When it comes to managing cybersecurity risk, approximately 35 percent of organizations say they only take an active interest if something bad happens. But in order for businesses to maintain compliance with major privacy laws, they have to have security measures in place before an attack. The regulations from GDPR, PIPL, and CCPA are especially relevant to MSPs and software vendors because they get access to data from so many organizations, but all businesses need to comply with them.
Compliance Overview
- PIPL Compliance
- CCPA Compliance
- GDPR Compliance
- How to Stay Up to Date with Changing Compliance Regulations
PIPL Compliance
China's new data privacy law just went into effect in November 2021. Here's what you need to know.
What is PIPL?
China's Personal Information Protection Law (PIPL) is legislation that aims to outline and protect appropriate uses of personal data. PIPL provides a protection framework for the data of Chinese citizens. It defines sensitive personal information as "personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals' whereabouts, as well as personal information of minors under the age of 14" (Article 28).
Who Does PIPL Affect?
PIPL affects businesses that are located in China, do business in China, or store the personally identifiable information (PII) of Chinese citizens. If the organization is planning to transfer data across borders, it must let the affected individual know, ensure that the receiving entity can provide the required privacy protection, and perform an impact assessment on the possible consequences of the transfer.
PIPL Compliance Checklist
If your business is affected by China's PIPL, here is what you need to stay compliant:
- A dedicated representative in China. If your organization isn't located in China but holds data on Chinese citizens, you must establish either an office or a designated representative in China and register that information with the appropriate government officials.
- A lawful basis for the information you gather and use. PIPL includes several lawful reasons (necessary for a contract, legally necessary, related to an emergency, related to public interest, or previously disclosed data) for which businesses can gather and use data without the consent of the individual. If none of those apply to you, then you need to get consent from each person you're keeping data on.
- An incident response plan. Data breaches are an unfortunate reality of doing business in today's technology-based world. You need to have an incident response plan in place to quickly identify and resolve the breach and then notify the affected parties.
- Detailed privacy notices. Before storing or processing PII, you must offer individuals detailed privacy disclosures that explain why you need the data and what you will use it for. They should also include how you plan to process the data and the contact information for the data controller in case the individual has questions or concerns.
- The chance for each individual to remove their consent. If you're currently storing data on individuals who haven't given their consent and it doesn't fall into one of the appropriate use categories, you need to give those people the option of withdrawing their consent. Additionally, individuals who have given their consent should be able to reverse that decision at any time.
CCPA Compliance
California's data privacy act has been in effect since the start of 2020.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a law that offers individuals more control over their PII and how businesses can use it. It gives consumers the right to know what information businesses are storing on them and how those businesses are using and sharing the data, to delete their PII from a company's database, and to bar a business from selling their personal data. CCPA defines personal information similarly to PIPL and includes name, social security number, biometric information, and internet browsing history.
Who Does CCPA Affect?
CCPA affects any for-profit organization that conducts business or serves consumers in California and meets one or more of the following criteria:
- Has a gross annual revenue of more than $25 million
- Handles at least 50,000 records of California residents, households, or devices
- Receives 50 percent or more of its annual revenue from selling the personal information of California residents.
However, the rights outlined in the CCPA only apply to residents of California, even if they're not in California at the time of the request. Nick Halsey, CEO of Okera, explains, "This combination of various state-based regulations and variables can imply a more refined data access policy, placing a new layer of requirements on governance systems. The policy, no longer static, must react to certain variables in real-time. In 2022, we will see increasing pressure on enterprises and vendors to put the tools in place that enable real-time, state-based policy enforcement."
CCPA Compliance Checklist
If your business meets any of the above criteria, these are the things you need to remain compliant:
- Full visibility into the data your organization has and collects: Businesses collect a ton of data in both structured and unstructured formats, and while they can easily search their structured data to find out what they have, unstructured data isn't that easy to parse. Organizations need to understand all of the data they store and collect as well as where they're storing it.
- Categories for all of your organization's data: Not every piece of information will be relevant to CCPA and require the same level of security. Categorizing your data ensures that you're keeping necessary information for the appropriate length of time and providing the required security.
