and do I need to be concerned about it?
What is it?
At its core, Data Privacy is the consideration of how a company uses Personally Identifiable Information (“PII”): the organization’s responsibilities for that data, how it was obtained, whom it was collected about and what it describes, how it is stored and secured, and how it is disposed of. Taking this holistic view of an organization’s data ecosystem requires a robust approach if a data privacy program is to be designed and implemented effectively. But why do we need to worry about Data Privacy anyway?
Why does it matter?
Data Privacy requirements are driven by regulation, so first and foremost a company must comply in order to avoid fines and penalties for noncompliance. These penalties vary but are consistently steep. Under the California Consumer Privacy Act (“CCPA”), civil penalties are up to $2,500 per violation, and up to $7,500 per violation if the violation is intentional. Keep in mind that this is per violation, so a company could be liable for $250,000 if 100 users’ data was affected by the same unintentional violation, and $750,000 if the violation was intentional. The fines for violating the General Data Protection Regulation (“GDPR”) are steeper: the lower tier is up to €10 million or 2% of a company’s worldwide annual revenue for the prior financial year, whichever is higher, and the upper tier doubles both figures to €20 million or 4%. In 2019, Google was fined €50 million by the French regulator, the largest GDPR fine at the time of writing.
Background on Regulatory Requirements
The conversation on Data Privacy was catapulted when the GDPR was adopted in the European Union (“EU”) in 2016 and became enforceable in May 2018. The law requires companies that process the personal data of individuals in EU member states, whether or not the company is itself based in the EU, to abide by a set of data protection standards aimed at protecting individuals’ data and harmonizing data regulation across the EU. Its passage prompted states in the US to begin considering similar regulations. While there is no unified federal Data Privacy law in the US yet, there is a patchwork of state laws that may impact your organization. This includes the well-known CCPA, which is already in effect, and the proposed New York Privacy Act, both of which borrow heavily from the framework laid out by the GDPR. Other states, such as Virginia, Nevada, and Vermont, are moving to pass their own versions of these laws in 2021.
With the increasing number of states moving to pass these types of laws, and the clear risks of not abiding by them, now is the time to begin understanding whether these laws apply to your business and how they will impact it.
What Can We Do Now?
Organizations can take several steps today to prepare themselves for upcoming compliance with Data Privacy:
- Perform a data inventory to determine what types of data are collected and used and how they are stored. Determine whether there are legal requirements around this data, such as retention periods and storage requirements.
- Create a data flow diagram to understand how data moves between systems and where it resides within the organization. Use this exercise to confirm there are adequate data security controls, such as access control and encryption, at each stage.
- Review and test incident response procedures. Key capabilities for data privacy include detecting the misuse or exposure of data, containing the incident, and notifying the appropriate parties (regulators and affected individuals) within the deadlines the applicable law sets.
Need help understanding data privacy’s impact on your organization?
If you have questions or need assistance understanding the impacts of data privacy on your organization, contact Wipfli by clicking here.
Also, in honor of October as Cybersecurity Awareness Month, click here to access Wipfli’s “30 tips in 30 days” articles, all aimed at helping you stay safe online. You may click here if you would like to sign up for additional e-communications from Wipfli.