Disclaimer of liability: This blog post is not intended to provide legal advice for your company on compliance with data protection laws such as the GDPR. Instead, it provides background information to help you better understand data protection best practices. Legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances. We therefore strongly recommend that you consult an attorney if you want advice on how to interpret this information or on its accuracy.
In short, you must not rely on it as legal advice or as a recommendation of a particular legal interpretation.
The GDPR was a catalyst for real change in 2018 and permanently altered the privacy landscape.
It forced companies to take a real inventory of their data and their data protection responsibilities: to map and account for their data practices, and to put in place processes for managing and storing data in a compliant manner.
COVID-19 has also sparked a number of new privacy risks that businesses are currently facing.
Both events compel companies to send a strong message that privacy and data protection are a core corporate responsibility. The changes have shaped conversations around the world, with various territories adopting the GDPR as the model for their own laws and as the standard for internal compliance programs.
Data protection, and in particular applying data protection principles to the data you hold, is often viewed as a massive hurdle for a company. Companies should instead embed privacy processes in their culture and be ready to adapt to regulatory changes and technological advances.
Systematic processes, backed by tools designed to support compliance, set you up for success. In-house training fosters internal acceptance and ensures that privacy is everyone's responsibility.
At HubSpot, we make privacy a top priority and build it into our practices and products. Respecting the privacy of those who use our products is central to our corporate responsibility and our business model. We are continually looking for ways to improve our processes to earn the trust of our users, and we build tools to help our users meet their own obligations within their organizations.
Below are some examples of how good privacy can be achieved in an organization.
Data protection best practices
Management of the data protection program
To be successful in the privacy space, you need to build a strong in-house team, a cohesive front that continues to prioritize privacy and GDPR compliance. Working closely on a strategic data protection program that outlines your data protection responsibilities is key to compliantly scaling your business.
The granularity and type of notices required, and the scope of the rights you must grant visitors under applicable law, vary depending on where your visitors are located. It is up to you to work out which rules apply and to adopt best practices in response.
The set of domestic and foreign data protection laws that one company must comply with may differ from that of another, as there is no uniform global approach to data protection.
A team that understands how these obligations affect your business, and meets them, helps you demonstrate your commitment to data protection to your users.
Adopt the use of compliance tools and practices as part of your company culture
Data protection is not one person's responsibility.
By embedding in the corporate culture, all employees can feel invested in the security of corporate data and risk minimization.
Ongoing training, and communicating key regulatory changes so that employees stay informed, are essential to the success of your privacy program. Have your privacy team continuously monitor the impact of legal changes on your processes and implement the required adjustments, so that changing laws and changing responsibilities never catch you unprepared.
Did you know that ransomware attacks can often be traced back to a single compromised password? Reused passwords are the easiest way to undermine an otherwise good privacy program.
Identifying risks in this area is vital, and closing the gaps that arise can be an ongoing struggle.
For example, an account belonging to a former employee that is still enabled on your network is a weakness that malicious actors can exploit. Invest in password management software, enforce multi-factor authentication, and review accounts regularly so that dormant and orphaned accounts are disabled; this adds protection to the systems you use and reduces the risk in this area.
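As an added illustration of the account checks described above (this is example code written for this post, not HubSpot's own tooling), the following Python script runs a simple account-hygiene audit over a constructed identity-provider export and flags the three conditions the text warns about: offboarded people whose accounts are still enabled, enabled accounts that are dormant or were never used, and enabled accounts without multi-factor authentication. The account names, the field layout and the 90-day dormancy threshold are assumptions; a real run would read the export from your identity provider instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical identity-provider export."""
    username: str
    status: str                   # "active" or "disabled"
    last_login: Optional[date]    # None means the account has never signed in
    mfa_enabled: bool
    employed: bool                # False once HR has offboarded the person


# Constructed sample data (not real accounts) covering each risk the post names.
ACCOUNTS: List[Account] = [
    Account("alice",      "active",   date(2021, 6, 20), True,  True),   # healthy
    Account("bob",        "active",   date(2021, 1, 10), False, False),  # ex-employee, still enabled
    Account("carol",      "active",   date(2021, 6, 28), False, True),   # no MFA
    Account("dave",       "disabled", date(2020, 11, 1), False, False),  # properly offboarded
    Account("erin",       "active",   None,              True,  True),   # provisioned, never used
    Account("svc-backup", "active",   date(2021, 3, 1),  True,  True),   # dormant service account
]

AUDIT_DATE = date(2021, 7, 1)        # fixed audit date so the example is deterministic
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold for "dormant"


def audit_accounts(accounts: List[Account], today: date,
                   dormant_after: timedelta = DORMANT_AFTER) -> Dict[str, List[str]]:
    """Flag enabled accounts that break the hygiene rules discussed above.

    Disabled accounts are skipped: they cannot be used to log in, so they are
    not an exposure (though they may still be candidates for deletion).
    """
    findings: Dict[str, List[str]] = {
        "offboarded_but_enabled": [],   # an ex-employee can still authenticate
        "dormant_enabled": [],          # unused for longer than the threshold, or never used
        "enabled_without_mfa": [],      # a single leaked password is enough to get in
    }
    for acct in accounts:
        if acct.status != "active":
            continue
        if not acct.employed:
            findings["offboarded_but_enabled"].append(acct.username)
        if acct.last_login is None or today - acct.last_login > dormant_after:
            findings["dormant_enabled"].append(acct.username)
        if not acct.mfa_enabled:
            findings["enabled_without_mfa"].append(acct.username)
    # Sort so the report (and any diff against last week's run) is stable.
    return {key: sorted(names) for key, names in findings.items()}


def sample_report() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample at the fixed audit date."""
    return audit_accounts(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding, names in sample_report().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Note that one account can appear under several findings (here "bob" is offboarded, dormant and has no MFA), which is exactly the kind of account that should be disabled first. Running the audit on a schedule and diffing the output against the previous run turns a one-off cleanup into the ongoing process the post recommends.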
Tools designed for compliance can automate many of the processes that program management requires. They can monitor your data collection and let you implement changes in response.
Integrating third-party systems into this monitoring extends your data protection controls to your provider ecosystem. Automating the handling of data subject access requests lets you respond within the legal timeframe (under the GDPR, generally one month from receipt, extendable by up to two further months for complex requests), generate the response to the individual, and fulfil your obligations, because you have a 360-degree view of the data subject's data points.
You are also ready to respond to a request from a regulator, since the relevant information is consolidated in one source and can be addressed within the required timeframe.
Privacy doesn’t stand still – keep pace with evolving laws and technologies
In the European Union, many consumers actively exercise the data protection rights they are entitled to under the GDPR and the ePrivacy Directive.
In the US and beyond, consumers now have higher expectations of online privacy and are coming to expect GDPR-level standards. More and more consumers are openly concerned about how companies handle their personal data. The newly passed CPRA (an amendment to the CCPA), the privacy bills introduced in Washington and Virginia (Virginia's Consumer Data Protection Act was enacted in March 2021), and similar laws being introduced in countries such as Brazil, India and China all testify to how territories are taking steps to ensure strong data protection at the local level.
Some of the latest significant legal developments that businesses need to know about include:
- Standard Contractual Clauses (SCCs) – The European Commission adopted revised Standard Contractual Clauses for international transfers on June 4, 2021. They replace the clauses that predate the GDPR and are intended for transfers of personal data outside the European Economic Area, including to the USA. The old clauses may still be used for new contracts for three months after the new ones take effect, and companies with existing contracts based on the old SCCs have 18 months to move to the new SCCs or find another lawful transfer mechanism.
- Colorado Privacy Act – This bill passed the state legislature on June 8, 2021. Colorado becomes the third US state, after California and Virginia, with a comprehensive law giving residents rights over their personal information.
- China's Data Security Law (DSL) – This law comes into force on September 1, 2021. Many of the practical compliance measures have yet to be released in the coming weeks and months, but organizations can look to the draft measures for guidance until then.
It is your responsibility to stay up to date on what these legal developments mean for you and what you need to do with your data. You may need to make internal adjustments to comply, and to work with your teams to ensure that any privacy issues are addressed.
Coping with changes at the local and global level requires a thorough review of the obligations that fall on you, followed by internal or systematic adjustments to your processes. It is just as important that your processes are flexible enough to absorb such developments and can scale with your company.
As business becomes ever more digital, building a data-protection-by-design organization should be a top priority. Implementing a comprehensive and coordinated approach to data protection can be challenging and time consuming, but forward-looking organizations must make it a strategic priority, driven by leadership, across all business activities.
Organizations should also understand and prepare for the reputational risks that go beyond simply failing to comply with the many data protection laws and regulations. Staying on the pulse of regulatory changes in global privacy laws, keeping up to date on enforcement decisions, and continuously improving your privacy program all help create a privacy culture that keeps you ready for the future.
Ask yourself some hard questions about whether your privacy practices are currently up to standard. The consequences of failing to improve are not kind, but being effective in this area will reward you in the long run by strengthening your brand image as a trustworthy, privacy-conscious organization.