State laws hint at privacy best practices
- By Chad Gross
- May 06, 2021
California’s landmark 2018 privacy law, the California Consumer Privacy Act (CCPA), was a turning point for privacy laws in the United States. Today, some 28 states have privacy bills either passed into law or working their way into legislation.
These various state privacy laws will not directly impact government agencies, as there are specific carve-outs for them in every major regulation. Instead, federal agencies must meet the standards of the Privacy Act of 1974, while state and local municipalities will be governed by state-specific rules. However, it is important for government IT teams to be familiar with how these new laws apply to commercial entities because they generally represent best practices for handling sensitive information. And after all, much has changed since 1974.
When it comes to privacy legislation, there is much to untangle. To simplify the approach, start with the basic controls and policies common to virtually every privacy framework out there: 1) disclosure prior to personal data collection, 2) a set of basic rights related to processing data and 3) generating a data map to guide program implementation.
- What data is collected
- How data is collected
- What purpose data is used for
- Who the data is shared with
- Disclosures to third parties
Provide for data subject rights related to the processing of personal data
The specific data subject requests that an individual can initiate will depend on the particular legislation. However, these four rights are quite consistent, allowing data subjects to have basic controls over their personal data:
- The right to access: An individual has a right to request from a company what personal data exists about the individual, how it is being used, who else has access to it, as well as the right to obtain a copy of the personal data
- The right to modify: If any errors exist related to an individual’s personal data or if changes have occurred, such as a name change from marriage, then the individual has the right to request to have the errors corrected or the updates made without undue delay.
- The right to delete: Also called the right to be forgotten or the right to erasure, personal data about an individuals must be erased at their request, if applicable.
- The right to the restriction of processing: Individuals are able to “stop” the processing of their personal data for certain reasons including, but not limited to, inaccuracies and unlawful processing.
- Additionally, some privacy laws include an enhanced set of data subject rights. These two are particularly worth noting:
- The right to data portability: Any data collected can be exported in a common format so that it may be transmitted or imported into another controller, if technically feasible.
- The right to opt out: Consumers can choose to not allow the sale of their personal information to any third party.
Understanding the technical capabilities that support these six rights will cover a substantial portion of requirements across all the various state laws.
Generate a data map to understand obligations
To make the necessary disclosures and put these rights into practice, organizations need a complete understanding of the types of personal data being ingested and processed. This is best done with a fundamental exercise called data mapping.
Building a data map involves a combination of automated and manual processes, such as scanning software and interviews with key department leaders. This information is used to build an inventory of the personal data that an organization captures, where it exists and the compliance obligations it is subject to.
Next comes technical implementation. Privacy legislation is intentionally vague on which specific controls must be implemented, instead leaving it to IT managers and other stakeholders to design a program commensurate to the nature and sensitivity of the personal data, as well as the risks to that data. That said, using a proven controls framework such as ISO/IEC 27001:2013 or NIST 800-53 as the basis is recommended. Plus, there are a number of other privacy-related elements worth considering, such as cookie usage, vendor accountability and more. There will never be a one-size-fits-all approach to this process, but those frameworks serve as an excellent foundation.
This year may be when there is a true shift in the nation’s attitude to privacy, as a growing number of lawmakers – and citizens – are paying attention to what is happening with personal data. It’s becoming clear that privacy will have a larger impact on governments and businesses alike. Now is the time to get ahead of the curve before the coming barrage of privacy laws becomes overwhelming.
Chad Gross is associate director of services and international operations at A-LIGN, a cybersecurity and compliance firm.