GDPR And CCPA: Privacy Changes And Your Role In Data Protection

Watch to learn about the differences between privacy laws and mandates (such as GDPR and CCPA).



Brittany Woodard, Product Manager

Privacy laws and mandates are quickly becoming enforceable around the world. What are the differences between them all, in terms of fines, requirements, and enforcement? 

Brittany Woodard covers the most relevant privacy laws for attendees, giving the background, motivations, and privacy facts from around the world. The world is quickly changing; personal data is being uploaded constantly: what is your role in maintaining lawfulness, fairness and transparency? It is crucial that each individual and citizen understands their duty, and more importantly that every business and organization knows what they need to do to honor privacy and protect data subjects and consumers. 

This webinar was hosted on September 23rd, as part of SecurityMetrics Summit 2020.

Transcript of GDPR And CCPA: Privacy Changes And Your Role In Data Protection

Hi. Welcome, and thank you for joining today. My name is Brittany, and I'm with SecurityMetrics, and I'm a product manager for the company. And today, I'm gonna be giving a webinar on GDPR and CCPA, specifically on privacy changes and your role in data protection.

I'm gonna take just a quick minute and talk about SecurityMetrics. We are a data security and compliance technology company, and our aim is to close data security and compliance gaps, specifically to help companies avoid a data breach.

So here's the agenda. Today, we're gonna cover three different areas.

And the first part is GDPR and CCPA, for those who maybe are not familiar, or, since it's almost been two years or has been two years since GDPR came out, we'll do a little refresh on that.

And then we'll move into the fundamental changes to privacy and your role in the future of data protection.

So let's jump right into it. GDPR came about in May of two thousand eighteen. That's when it was implemented and everyone needed to start adopting the regulation. It applies to organizations doing business with EU residents. So anyone that lives within the European Union is able to partake of this regulation and use it to their benefit.

GDPR was designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens' data and reshape the way that organizations across the region approach data privacy.

So that's an official statement. Different countries essentially were doing slightly different things for data protection throughout the EU, and this, the General Data Protection Regulation, is meant to unite them under one rule.

It also gives control back to the data subjects and insists the data controllers and processors be more vigilant with how they handle personally identifiable information.

So, again, this applies to anyone in the world, basically, doing business, if I'm to put it simply, that's processing personal data of a European Union citizen.

And it's the European Union citizens that are protected: those data subjects that are providing their personal information to you in an effort to do business.

And that information specifically is what is being protected and what should be secured.

So anything that can identify an individual data subject.

And then there's a list of requirements. There are appropriate technical and organizational measures that have been mandated, which we'll cover a little bit later, that need to be implemented and that every business should be following.

GDPR has one of the most stringent penalty systems that we've seen across the industry in data security, and that's something that got attention, and rightfully so. They want this to be taken seriously, as do we all. And so the fines are pretty steep, and it's in an effort to engage and to incentivize businesses to meet these requirements, which I think they did a pretty good job of. So for tier one, you have up to twenty million euros or four percent of the firm's worldwide annual revenue.

And then you have the lesser tier two, which is categorized as less severe infringements, and those can result in fines up to ten million euros, still pretty steep, or two percent of the firm's worldwide annual revenue.

So, again, these are the most stringent fines that we've seen yet, and, again, that's because this should be taken seriously.

Things to consider: when a fine is being implemented or a breach has occurred, the Information Commissioner's Office is gonna take certain things into account. Those things are like the gravity and nature of the breach.

How many people were impacted by this breach, and what was its nature? Could it have been avoided?

How did it come about?

There's the mitigation. Have you tried to fix it?

Did you take precautionary measures to avoid the breach in the first place? Did you have your policies and procedures in place?

Was there training around that? And was it a failure in training?

And then they're gonna look at your history as a business. So is this something that has occurred before? Do you have a history of breaches or a lack of security at the business?

And they're also gonna see how cooperative you are. So they wanna make sure that you're willing to provide the information that's needed to them in order to conduct their investigation.

And they wanna make sure that you've taken the steps as well to notify your customers, or to notify the data subjects, of the breach, and that it was in a timely manner and that it follows the protocols within the regulation and that you are adhering to those.

And, again, that you are just making sure that you're taking all the steps to correct the issue once you did become aware. So those are all things that you'll wanna take into consideration, or that will be taken into consideration, should a breach occur. Or, while you're going through and completing your policies and procedures, make sure you have processes in place to address those things.

So when GDPR did go into effect, right out of the gate, we saw some examples, you could say, being made out of some industry leaders.

We were all kind of waiting to see how this was gonna impact some of these larger corporations like Google and Facebook, and we weren't disappointed, I suppose you should say.

