cyBARR Chats interviews Swathi West, healthcare and privacy manager, to learn about privacy regulations on the international, federal, and state levels.
[00:00:00] Claire McKenna: Hello everyone. And welcome to today’s episode of cyBARR Chats. This is the first episode in a special edition series, focused on privacy. A study conducted by Pew Research Center found that 81% of us adults felt that they had very little or no control over the data that companies collect today. We’re joined by healthcare, privacy and compliance expert Swathi West to discuss privacy laws and regulations, which help regulate data collection. So Swathi, before we dive into some specific laws, let’s discuss the application of these regulations. In general, since we live in such a globalized world, can you explain how privacy regulations that may be specific to a certain country or area (for example, the GDPR in the EU) still affect companies and organizations.
[00:00:50] Swathi West: You’re right that we live in a globalized world, and it’s important to understand that different cultures have different views and regulations on privacy. While many Americans tend to be less concerned with privacy. Other countries in the world have strict privacy regulations and a stronger definition of privacy, the general data protection regulation, which you mentioned GDPR.
Is a great example of how privacy changes in our globalized connected world. Since the GDPR is a regulation and the European union EU American companies may think it doesn’t impact. Then, you know, if they have no presence in the EU or no USDA based employees, but many US-based companies must comply with the GDPR.
If they offer goods or services to any EU residents or monitor the behavior of the residents. And you know, this reaches much further than you may think, you may think, oh, you know, we’re not working. Um, they’re needing you or, you know, we don’t recite. If you’re working with any EU residents that may effect.
So for example, if your website is based in the U S but still attracts European visitors, you must hate the GDPR. Similarly, you know in the US, we have California Consumer Privacy Act or CCPA that can affect your businesses, even if you aren’t based in California. And, you know, obviously we can discuss the regulations throughout our episode, but it’s always important to understand that just because you’re not in EU you know, you still have to comply with GDPR the same way with a CCPA. If you’re not in California, you might have to still comply with California, consumer privacy, consumer privacy act.
[00:02:42] Claire McKenna: Thanks for that explanation. So we’ve discussed the GDPR a little bit and when we think of privacy regulations, the GDPR is often the de facto association. So can you tell us a little more about this international privacy regulation?
[00:02:58] Swathi West: Yeah. So, I mean, that’s, when you think about privacy, GDPR has big due to barriers out there of that’s the most strict regulation privacy regulations that we have today. And it is a most federal privacy regulation that exists in the world today. It was passed any in the EU in 2018 and sets guidelines for the collection and the processing of personal information of individuals who live in the EU.
Just to reiterate again, this. This is for collection and processing of personal information of individuals who live in the EU and under GDPR organizations have to ensure that not only are they gathering data legally, but also protecting the data from misuse or exploitation, this means that companies can be significantly more liable in the event of a data breach on the individual level. The GDPR was designed to give you cities. More control over their personal data. So organizations are required to notify customers. If their data was compromised in a breach, it also makes it easier for consumers to understand how their data is being collected and also used.
[00:04:13] Claire McKenna: Got it. That’s really helpful information. Taking a step back. We’re starting to throw around these terms. What does processing personal data really mean?
[00:04:22] Swathi West: Great question, you know, like, so let’s take a step back, you know, there’s a lot of words, you know, GDPR and then this personal data, but because you know, these, these terms are important. Uh we’ll I’ll explain to you what personal data is.
So personal data is any information connected to a person’s identity. So any information that’s connected to a person’s identity is their personal data. So this can include your name, your job, your religion, address, and many more factors that would link directly back to you. Your personal data and processing personal data is collecting. It can be recorded. It can be gathered. Organizing storing, using, or disclosing or otherwise making personal data available by different electronic means. So that’s what your processing personal data is. And also not the big term in GDPR has always a controller. So controller is the entity that controls the personal data and the two minds, what will be done with it.
So, you know, these are, these are very important terms. So thanks. Thank you so much for asking that.
