New laws and rising customer expectations are changing the way businesses handle privacy issues. Here are three sources of change to consider as you determine your approach:
Global laws. In most areas of law, a business only needs to comply with the laws that apply in the locations where it is conducting business or has a location. Privacy is an exception. Many privacy laws (including most of the more recent laws) apply whenever you interact with a person from that jurisdiction.
A great example of this is the European Union’s General Data Protection Regulation (GDPR). This applies to businesses that are regularly receiving information from individuals from the European Economic Area (most of Europe), even if a business has no physical presence in Europe and has no European employees. This is part of why so many websites have been sending emails updating their privacy notices and have highlighted changes to their privacy notices when you visit the website. Many US businesses are subject to GDPR.
The same principles apply to the laws of other countries, such as Canada, and of most US states. Even local businesses need to be concerned, as laws from states across the country may apply to them in the event of a data breach or if they have even one customer in another state.
What is a business to do? Compliance is not as hard or complex as you may think. Yes, there is some time and expense to getting up and running on privacy compliance. Once compliance is in place, maintaining it is relatively easy. Take the time to find knowledgeable advisors (attorneys, consultants and accountants can help) who can help carry the load, especially of getting started and determining what laws apply.
Customer expectations. Individuals and businesses are making increasing privacy demands on those they work with. Some choose to ignore these demands and expectations. Do so at your own risk. When working with other businesses, especially those in other jurisdictions, be careful to diligently review what you are agreeing to in agreements, purchase orders and online click-throughs. It is increasingly common for these documents to contain privacy obligations, and failing to meet them carries serious legal and financial risk and can damage your business’s reputation. Individuals also expect their privacy expectations to be met, even if they are not in writing. What can you do? Review your agreements carefully (or have an attorney do so) and use a prominently placed privacy notice to demonstrate legal compliance and set expectations.
Data collection. It is still common to obtain as much data as possible, to keep it as long as you want, and to do with it as you please. In many jurisdictions, including some you are likely subject to even if you do not have an office there, this is not a best practice and may not be legal. Yes, many types of data have value, but they may not be worth the risk. What can you do? Two suggestions. One: find out what laws apply to you and what those laws permit and prohibit. Two: find out what data you are collecting and how you store, share and use it, and take time to consider what data you actually need. Then take appropriate steps to move towards legal compliance and a streamlined data structure.
Contributed by Charles M Russman of Clark Hill PLC.
View the on-demand webinar “Complying with Privacy Laws” with Charles.