And as a consumer, that feels great, and as a business, it does set a precedent, right, that you need to make sure that you have dotted your i's and crossed your t's and that you've gone through and taken the necessary steps to comply with GDPR.

Specifically, we saw a few things happen here. Google has faced multiple fines over time and currently faces fifty-seven million dollars in fines from France for not making it clear how it processes Android users' information.

And Facebook is currently facing a two point two billion dollar fine for storing passwords insecurely.

And then, of course, we saw British Airways. I believe that was, let's see, that was in twenty eighteen, a data breach fine for the incident that took place after British Airways' website diverted users to a fraudulent site.

And through this false site, details of about five hundred thousand customers were harvested by attackers.

And the ICO had some pretty strong words. Elizabeth Denham said, "People's personal data is just that, personal. When an organization fails to protect it from loss, damage, or theft, it is more than an inconvenience.

And that's why the law is clear. When you're entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check that they have taken appropriate steps to protect fundamental privacy rights."

And I think there's something really key there in that quote from Elizabeth, which is that privacy is a fundamental right. That's how it's viewed in the European Union, and I believe that's how a lot of the data subjects view it as well, and they want those rights.

So in just a moment, we'll talk a little bit more about how we see that trend playing out and sort of moving across the rest of the globe, as GDPR has led the way.

Alright. A little refresh on CCPA, the California Consumer Privacy Act. So that went into effect earlier this year, January of two thousand twenty, and it applies to organizations that are interacting with California residents.

So it was an act just to protect the information of those California residents. And just like other privacy laws, CCPA includes some basic tenets of data protection as well as provisions to notify data subjects about the uses of their data, like who's going to see it and when they're going to see it.

Specifically, CCPA gives California residents rights concerning personal data and outlines the related responsibilities of certain businesses in California.

So it applies to any for-profit entity doing business in California or with California residents' data (that's an important distinction) that either has a gross revenue greater than twenty-five million or collects and processes the personal data of more than fifty thousand consumers for commercial use.

There was essentially a six-month grace period for people to implement this.

So I guess in June we hit that mark, and so we haven't seen any directly imposed fines yet for CCPA, but we will start to see more of those.

This is gonna be the CCPA fines that we're talking about now.

You have private and civil penalties that you could be facing in regards to CCPA.

If the attorney general of California cites a business with failure to comply with CCPA, a right of action will be created, and the business will have thirty days to cure any violations. So consumers who have been harmed by companies' noncompliance with CCPA could seek a hundred to seven hundred and fifty dollars per incident.

If noncompliance continues, then there are penalties of around twenty-five hundred per violation or seventy-five hundred per intentional violation.

And there's no ceiling to CCPA damages.

So, again, I'm just gonna kinda mention that again. They are pretty steep. You have twenty-five hundred dollars per violation or seventy-five hundred dollars per intentional violation.

So whether it's intentional or not, there are consequences, which doesn't surprise us, but it is an incentive to make sure that we have, again, put our policies and procedures into place and taken the proper steps to address any potential risks within our environment.

Okay. Fundamental changes to privacy.

Steve Jobs said, "Privacy means people know what they're signing up for, in plain language, and repeatedly. I believe people are smart. Some people wanna share more than other people do. Ask them." I think that's really kind of brilliant and just possibly obvious that, yeah, people wanna know. People want control of that information, and now it's coming.

Now we're able to do that, right, with GDPR and CCPA.

And we've just seen this a lot over the last couple years in regards to data privacy and data security. People want confidence in how their personal information is being handled.

More so now than ever, we do so many things, business and our personal lives, online, and we wanna make sure that that information is being protected and secured.

And we wanna know that, in the event of a breach, we'll have confidence that we'll be notified and that mitigations will be taken and things will be rectified within a reasonable amount of time.

So we have seen the increase of privacy regulations across the globe. Sixty-six percent of countries have data protection and privacy legislation in place already, and just ten percent of countries have drafted legislation, or up to ten percent, I guess we should say. So more than sixty jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws following the introduction of GDPR in two thousand eighteen. So this really was the catalyst that set a lot of these laws into motion, and it is really changing the landscape of how we view data and how we secure the information and keep things private, and the responsibility we have for the privacy of our data subjects as data controllers or processors.

Gartner estimates that by twenty twenty-three (I thought this was an interesting fact) sixty-five percent of the world's population will have its personal information covered under modern privacy regulations.

And that's up from the ten percent today, so I guess we can say that's quite a leap, in just a couple years, to get to sixty-five percent.

Okay. Let's go through the seven guiding principles.

This can cover GDPR; this is for CCPA.