- Remediation plans for different scenarios: Obviously, you don't need to launch a full incident response if someone asks you to delete their data, but you do need to have a standardized remediation plan in place. You'll need to create plans for each of your data categories to abide by relevant compliance requirements.
- Clear policies on data governance: Tell your consumers why you need their sensitive information, what you plan to do with it, and how you'll store it. You also need to train your employees extensively on these policies, so they know what they can and can't do with the data you collect.
- Easily accessible Subject Rights Requests: The CCPA allows California residents to request information about how their data is being used, and your company has to make these requests simple for consumers. The law also dictates that organizations have to acknowledge each request within 10 days of receipt and fulfill it within 45 days, so you need an efficient system in place to receive and act on these forms.
GDPR Compliance
Europe's privacy protection law went into effect in 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) is legislation that protects the data of citizens in the European Union (EU). It's likely the strictest data privacy law in effect today, and, for the most part, if you're compliant with GDPR, you're likely compliant with other data protection acts. The GDPR website defines personal information as "any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it's relatively easy to ID someone from it."
Who Does GDPR Affect?
GDPR affects all organizations that conduct business in the EU, serve citizens of the EU, or track and record data of people in the EU. However, organizations with fewer than 250 employees are exempt from some of the rules of GDPR. The regulation states that the record-keeping obligations outlined in the first two paragraphs of Article 30 "shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10" (Article 30.5).
GDPR Compliance Checklist
Here's what you need to comply with GDPR if you have more than 250 employees or meet the criteria listed above:
- Clear categories for the data you store: You need to separate the data you collect into categories and outline specific reasons for collecting each type. The records of these categories should include the name and contact details of each processor and data controller and information on data transfers.
- A detailed list of what you use data for: This list should include records like the name and contact details of the data controller and data protection officer, the reason for processing the data, a description of how you categorize your data, who has access to the data both internally and externally, and a description of the security measures you have in place to protect the data. This list should be in writing (or electronic form) and available if requested by a compliance officer.
- A legal justification for processing the data: Article 6 of GDPR outlines the lawful justifications for processing data, including but not limited to consent from the individual the data belongs to, processing on a contractual basis, and matters of public interest. If consent is your justification, you'll need to make it easy for your data subjects to revoke their consent at any time.
- A comprehensive privacy policy: You need to tell your consumers that you're collecting their data, what you're using it for, who can access it, and how you're protecting it. Users should have access to this privacy policy every time you collect their data, and it should be easy to read and understand.
- Internal security policies and remediation plans: Under GDPR, you must be cognizant of data security any time you handle someone else's data. PII should be encrypted or anonymized whenever possible, and you need to train your employees extensively on data security, especially if they have access to personal data. Perform impact assessments when making changes that affect your data, and have a plan in place for notifying relevant authorities or individuals when you have a breach.
- A designated GDPR compliance officer: This should be an internal employee well-versed in the requirements of GDPR, and they should be encouraged and able to evaluate data processing policies and make changes where necessary. Depending on your business category, you may also need a data protection officer. And if your business is located outside of the EU, you will also need to appoint a representative located in the EU.
- Signed data processing agreements with third parties: If you work with other organizations that are going to get access to your stored personal data, you'll need to sign an agreement that outlines each party's responsibilities regarding GDPR compliance.
- Easy access for your customers to their data: If you're collecting personal information, you must make it easy for consumers to find out what information you're storing on them, update inaccurate or outdated information, request that their PII be deleted, request that you stop processing their data, request a copy of their personal data, or object to you processing their data. Also, if you use automated processes to make decisions about people, your customers should be able to request human oversight or challenge the decision.
How to Stay Up to Date with Changing Compliance Regulations
New data privacy compliance regulations come out from time to time, especially as the way companies process data changes, so compliance can be difficult for many organizations. However, because GDPR is so strict, most companies can get away with following those procedures and be covered under many other regulations, including CCPA and PIPL. It's important to have a compliance officer within your organization who can help you stay up to date with changing regulations and adjust policies as needed.