June 24, 2021

Making Data Compliance Personal with New Privacy Laws

Christopher Pin

It seems like just yesterday I was blogging about the latest state data privacy law, Virginia’s Consumer Data Protection Act (CDPA), and already there’s a new one to discuss. On June 8, 2021, the Colorado legislature officially passed the Colorado Privacy Act (CPA). The state Senate also voted unanimously to adopt the House amendments to the bill. Once signed by the governor, Colorado will become the third state after California and Virginia to pass broad consumer privacy legislation.

The Basics of CPA

While the CPA—like each of these other laws—has its unique definitions and terms, it largely follows the guidelines of both the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). CPA also picked up a lot of its core requirements from the proposed Washington State Privacy Act, which recently failed to pass.

The new CPA includes guidance on data controllers, data processors, redefining what constitutes a “sale,” and what industries or sub-industries are considered “exempt.” For those who are not entirely exempt, CPA defines which subsets of their data or use cases are in scope. This is all par for the course, and what we can likely expect to see from the remaining 47 states should data privacy go unregulated at the federal level.

The People Behind the Data

New regulations seem to be coming out faster than ever before. Some of this can be attributed to consumers becoming more aware of and sensitive to the fact that companies are making profits off of their data, considering data as a digital asset instead of a human asset. When companies do this and approach data in a more “business-minded” way, it’s possible to forget there are real people behind all of the data the organization uses to become profitable.

There are multiple reasons for companies to remain cognizant about the people on the other side of the data. Perhaps an individual works in an incredibly sensitive industry, has a medical diagnosis that is not public, or could even be in witness protection. All of these are details most people would not choose to share publicly, yet these details exist in data points that could substantially impact their lives if hacked, stolen, or sold to a malicious group.

Because of the level of personal impact data can have if improperly managed or used, it is extremely important that organizations not only collect just what is needed for business requirements, but also secure that data as if it were their own.

It Starts with Understanding

Laws such as GDPR, CCPA/CPRA, CDPA, LGPD, POPIA, and now CPA at their very core are all about one thing: Understanding your data. When your privacy, infosec, business, or even data governance team is asked, “Where did that data come from?” “Why do you have that data?” “Who is that data pertaining to?” and “Is that data properly protected?” they should have a quick answer, or be able to point to someone who knows. Leadership should also ensure that the business understands where all of its data is, including duplicated data. This is the foundation and building blocks for a great data security and data privacy program.

There is no predicting which state may pass a data privacy law next, or what the federal government could do in the next 6 – 12 months. But one thing is for sure: Understanding what data your organization has and why, everywhere it’s stored, and what the data is intended for will ultimately set you up for success for the foreseeable future.

Understand Your Data with PKWARE

Here at PKWARE, we pride ourselves in having a best-in-class data discovery solution, and one of the only solutions on the market today that can leverage discovery to appropriately protect the various data elements that are discovered. Protection can then be automatically applied as masking, redaction, or encryption; alternatively, the discovery may simply be leveraged for reporting.

One thing will always remain true when it comes to data security: You cannot protect what you cannot see. If you’re not leveraging a data discovery solution now, how do you have any assurance at all? Give your business peace of mind when it comes to data with the help of PK Discovery, part of the PK Protect suite. Get a free personalized demo now.