It's really just best practices, essentially.

So first, you have lawfulness, fairness, and transparency.

Basically, be familiar with and follow the law. Then you have purpose limitation.

Is it necessary for business need to have the data that you're keeping?

And that's something that really needs to be, looked into.

Do you really need all the information that you're collecting?

And if not, you need to restrict what it is that you're asking for.

Data minimization.

Can you cut down on the data you're requesting?

Can you get rid of it? Basically, the rule is: if you don't need it, don't have it. Get rid of it. Accuracy.

Are you keeping the data up to date? So is the information current and accurate? And this kind of plays into GDPR in the sense of the right to update the information, so that's helpful for data subjects to come in and correct the information. But it's also something you wanna make sure of: that the information you're keeping, the data that you have, is accurate.

If not, you should probably get rid of it. No need to hang on to it. Storage limitation. Do you keep the data longer than is needed, or can you tighten that up?

Seems like there's a theme here. Integrity and confidentiality.

So is the data processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures?

And then lastly, we have accountability.

Are you taking all of the security precautions that you should be taking to keep the data safe? And we'll dive into a little bit of more of what that means in just a moment.

A lot of these seven principles are specific to GDPR and covered in Article 5. So if you wanted more information on those, that's a great place and resource to check out.

Your role in the future of data protection.

So our confidence comes from our preparation.

As businesses, if we implement regulation and take precautions, we will feel confident in our abilities to secure data and give confidence to our users and data subjects.

Steps you should take as a business to comply and be secure with the data you have:

Have you conducted your data protection impact assessment, your DPIA?

So have you gone through and identified the data that you have at your business, where it's at, what type of data it is, and whether you need it? That's a pretty helpful exercise to go through, and it will tell you a lot about where you're sitting and give you a lot of insight into what maybe needs to be put into place. Documentation is the next one. So, do you have your policies and procedures?

Have you gone through and documented where all the information is from your DPIA and what you're gonna do with it? And have you made assignments of your data protection officer?

Do you have a process in place for the event of a breach, or for when there are rights being requested at the business?

Breach notification, data rights, ongoing training. Do you have a process to train, and policies around that, and are they being implemented?

And just in general, transparency. So, right, you have the notifications on your websites when you're gonna be collecting information, and what exactly you'll be doing right there. Will there be cookies? Are you going to be selling the information? Are you gonna be sharing the information?

Consumers and data subjects wanna know, when they sign up with you or when they do business with you, how that information is gonna be used.

So security considerations. GDPR mandates that reasonable security and privacy measures are in place. CCPA itself does not specifically outline such preventative measures, but they're implied. So here are some best security practices.

Pseudonymization.

So, for example, that could be encryption of the personally identifiable information.

Remote access security.

What type of remote access is in place, and what security do you have around that? Are you conducting internal or external vulnerability scanning? These types of scans, which SecurityMetrics offers, go over... if you picture a house, it's almost like going around the outside of the house looking for open doors or windows, or cracked windows.

Right?

Making sure the shingles are on. Right? And so nothing's trying to get in, or out, and there are no weaknesses in the system. Penetration testing will do that as well. Your wireless network security: we see breaches that are a result of weak Internet connections and passwords.

So you wanna make sure that there are good policies on those. I know that I have personally gone on-site and seen passwords on monitors, or just things that are visible as a customer that could make you vulnerable to a breach. So you wanna make sure that you lock those up, and that you do have those policies and that they are being implemented.

And, of course, your web application security and security training.

The security training is probably just as important as all of these others, and that's why it's on there, because if we're not aware, as employees, of what's going on with the business and what the vulnerabilities could be and how we should be taking different precautions, then that's a liability for the rest of the business. So we always suggest conducting those trainings, formally or informally, but as frequently as you can.

So what actions should you take next? Making progress: have a plan, know what PII you have, conduct that DPIA, that data protection impact assessment, document, process and report, and use those best security practices.

What's important is that when you have a plan, you execute against it, and then you pivot and adjust when needed or when changes are made to the business. And that's key as well: when a change is made, you go back and review your documentation and make sure that you incorporate those changes so that you don't have any vulnerabilities for your business.

I hope that you guys found this valuable. Thank you so much for joining me today for a refresh on GDPR and kind of where we are, status-wise, in the industry today with GDPR and CCPA.

You can contact me at the email on the slide, and if you have an interest or need any help around GDPR or CCPA, you can reach out to us on the number found on the slide as well, and we'd be happy to help you. You can also visit us at www.securitymetrics.com. We have additional blog posts and white papers that can assist you. So I hope this was helpful. Thank you all so much for joining.
