Preparing your small business for US data privacy regulations
February 25, 2019
Data privacy laws have touched down on U.S. shores. While many large enterprises have already prepared, their small counterparts face unfamiliar burdens and potentially ruinous penalties.
Is your small business ready to take decisive action by protecting people's personal information? Your answer could determine whether your company becomes an industry leader or a cautionary example of abject failure. Fortunately, with the right combination of privacy protection coverage and lawful compliance leadership, it's possible to master data privacy for small business. Here are a few pointers on minimizing risks and limiting the costs of events like breaches, hacks, and cyberextortion.
The State of U.S. Data Privacy Regulations
Even with widespread public adoption of data technology, the U.S. lacks a comprehensive federal privacy framework. This doesn't mean, however, that your growing enterprise can play things fast and loose when it comes to safeguarding personal information.
In the absence of one universal law, firms are instead subject to a host of different statutes. Your compliance burdens are partially dependent on what field you specialize in.
For example, the Health Insurance Portability and Accountability Act, or HIPAA, includes strict rules regarding the storage, transmission, sharing, and handling of patient data. HIPAA impacts everyone from private practices and clinics to the insurers and medical records software providers they do business with.
The Children's Online Privacy Protection Act, or COPPA, covers activities that involve collecting data from kids under the age of 13. This means it can impact a large number of companies whose users include minors. The FTC hasn't been shy about fining businesses that fail to follow COPPA rules, such as ensuring that children have parental consent before using websites and posting age-specific privacy policies.
Thanks to the Judicial Redress Act of 2015, citizens of certain covered foreign nations have the right to bring lawsuits against U.S. companies that don't protect their information as specified by the Privacy Act of 1974. This law might affect you if you do business with partners from overseas or want to expand your product sales to new territories.
New Data Privacy Rules on the Rise
If all you focus on is overcoming federal privacy hurdles, you're bound to get caught off guard. Different legal jurisdictions retain the power to set their own standards. For instance, in June 2018, state lawmakers passed the California Consumer Privacy Act. This law gave people the right to ask companies not only whether they'd collected their information but also whom they'd sold it to.
One noteworthy aspect of modern privacy laws is that they don't always go into force at once or apply equally to all businesses. New York's 23 NYCRR 500 rule is a good example. This law went into effect on March 1, 2017, and it set later deadlines for different hoops companies had to jump through, such as submitting formal compliance certification by March 2019. The legislation also included exemptions to specific rules based on factors like how many in-state employees companies had, their annual revenues and assets, and whether they controlled their own IT systems and information.
EU GDPR: Learning From the European Model
If this patchwork of regulations seems confusing and burdensome, then you're probably not alone. Luckily, such events aren't without precedent.
When the European Union's General Data Protection Regulation, or GDPR, became law in May 2018, it was the culmination of about four years' worth of effort. During that time, companies had to learn not only about the new rules regarding data breach handling, consent, privacy by design, and other topics but also rethink their business models to incorporate Data Protection Officer roles.
What can you take from the GDPR transition? No matter whether you're trying to comply with state, federal, or international statutes, you'll need to do more than memorize a few rules here and there.
The complexity of IT systems and processes makes data privacy a full-time job. Depending on where and how you work, you'll most likely have to bring in outside help to minimize your risks. You should also ensure that you have coverage in case you miss critical details.
Four Steps for Complying With Data Privacy Laws as a Small Business
Ready to enact better data privacy governance policies? Here are a few steps to get you started:
Create a Dedicated System
Data security regulations are still evolving, and even those based on well-established laws can be hard to decipher. The easiest way to stay on your toes is to appoint an accountable company officer to handle data privacy. Whether this is their sole responsibility depends on your resource availability and legal requirements, but at least one person in your firm should continuously be in tune with your oversight stance.
Leverage Third-Party Auditing
Sometimes, it takes an outsider's perspective to uncover your mistakes. Third-party auditing services may be able to help you identify compliance gaps before regulators fine you for them. With some laws, it may even be an explicit requirement.
Establish a Culture of Accountability
Privacy disasters occur for many reasons, but multiple studies have shown that human errors are prevailing factors. While the percentage of incidents caused by negligent insiders is hard to pin down, these security breaches can sink firms just as readily as outside hacks can. Establishing better rules, such as bring your own device policies, and investing in staff education might just save your reputation and user data.
Vet Your Partners Thoroughly
Small enterprises naturally rely on business-to-business networking and partnerships to accomplish more. These arrangements can represent serious hazards. If you're working with a web host that fails to secure its data centers, for example, then anyone who enters their information on your site might be in danger. Since they probably won't buy the excuse that their identity theft nightmare was someone else's fault, you need to make sure that your partners uphold the same rigorous compliance standards that you do.
These are just some of the concepts you'll need to comprehend to stay ahead of the regulators. As laws shift, maintaining the right attitude is vital. Those who adopt a proactive stance are far less likely to fall prey to fines and reputation-killing data losses.