[kictanet] Data Privacy Thoughts/Challenges

S.M. Muraya murigi.muraya at gmail.com
Wed Nov 21 09:47:02 EAT 2018


While the EU focuses more on regulation, the USA is much better in growing
businesses. Maybe we can learn from US reservations (not just EU
regulations :)

http://fortune.com/2018/10/23/california-data-privacy-law-gdpr/

California’s New Data Privacy Law Could Begin a Regulatory Disaster

By DANNY ALLAN | October 23, 2018

When the European Union adopted the General Data Protection Regulation
(GDPR) in 2016, many in the technology industry saw it as just the first of
many such data privacy laws to come.

They were right. And, as a result, we may be on the brink of a convoluted
regulatory disaster.

In June, California became the first U.S. state to pass its own data
privacy law, the California Consumer Privacy Act. When it goes into effect
on Jan. 1, 2020, the act will provide the state’s 40 million residents with
rights similar to those granted to European citizens through the GDPR.

The hastily approved act gives all California residents the right to see
what personal information is being collected by businesses and to request
that this data be deleted. They will also be able to discover whether
organizations are selling their information to third parties, such as
advertisers, and to request those organizations stop doing so. It will be
the most comprehensive data privacy law in the country.

That said, while the GDPR was criticized for being too ambiguous, it looks
downright hyper-specific in comparison to the California law. For example,
thanks to some loose categorization of businesses to which the act applies,
it has the potential to include not just organizations that sell
individuals’ data for financial gain, but also websites that collect IP
addresses from millions of unique visitors per day.

In 2017 alone, over 1.9 billion files were leaked through security
breaches. After the California Consumer Privacy Act comes into force,
organizations mishandling data could be fined up to $7,500 for each
violation. The financial impact to businesses could be enormous—and that
doesn’t even take into account the soft costs associated with loss of
customer and employee confidence and damage to brand reputation.

Data privacy regulation in America is about to become seriously confusing.
Since the GDPR came into effect, only some states have expanded their data
protection regulations to include breach notification requirements. And
state laws governing data breaches vary significantly: Texas imposes civil
fines of up to $50,000 per violation, while Georgia imposes no penalty at
all.

It’s likely that other states will soon pass their own data privacy
legislation. Just over half the public (51%) thinks technology companies
should be regulated more than they are now, according to a June 2018 report
from the Pew Research Center. As security breaches and privacy concerns
continue to make headlines, public awareness of and demand for stronger
data protection practices are likely to increase.

If each state takes on a local approach to data privacy, America will
become a patchwork quilt of regulation, making it an extremely challenging
place to do business.

Imagine having to ensure that datasets with personal information on
millions of people comply not just with the GDPR, but also with 50
different and sometimes contradictory policies? As people move from one
state to another, presumably the rules regulating their data would also
change. How can organizations possibly keep track?

This is the stuff CIO nightmares are made of.

What we need is a common set of rules for everyone, ideally similar to the
GDPR’s, which U.S. organizations doing business in the EU are already
following. This would minimize the regulatory burden while also providing
U.S. citizens with substantial control over their personal information.

A discussion draft of a new proposed House law, the Data Acquisition and
Technology Accountability and Security Act, would create federal standards
for breach notification that would preempt state laws. However, the bill is
too focused on notifying customers of data theft, failing to provide them
with the more comprehensive rights they need to adequately control their
personal data. It will need to be strengthened significantly to meet the
privacy demands of U.S. citizens.

In any case, Washington needs to act soon. Otherwise, the U.S. may end up
with a regulatory scheme that makes GDPR compliance look like a walk in the
park.

Danny Allan is the vice president of product strategy at Veeam.