Data security and privacy legislation have rapidly evolved over the course of the pandemic. Many businesses are just beginning to adapt their data security and collection habits, recognizing the severity of falling behind. Today, regulations are expanding. Businesses must be aware of and adhere to an ever-increasing number of not only state and U.S. regulations, but also international laws. Whether you are just beginning your data protection journey or are seeking to update and improve your existing program, Brian McGinnis, Data Security and Privacy Attorney at Barnes & Thornburg, provides actionable steps below to work towards compliance.
It’s not a matter of if, it’s a matter of when. One of the best ways to stay compliant is to be informed. Senate Bill 358, regarding consumer data protection, would establish a new article in the Indiana Code. This bill seeks to empower the consumer to understand how an entity is processing their personal data and allows the Attorney General to investigate suspected or actual violations of the new article, similar to new laws in Virginia and California. While it did not pass this session, the bill demonstrates that privacy is a priority for lawmakers in Indiana. On the cybersecurity side, House Bill 1351, Disclosure of Notification of Data Breach, sets requirements for notifying the Attorney General's office within 45 days of discovering the breach. This standard would set expectations and a clear timeline for communicating a breach.
Although Indiana is one of the first few states prioritizing privacy legislation now, McGinnis shares the importance of widening the scope. No matter the industry or size, every business hosts some form of personal data, likely from multiple locations. For those who have not thought about data privacy or have not updated their compliance efforts in the last year, it’s important to consider what’s happening in California, Virginia, Colorado and even the European Union’s General Data Protection Regulation (GDPR). McGinnis helps clients maintain compliance with all applicable privacy laws, explaining the global strategies for auditing personal data collection. Recognizing where your data collection stands on a global scale will prevent risk and liabilities in the future.
If you have avoided the compliance conversation to date, McGinnis explains it is “no longer optional.” Businesses will need to start meeting compliance standards of individual state laws and anticipate federal legislation. Some important questions to ask your organization are:
o What data do we have?
o How do we plan to continue collecting information?
o How are we processing it?
o Who are we sharing it with and how are they protecting it?
Most organizations are not 100% compliant with all laws, nor will they achieve this standard. However, new legislation proves a need to start these conversations. If you are curious where to begin, on March 15th at Tinker House Events, Blackink IT will be hosting a PEST Analysis Approach, Upcoming Risks for 2022. McGinnis will dive deeper into the latest updates and trends in the data and privacy space and provide practical advice to reduce your business’ privacy risks. Join us at the link here.