Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.
Data privacy affects every business. Whether you’re a one-person operation or have 5,000+ employees, data privacy matters not just for regulatory compliance, but also for protecting your business and consumers.
But data privacy is also an evolving matter. New regulations are popping up with increasing frequency, and existing policies continue to evolve. And because the United States doesn’t have overarching federal data privacy laws, states are left to enact their own individual privacy laws.
Currently, California, Colorado, Connecticut, Utah and Virginia have their own data privacy laws that are either in effect or come into effect in 2023 (along with others that have recently passed privacy legislation). But these laws don’t solely apply to businesses based in those states—they also apply to businesses that collect data from citizens in each state.
It’s important to note that these five states are just the first to market in a rapidly evolving field. There’s a strong chance that other states will continue this trend and borrow elements from these regulations—along with the EU’s GDPR—to develop their own policies.
Why Businesses Should Invest In CCPA Compliance
Out of all the state privacy laws, California’s Consumer Privacy Act (CCPA) is arguably the most comprehensive general data privacy bill on the state level. Effective January 1, 2020, the CCPA was also the first data privacy act in the U.S. modeled after the GDPR. Most newer state privacy laws pull at least some of their regulations from the CCPA, alongside the GDPR and other existing legislation.
The CCPA also underwent major revisions that came into effect earlier this year. The California Privacy Rights Act (CPRA) amended the CCPA through measures such as increased risk assessment obligations for businesses and additional consumer rights. But it also raises the threshold for the yearly number of records processed from CCPA’s 50,000 to 100,000, to help reduce small businesses’ compliance obligations.
But even if you are a small business or don’t collect personal data from that many people, it’s still in your best interest to invest in data privacy. That’s because your customers aren’t memorizing the details of regulatory statutes; they’re simply watching to see how you treat their data and deciding whether you deserve their trust.
Alternatively, if you’re in the B2B space, your customers may be well-versed in privacy laws—and may have specific compliance requirements they need you to meet.
Compliance: An Investment In Your Business
Even if your business currently falls under the threshold for compliance regulations, most businesses have plenty of motivation to invest in their data privacy policy to protect their business and build positive relationships with their customers. Consider this: 32% of consumers have switched companies or providers over data-sharing concerns, and 39% of consumers have lost trust in companies due to misuse of personal data or a data breach.
But the risks aren’t just on the consumer side. Without a data privacy policy, some vendors or third-party businesses may hesitate to collaborate with your business if it increases their liability—in fact, they may even stipulate compliance in their contracts. If you plan to expand operations, it’s easier to build your data privacy and security policies now before your data inventory becomes a black hole of compliance issues.
Five Steps To Start Building Your Data Privacy Program
In general, because regulations continue to change, the best data privacy program for most businesses is an agile, flexible policy based on industry best practices rather than individual laws. Here’s where you can start.
1. Identify which laws apply to your business.
Where do you operate? Do you meet the size threshold for the states or companies you operate in? Are there other geographic markets you want to enter in the near future?
2. Identify what information you collect and why you need it.
Most privacy laws include a component of data minimization—the idea that businesses can’t collect more data than necessary for their goals. So ask yourself regarding the data you gather:
• Is it critical to your strategic goals?
• Are you collecting more information than you need?
• What information can you delete from your system? (This helps to simplify your system, too.)
3. Get your data privacy and data security teams on the same page.
How secure is your data storage system? While data privacy and data security are separate fields, they are intricately connected when it comes to handling and protecting consumer data. Plus, data breaches can be apocalyptic for many companies—in 2022, the average cost of a data breach was $4.35 million.
4. Map your data.
A data inventory tracks what data you have, who interacts with it, how it’s stored and more. A bird’s eye view of your data can help you understand how your system operates and where your data may be vulnerable to exposure.
5. Update your privacy policy and privacy notice.
Privacy policies and privacy notices are essential for your privacy program—and they both need to be up to date. Privacy policies are the internal company documents that discuss your data collection, storage and use. This should not be confused with a consumer privacy notice, which is the external, consumer-facing document that details your privacy practices. Both documents are critical to designating accountability, outlining your business’s practices and expectations, communicating with employees, planning incident responses for potential data breaches and complying with privacy regulations.
As privacy regulations become increasingly widespread throughout the U.S., companies benefit when leaders prioritize privacy. Not only can you protect against compliance violations, but you can also protect one of your most valuable assets: consumer trust. And there’s no better time to start than the present.