These days, data is as good as gold — and like gold, data is increasingly subject to rigorous government regulations. Around the world, local and national governments are passing legislation to control how businesses collect, use, and store different kinds of information, and the failure of businesses to comply with these new laws can result in severe consequences, including fines, lawsuits, and shutdowns.

Because the landscape of data privacy regulations is relatively new and continuously evolving, many business leaders and risk managers struggle to navigate them. This guide to the data privacy regulations currently in effect can help you learn what you need to know about managing data safely and legally in your regions of operation.

The General Data Protection Regulation (GDPR)

The GDPR is arguably the most substantial data protection legislation yet. Enacted by the European Union, this law covers the collection, transmission, use, and security of all data from residents in all 28 member countries, regardless of the location of the company controlling the data. Most importantly, the GDPR provides data subjects with a list of rights, which include:

  • The right to be informed about the collection and use of their personal data;
  • The right to access their data via a request to the business holding it;
  • The right of rectification to fix inaccurate or incomplete data;
  • The right of erasure to eliminate personal data for specific reasons within 30 days;
  • The right to restrict processing, though businesses that comply with this right may continue storing user data;
  • The right to data portability, which enables users to have their data transferred between systems without disrupting its use;
  • The right to object to how their personal information is being used, with exceptions for data used in legal or official capacities or when personal data is necessary to provide a service requested by the user.

The GDPR is massively important and undeniably influential. Many data privacy laws that have come after the GDPR use this legislation as a model, so even if you operate outside the E.U., you would be wise to study the GDPR back to front. You might consider creating a list of best practices for your risk management program that is respectful of the requirements of the GDPR and flexible to any additional regulatory compliance measures to which your business is subject. For example, you should make sure every member of your risk management team understands their responsibility to maintain compliance and utilize the tech necessary to support GDPR’s rigorous standards.

The Federal Trade Commission (FTC)

In the United States, there are no federal laws specifically pertaining to data privacy — which isn’t to say that Congress hasn’t tried. Still, there are some data regulations at the federal level that impact specific sectors and mediums, such as telecommunications, financial institutions, health information, credit information, and marketing. The FTC can issue regulations and enforce privacy laws to prevent unfair or deceptive trade practices.

To help establish online safety and trust, the federal government also has a number of additional laws in place, including:

  • Children’s Online Privacy Protection Act (COPPA), which applies to information about minors;
  • Health Insurance Portability and Accountability Act (HIPAA), which applies to health information;
  • Gramm-Leach-Bliley Act (GLBA), which applies to personal information collected by financial institutions;
  • Fair Credit Reporting Act (FCRA), which applies to credit information;
  • Family Educational Rights and Privacy Act (FERPA), which applies to education information.

State Data Privacy Laws

Increasing numbers of U.S. states are passing data privacy laws that apply to organizations operating within their jurisdiction. Almost certainly, these laws will continue to evolve in the coming years — which is simply another good reason to invest in the right employee training. Training can help employees stay up to date on the latest regulations, which will lower your business’s risk of non-compliance. Plus, training is an essential component of basic cybersecurity, and data security is a typical element of data privacy legislation.

Perhaps the most important state data privacy law to date is the California Privacy Rights Act (CPRA). A data privacy law to rival the GDPR, the CPRA requires companies to inform users when and how data is collected, to allow users to opt out of data collection, and to provide users with access to view, correct, or delete personal information. The CPRA also controls how businesses can transfer personal information.

The CPRA is so important because California is one of the largest and most populous states and because California’s legislative moves are often predictive of government action across the Union. Already, a number of other states have passed their own data privacy rules that mirror the CPRA, which include:

  • Colorado Privacy Act (CPA);
  • Connecticut Data Privacy Act (CTDPA);
  • Delaware Personal Data Privacy Act (DPDPA);
  • Indiana Consumer Data Protection Act (INCDPA);
  • Iowa Consumer Data Protection Act (ICDPA);
  • Kentucky Consumer Data Protection Act (KCDPA);
  • Maryland Online Data Privacy Act (MODPA);
  • Minnesota Consumer Data Privacy Act (MCDPA);
  • Montana Consumer Data Privacy Act (MTCDP).

Admittedly, not all these state laws are currently in effect; some have effective start dates in the coming months of 2024 or 2025. While most have similar, if not identical, regulations, there are some variations in the law you should know if you plan to conduct business in covered regions.

Additional Data Privacy Laws

If your company doesn’t operate in the U.S. or E.U., you might still be subject to existing data privacy regulations. At present, there are over 130 data privacy laws in effect; some other major countries with robust data protections include:

  • Brazil’s General Law for the Protection of Personal Data, or the Lei Geral de Proteção de Dados Pessoais (LGPD);
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA);
  • China’s Personal Information Protection Law (PIPL);
  • India's Digital Personal Data Protection Act (DPDPA).

Regardless of whether you are subject to one data privacy law or several, you need to understand your responsibilities for collecting, storing, sharing, and using the personal information of your customers and any other users your business interacts with online. Managing your compliance with these laws is an essential component of risk management, so the sooner you review the relevant regulations, the better.


Indiana Lee is a writer from the Pacific Northwest. An expert on business operations, leadership, marketing, and lifestyle, you can connect with her on LinkedIn.
