Spotlight: How to Implement and Maintain a Privacy Compliance Program
We live in the era of Big Data and, according to estimates, the volume of business data worldwide, across all companies, doubles every 1.2 years. Unlike oil, which is a precious resource of limited availability, data is voluminous – in fact, organizations are drowning in data, and many have unwittingly become data hoarders. But when it comes to protecting those resources, the challenges associated with governing all that data, with the ever-changing data privacy landscape and with cybersecurity threats and potential data breaches have made the stakes.
Learn more on how to implement and maintain a privacy compliance program.
China’s Personal Information Protection Law (PIPL) took effect on November 1, 2021. Do you have data about Chinese residents? Chinese visitors to your website? Chinese employees or subcontractors? Do you buy from China? Yes to any of these questions, and you need to know more about this regulation specifically the importance it places on the role of the DPO.
According to CPO Magazine, “. . . the DPO is the point person under China’s new data protection law for both government and individuals’ inquiries. The law provides that DPOs may be personally liable for neglecting their duties under PIPL, enforced by fines and even criminal penalties.” However, PIPL doesn’t give specifics about DPO responsibilities. Broadly it states DPOs are responsible for supervising the processing of data and adopting data protection measures. DPO duties will center around making sure organizations are responsible stewards of personal information.
It is still unclear which companies must comply with the DPO requirement as specific thresholds have not yet been published by the Cyberspace Administration of China (CAC). Currently, the thresholds are assumed to be large; however, the IAPP estimates that more than 500,000 organizations will need to appoint a DPO in the next few years to be compliant.
Here’s a no-doubter . . . inactivity leads to several health and personal issues such as weight gain, onset of chronic illnesses, or low productivity. Fitness trackers help us stay on track with our fitness goals (perhaps like the ones that make up your New Year’s resolutions), but health information is beneficial to employers also.
Wearable fitness devices and their accompanying apps help us track steps, calories, distance, caloric intake, heart rate and sleep to name just a few metrics. Trips to the doctor’s office to check heart rate and glucose levels are no longer necessary. A quick glance at the wrist may be all that’s needed. Tracking these metrics keeps us personally accountable as we strive towards our individually-tailored fitness goals.
However, employers have taken note and see benefits fitness trackers offer in terms of lowering employee health insurance costs. From fitness-tracking bands to smartwatches, wearable technology is becoming part of employee wellness initiatives. PWC’s study, The Wearable Life 2.0, estimates that by 2020 more than 75 million wearables will be introduced into the global workplace which will earn companies more than $60 billion by end of 2022. It’s believed, however, that the Covid-19 pandemic may have pushed the number of wearables in the workplace even higher. For a number of reasons – moral boosting, heightened productivity, staff togetherness — employers are interested in taking proactive steps to improve workers’ health.
On the flip side, employee and employer concern grows around the security of personal data generated from wearables and transmitted to employers. Last year, personal data of 61 million users was compromised during a data breach suffered by GetHealth, a third-party offering employee fitness incentives. In addition, employers must comply with the Americans with Disabilities Act (ADA). The ADA prohibits employers from making any employment-related decisions based on disability that is unrelated to job functions. An employer that terminates an employee after reviewing the employee’s fitness tracker data may open itself to allegations from the terminated employee.
Wearable technology in the workplace may very well be a step in the right direction for corporate wellness programs. For practical compliance tips and best practices, see the Wonder Who’s Watching You Now article from the Cincinnati Bar Association.
Lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington have committed to introducing CCPA-like privacy legislation this year. Maryland has pre-filed its bill. Eight other states have bills that carry over from last year: Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, South Carolina, and Vermont. It’s hard to keep up, so here’s a couple of State Privacy Legislation Trackers you may want to bookmark: IAPP Tracker, Husch Blackwell Tracker.
In 2022, US state privacy laws will continue to dominate the news for privacy professionals. Although they may resemble CCPA or GDPR, there will be differences as Virginia and Colorado delivered with their privacy regulations. Privacy regulation differences can include:
- Protection of specific types of data – think HIPAA, FCRA, FERPA, GLBA, COPPA, for example
- Definitions of personal or sensitive data
- Consumer rights
- To whom the regulation applies – exceptions and thresholds
- Data maintained for employment purposes
- What constitutes sale of data
- How the law is enforced and who enforces it
- Definition and obligations of Controllers and Processors (Businesses and Services Providers respectively defined by the CCPA)
- Right to cure
- Private right of action
. . . and the beat goes on. The following table compares just consumer rights differences across current privacy legislation.
Few privacy professionals are confident there will be a comprehensive federal privacy bill any time soon, but could we hope for federal regulations that bring about a few more commonalities?