Debbie Reynolds Consulting LLC


What are the Five Fundamentals of Data Privacy and Data Protection Regulations?

Welcome to "The Data Privacy Advantage Newsletter", which will be a monthly resource hub of practical information, advice, and content that will help organizations make Data Privacy a business advantage.

Do you know the Five Fundamentals of Data Privacy and Data Protection Regulations?

When organizations internalize the Five Fundamentals of Data Privacy and Data Protection Regulations, they can significantly improve their Data Privacy maturity and make Data Privacy a business advantage. Data volume, variety and velocity are all increasing exponentially, and organizations must grapple with the headwinds of Data Privacy and Data Protection regulations while also trying to succeed in business. For example, the United Nations Conference on Trade and Development estimates that 128 of 194 countries have Data Privacy regulations, and IDC's Global DataSphere Forecast estimated that more data would be created in the next 3 years than was created in the last 30 years.

So how do organizations get a grasp on the dizzying array of Data Privacy and Data Protection regulations that exist now and will exist in the future? After studying Data Privacy and Data Protection regulations for over 20 years, I have found that most of these laws address one or more of five fundamental principles. I created the five fundamental principles of Data Privacy and Data Protection, called "PPARR", to help organizations in any industry better understand current and future regulations while proactively leveraging the fundamentals to improve their data management. Understanding these five fundamentals will help businesses identify their regulatory risks, create actionable business plans that align with current and future regulations, and more rapidly build knowledge within the enterprise about external changes that affect the organization.

What are the Five Data Privacy and Data Protection fundamentals called “PPARR”?

PPARR is an acronym I created to help organizations grasp, at a high level, what Data Privacy and Data Protection regulations aim to address. PPARR stands for Protection, Purpose, Accountability, Rights, and Retention. PPARR helps organizations better understand the scope of a regulation. For example, the EU's General Data Protection Regulation (GDPR) addresses all five PPARR areas, while a law like the New York SHIELD Act primarily addresses Protection and Accountability (PA). Seeing which themes a regulation covers helps organizations make better decisions about how that law may apply to them.

Protection

Protection of data may be articulated in many different ways around the world, but protection is fundamentally about the actions that organizations take to protect the data of individuals. Is your protection a policy or procedure, or is it a physical or technical safeguard you have put in place? Regulations around protection require not only saying that you protect data but also having evidence of how you protect it. Do you have a record showing how you limit access to data to only the individuals in your organization who need it? Do you take measures to minimize data collection to reduce risk? Regulations vary in how prescriptive they are. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), requires a specific control: a link on your website titled "Do Not Sell or Share My Personal Information." In contrast, the EU's GDPR frames protection in terms of outcomes, requiring organizations to implement "appropriate technical and organisational measures" to secure data. Organizations that do not take action to protect data will be at higher risk of running afoul of Data Privacy and Data Protection Laws.

Purpose

Most Data Privacy and Data Protection regulations require organizations to define a purpose for which data is being collected. Having a defined purpose for collecting data runs counter to the way technology has made massive, almost indiscriminate data collection possible. Implementing tools and technologies that allow for massive data collection and retention requires organizations to think through how they use the collected data and to question whether they need it at all. Regardless of the tools and techniques that organizations use to collect data, regulators are looking closely at how organizations assess these tools and at what changes they make to limit features that may have a Data Privacy or Data Protection impact on individuals. Collecting data without a clear purpose should be a red flag under Data Privacy and Data Protection Regulations. Organizations that do not take action to align data collection and data retention with a legal purpose will be at higher risk of running afoul of Data Privacy and Data Protection Laws.

Accountability

Regulations have endeavored to articulate the roles, responsibilities and resources that organizations must have in place, either internally or externally, to manage Data Privacy and Data Protection. Some regulations, like the GDPR in the EU, China's Personal Information Protection Law (PIPL), the UAE Personal Data Protection Law (PDPL), and the recently amended US financial regulation, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which takes effect in December 2022, expect organizations to have someone who "owns" the responsibility for Data Privacy and Data Protection. It is no longer acceptable for these responsibilities to be so diffuse that no one individual knows how data is handled. The trend is not just that organizations must be accountable, but that they need to be able to demonstrate this accountability in tangible ways. Organizations that do not develop tangible ways to prove accountability will be at higher risk of running afoul of Data Privacy and Data Protection Laws.

Rights

People have rights! These rights are growing and being articulated more firmly in Data Privacy and Data Protection regulations worldwide. This is why I have previously written that organizations need to embrace the idea of individuals as data stakeholders, not just data subjects or customers. The growing rights of individuals are driving unprecedented levels of transparency between the organizations that hold data and their data stakeholders. To adapt to these changes, organizations must anticipate and act on the fact that they must be transparent with their data stakeholders to remain aligned with the existing and rapidly evolving regulatory landscape. Organizations that do not take action to honor the rights of data stakeholders will be at higher risk of running afoul of Data Privacy and Data Protection Laws.

Retention

Data retention, or the lack of data deletion, has plagued organizations for decades. The dawn of the digital age meant the creation of more data, the ability to store more data, and very few regulatory requirements to purge data. As Data Privacy and Data Protection regulations have accelerated in jurisdictions worldwide, they have begun to address data retention directly. Some regulations are specific: the Illinois Biometric Information Privacy Act (BIPA) requires organizations to destroy biometric information once the purpose for collecting it has been satisfied or within three years of the individual's last interaction with the organization, whichever comes first. Most others, like the UK Data Protection Act, only say to retain data as long as it is "necessary." Although data retention requirements may be confusing for organizations, it is clear that indefinite retention of personally identifiable information is no longer an acceptable way to manage data. Data held too long tends to decline in business value while its Data Privacy risk keeps growing. Organizations that do not take action on what is expected related to data retention or data deletion will be at higher risk of running afoul of Data Privacy and Data Protection Laws.

When organizations use a framework like PPARR to better understand the five fundamentals of Data Privacy and Data Protection regulations, they will be well on their way to making Data Privacy a business advantage.