[BreachExchange] What Compliance Needs to Know About Data Privacy and Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 27 19:29:05 EDT 2017


http://www.jdsupra.com/legalnews/what-compliance-needs-to-know-about-30873/

You don’t have to be a tech-savvy computer genius to address the basics of
data privacy. Like many areas which compliance departments oversee, asking
the right questions and getting the right internal controls in place are the
most important first steps to address data privacy concerns within an
organization. The problem is that most companies aren’t doing either.

Data Privacy compliance is built on the same foundation as other regulatory
regimes compliance professionals are already familiar with – the FCPA, the
BSA, and others. Compliance Departments in the healthcare industry are
familiar with data privacy but most other industries have not built an
infrastructure for compliance. That needs to change.

The US lags far behind many other countries around the world in
implementing comprehensive data privacy laws. This means many US-based
compliance professionals are not as familiar with what data privacy laws
require and, equally important, how a company complies. Especially for
companies doing business internationally, this is a small but quickly
growing problem. While enforcement has been low relative to the high
penalties we’ve seen for anti-corruption enforcement, we are experiencing a
perfect storm: the volume of data and the sophistication of technology are
growing while more countries are enacting and strengthening data privacy
laws.

Europe has taken the lead in data privacy. US companies used to rely upon a
safe harbor when transferring personal data to the US, such as for credit
card transactions or employee data, but that safe harbor, which had been in
place for 15 years, was struck down in the Fall of 2015. Shortly
thereafter, a German data protection authority fined three companies that
had continued to rely on the safe harbor after it was struck down. In that
enforcement action, Adobe, Punica (a Pepsi subsidiary), and Unilever were
fined a combined $32,000.

Enforcement and legal activity continues at a fast pace. On February 2,
2017, Italy imposed a record data privacy fine of €5.9 million on a UK
company for violating Italian data privacy consent rules. In that case, the
UK company had used customers’ personal data to send money transfers to
China without the consent of those customers. A few days later, on
February 7, 2017, Russia enacted a law increasing fines for violating
Russian data protection laws.

In May 2018, the EU’s General Data Protection Regulation (GDPR) will come
into effect, introducing fines of up to €20 million or 4% of worldwide
annual turnover, whichever is greater, for the most serious infringements
of the regulation. Note that these fines apply to infringements generally,
not only to data breaches; a lower tier of up to €10 million or 2% covers
lesser violations. In the future we may see much larger fines… now is the
time for Compliance Departments to act.

At their heart, compliance departments mitigate regulatory risks – data
privacy laws are not an exception. As this is a new but quickly growing
area of concern, compliance professionals who take an active approach,
putting basic data privacy components into place, will find themselves far
ahead of their colleagues. Addressing data privacy should be done the same
way other risks are: assess your risk sources, design appropriate risk
mitigation steps (such as policies & procedures, assigning responsibility,
training, and setting up internal controls), and then implement. To do so,
compliance professionals must work closely with their IT department,
relying upon it as a partner in the same way they already rely on HR.

Addressing data privacy is not as easy as other compliance department risk
areas – but it is increasingly dangerous to ignore it. Perhaps just as
worrisome as the legal repercussions, we have all seen the adverse media
coverage that results from lax data privacy and control standards – just
ask Home Depot, Target, or Yahoo, all of which suffered data security
breaches and paid dearly in the press for them. Taking the time to put your
company on the right path now will save you time and effort in the future
and may even save you significant fines and bad publicity.