The laws, rules, and regulations regarding privacy and data security are changing throughout the world. In the United States, California recently passed the California Consumer Privacy Act (CCPA), which is due to take effect in 2020. In May 2018, Europe enacted the General Data Protection Regulation (GDPR), which introduced sweeping changes to EU privacy law and contains specific requirements regarding data security and safeguarding information. Brazil and India have respectively passed and proposed privacy laws that borrow heavily from the GDPR. Other countries and states are also in the process of implementing or updating their privacy and security laws. These laws will require organizations to ensure that privacy and data security—beyond just HIPAA—are key considerations in the early stages of new product and service development and throughout the life cycle of these products and services. Venable has compiled a helpful summary of the high-level privacy and security considerations to keep in mind while designing products and services and during the entire life cycle of those products and services. The considerations outlined below are drawn from certain common principles in these laws and should be used to help plan and manage new or materially changed products and services.

Topic
Action

Broader Definition of Personal Information

The new laws cover more than just protected health information. Many of these laws expand the definition of personal information to encompass a wide variety of personally identifiable information, including for example, IP addresses and device identifiers. Personal information may include any information that can be reasonably linked to a particular person, computer, or device.

Privacy as the Default

Personal information must be automatically protected. Products and services must be designed with privacy settings already in place; individuals can then choose to dial back the privacy settings.

Product and Service Lifecycle

Privacy and security must be considered from end to end. Information must be protected when it enters the system, all the way through the product and service life cycle, and then securely destroyed when required.

Vendor and Partner Selection

Select service providers and partners (third parties) that comply with applicable privacy and security laws. Many privacy and data security laws require that third parties have implemented appropriate privacy and security measures. When a company is outsourcing work, whether engineering work or an entire feature/service/component of a product or service, third parties should be vetted and should be used only when they can meet applicable privacy and security requirements. If a third party does not meet applicable legal requirements, consider whether the issues can be remediated and, if not, select another third party. Companies must also oversee third parties during the duration of the relationship.

Company’s Compliance

Your partners will expect a demonstration of your compliance with these new laws. In addition, they may wish to conduct audits to determine whether your company meets certain privacy and security requirements. Thus, it may be necessary to complete questionnaires that drill down on, and/or to submit a detailed summary of, company-wide privacy and security practices. It is helpful to have a process in place to respond to these third-party requirements.

Data Processing and Use Agreements

Beyond business associate agreements, data processing and use agreements with third parties may be required. Best practices call for considering which form of data processing and use agreement is required in specific circumstances (e.g., a data processing agreement where the personal information of European individuals is at issue, a business associate agreement for protected health information, or specific service provider provisions to comply with the CCPA).

Data Minimization

Limit the data elements collected. Consider the business justifications for each of the data elements collected, and do not collect personal information without having a business justification for doing so and without having appropriate data security measures in place for protecting that information.

Accuracy

Keep personal information accurate and up to date. Consider what processes or features can be implemented to ensure that information stays accurate.

Data Retention

Keep personal information only for as long as necessary. Determine how long personal information should be retained and implement processes for routinely discarding or destroying any personal information that is no longer needed for a business or legal reason.

Privacy and Data Security Protective Measures

Encrypt and de-identify personal information. Where possible, embed privacy and security protective measures, such as pseudonymization (e.g., encryption, hashing and salting data) or anonymization (e.g., de-identification) of personal information, into product and service design.

Data Mapping

Maintain a data map. Many new privacy laws contain obligations to maintain records of what data is used for, how it’s shared, and where it’s transferred. Consider how records of processing should be maintained and updated as new products are developed and old products are discontinued. This data mapping will be critical to ensuring cybersecurity measures commensurate with the risk are in place to protect the data.

Security Incidents

Quickly report security incidents. Some of the new laws require the reporting of security incidents within very short time frames. Ensure that processes are in place to escalate incidents and to meet required deadlines for reporting such incidents to impacted individuals, government authorities, and, when required, third parties.

Transparency

Update privacy policies. Ensure that privacy policies are updated to remain accurate, as products that process data are developed in new or different ways, ensuring individuals know how their data moves around the product or in accordance with the service and is shared (or not) with others.

Privacy Impact Assessments

Conduct privacy impact assessments. A privacy impact assessment (PIA) is an assessment of the risk associated with using personal information in a particular way. In developing products, consider whether a PIA is required. If the PIA shows that there would be a risk to individuals, consider risk-mitigating measures.

Security by Design

Conduct security by design. Security by design ensures that systems, products, and services are designed from the foundation to be secure and to make certain appropriate cybersecurity controls are in place from the beginning with respect to personal information.

Consent Tracking

Track consent. Consider whether individuals will need to consent to data collection and/or the way their personal information will be processed and shared. Identify how this consent will be tracked and documented.

Individual Rights

Data access. Expect that individuals will ask what personal information has been collected about them and about other information, including the entity with whom it was shared. Be prepared to provide that data to the requesting party in a timely manner.

Data deletion. Be prepared to delete data about individuals if they make that request.

Data portability. Be prepared to transfer data to a third party in a digital format if requested by an individual.

Data correction. Be prepared to correct personal information upon an individual’s request.

Moving Data Across Borders

Ensure cross-border data transfer mechanisms are in place. Consider whether personal information will be transferred outside its country of origin and, if so, what measures (if any are required) should be implemented to ensure that the transfer is legal.

Accountability

Document decisions. Many of the new laws require organizations to be able to demonstrate how they have complied with the law. Documenting decisions in relation to privacy and security is critical to meeting accountability requirements.

Conduct a Cybersecurity Risk Assessment

Conduct a Cybersecurity Risk Assessment. Many data security laws require companies to conduct a cybersecurity risk assessment annually. A cybersecurity risk assessment evaluates the security controls in place that protect personal information and whether those security controls are adequate based on the sensitivity of the data, legal requirements to protect the data, and the threats to the data. A risk assessment helps companies to discover weaknesses in controls and to prioritize cybersecurity initiatives.

Implement Data Security Measures in Accordance with the Risk Assessment

Implement data security measures. Many laws, including the CCPA, the GDPR, and HIPAA govern how companies must protect personal information, either through reference to “reasonable” security to protect such information or by reference to specific security controls. Fundamental to all of these laws is the proposition that companies must think about how they protect personal information and should do so throughout the life cycle of that information.

Venable attorneys are adept at designing personalized privacy and security plans and conducting privacy and cybersecurity assessments to address both client needs and the most current and relevant laws and regulations. For additional information about the work we do in this and other practice areas, visit Venable.com/services.