there will be an increase in global legislation on data privacy, development of
US privacy regulations, increased investments in privacy technologies, trends
towards a Cookieless future, and other developments.
But what will change in Data Protection for business in 2023?
Privacy regulations are continually evolving, and companies will invest more in privacy technologies to gain users' trust and avoid penalties.
Data subjects are becoming more conscious of their rights and want to safeguard their personal information. It is no surprise to see countries around the world adopt data privacy regulations, which set out the rights consumers and employees have over how businesses use their personal data, impose penalties for breaches of personal data, and require businesses to retain data only for as long as necessary.
To guard against the risks of identity theft and other cybercrime, governments across the globe, including in the United States, have passed laws protecting personal data. These efforts started as a trickle, responding to the early threat of cybercrime and identity theft, but they have grown into a torrent of requirements that vary from Europe to South America to California to New York.
This legislation expands the reach of consumer privacy and gives people better protection against breaches of their personal information.
In the United States, the new bill substantially strengthens existing data security laws: it expands the types of personal data that companies must notify consumers about when exposed in a breach, and it requires companies to establish, implement, and maintain reasonable safeguards to protect the privacy, security, and integrity of personal information.
The act shares features with the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and in some respects is very similar to the GDPR and other privacy legislation around the world.
Virginia's Consumer Data Protection Act (CDPA) likewise creates individual rights patterned after those in the GDPR, and, like the GDPR, requires data minimisation, data security, contractual provisions with processors, and assessments of high-risk processing.
Data protection assessments are now required for high-risk processing, and contracts with processors must set out the processor's privacy and security obligations, including deleting or returning personal data when the contract ends. Businesses should review their standard agreements with data processors and contractors and amend them as necessary to comply with the requirements of the new law.
The new law also requires (1) that companies set up an internal process for consumers to appeal any refusal to act on a request for the data collected about them; (2) that the appeal process is clearly accessible and easy to use; and (3) that the company responds to an appeal within fixed time periods.
To meet these requirements, companies should consider building on their existing data subject access request policies to incorporate such an appeals process, and should make sure their communications with consumers explicitly and conspicuously state the consumer's right to appeal.
This gives consumers rights over their data and requires companies covered by the laws to follow rules about what data they collect, how it is handled and protected, and who it is shared with.
Companies should help consumers exercise their data rights by obtaining opt-in consent before processing sensitive data, disclosing when data will be sold, and giving consumers an opportunity to opt out. In the United States, the California Privacy Rights Act (CPRA) became operative on January 1, 2023, with enforcement beginning July 1, 2023, and for the first time applies to employees as well as other consumers.
The CPRA also creates the California Privacy Protection Agency, expands personal and opt-out rights, limits the retention of personal data to only what is necessary, and extends protection to personal data about employees and business contacts.
Under the CPRA, businesses have increased obligations related to personal information, including record-keeping requirements and cybersecurity and privacy risk assessments.
Of note are California's new privacy rights law and Virginia's consumer data protection law, both effective in January 2023.
Five states (California, Colorado, Connecticut, Utah, and Virginia) will have new or updated data privacy laws in force during 2023, with several others considering laws of their own.
Now that a number of U.S. states have passed data protection or privacy laws, there is likely to be pressure on regulators and officials to prove these new laws actually have teeth.
Other large markets such as India, Germany, China, and Japan have passed or are advancing laws protecting consumers' data and privacy, and we should expect changes in these regions to gain momentum in the coming year.
Based on these trends, it is clear that privacy is evolving beyond regulatory compliance into a new age of integrated data governance and trusted data use.
Privacy governance will merge with data governance, whether the driver is regulatory compliance or cybersecurity resilience and incident response. We can help you and your business stay ahead of the game on data protection with our BCS-accredited online courses in these areas.