Perspectives

The implications of data privacy regulation and risk


In 2020, privacy finally became more of a hot-button issue. GDPR – or the European Union’s General Data Protection Regulation – was passed and the deadline for implementation was in 2018. As with Y2K – remember that – there was a lot of last-minute scrambling to ensure compliance. Integrated Media Strategies assisted its clients with reaching compliance. While the common conception is that GDPR and privacy regulation are only about digital materials, the law deals with data generally and how it is handled.

This extends to practices within organisations all the way to how paper records are stored and managed. In the US, despite California’s Consumer Privacy Act (CCPA), data and other online privacy regulation is substantially looser than the standards imposed by GDPR. Expect this to change.

The nature of an organisation and the technologies and platforms it uses will determine its exposure to risk regarding the data it holds and continues to obtain, online and offline. There are a few key areas that need to be thought about:

  • How the private data was obtained – did you obtain permission to retain it?
  • How is it organised? Is it done in a manner that makes it simple to separate out information about a single individual, should they ask to be ‘forgotten’?
  • How much exposure to the organisation is there in the event the organisation is hacked?
  • How many systems have access to the data and what is the access control to that data on each system?
  • What kinds of security practices?

Some of the work we have done has been on drafting of privacy policies, providing standard operating practices, helping identify areas of risk, and providing guidance on options regarding solutions.

With the impact of COVID-19 on the workplace, and the move to remote work, we have provided guidance on some of the apps that workers, clients and others are using to connect. One example is the coming change in privacy terms by WhatsApp, in which massive amounts of personal data will be routinely mined by Facebook during use of the app on an individual’s phone. This presents risks to organisations that state they will not share private data, only to find that contacts on employee phones that overlap with work are being shared with Facebook, which then monetizes that data.

Due to public pressure, it is expected that legislation will be enacted that will impact data privacy in the US. As GDPR has demonstrated, it is usually more difficult to work backwards towards data privacy than to build it into day-to-day practices. Should your organisation need advice or assistance with working through the issues around data compliance, or if you are considering adding operations in the EU, contact us.