[00:05:31] Claire McKenna: Yeah, that’s a really great explanation for me and for our listeners. So we’ve talked about the GDPR. Um, I’m curious about the US’s privacy regulations at the federal level in the US.
[00:05:43] Swathi West: It’s always a question. Um, you know, thank you so much again for asking that because while the US doesn’t have a single overarching data privacy regulation in the same way that the EU does with the GDPR, but there are a number of industry specific federal laws that encompass privacy. For example, we have HIPAA which protects patient’s personally identifiable information in the healthcare industry there EPHI.
And you know, obviously we covered this a lot extensively in our HIPAA blog. So if you’re interested at least take a look, but we do have HIPAA that regular to fellow federal level. Similarly, we have Gramm-Leach-Bliley act, which requires financial institutions to explain their data-sharing practices to their customers, to safeguard the sensitive.
Regardless of what industry you’re in. It’s always important to check with your governance and risk and compliance teams or your legal teams to ensure you are complying with that industry specific privacy laws that may apply to your organization. So it’s always good to talk with your legal teams, just to be sure you have that compliance part covered.
[00:06:59] Claire McKenna: Got it. Okay. So we’ve talked about privacy on the international level and now the federal level. So let’s dive into state privacy laws in the US. What state privacy laws exist in the US and how do they affect the rest of the country?
[00:07:14] Swathi West: Great question again. And we talked about GDPR a little bit, which would affect your residents and the same way we have CCPA, the California Act. And it is mostly. Prominent state privacy law in the US so it gives customers more control over their data that businesses collect, including the right to know about the personal information that the business is collecting about them, how it’s used or shared, and the right to delete the personal information and also the right to opt-out of the sale of their personal information and also the right to non-discrimination for exercising their CCPA rights.
So these are all the laws. You know, uh, are under that CCPA. Um, and another thing to keep in mind is if your business serves California residents and meets one or more of the three requirements that are part of CCPA, you are required to comply. So just to get more info on the requirements, if you’re having an annual gross revenue of over 25 million US dollars, or you’re annually buying.
Receiving selling or sharing personal information of 50,000 or more consumers, households or devices and deriving 50% or more of your annual revenue from selling customer data. So obviously this is part of California residents. So always think about these requirements. You know, whether you’re compliant with CCPA, you’re getting more information.
You are selling some information of any residents more than 50,000. You know, keep ’em people look out for this, for this long California being the most populous state. Um, we always forget about it. Right. You know, just you asked Claire, what about us thinking? We have so many states and it’s only stayed regulated for California, but doesn’t mean it’s only for California residents being in California, being the most populous state in the country.
Many organizations might be driving 50% or more of annual revenue from selling customer data from CA for California residents. So it’s always important to understand. You know, whether you have to comply with CCPA and just make sure you work at the requirements. And you know, this means that if a California customer, you know, for example, was it your website and you have cookies collecting any information that could be linked with their personal identity, you will have to inform them.
And give them an option to opt-out. So it’s always important. You just might be like, oh, this is just a website. This is a cookie collecting information, but you have to always make sure if you’re collecting California residents’ personal information, you know, you should give them the ability to opt-out or you know, just make sure.
Make a note that, Hey, we’re collecting the information. And, uh, you know, a couple of states followed with California, like Virginia and Colorado, both recently followed California’s example and pass similar comprehensive consumer privacy laws. And we will see this definitely, you know, grow in larger scale in different states throughout us. And privacy is going to be the next big thing. Everyone’s going to definitely talk about.
[00:10:26] Claire McKenna: Wow. Thank you for all of that insight. That’s so helpful. Um, so you’ve discussed, you know, how a lot of these regulations give consumers more control over their data. My last question for you is what do organizations need to know about how these privacy regulations affect their business?
[00:10:45] Swathi West: Businesses should always work closely with the legal compliance team to understand how privacy regulations affect their business. Um, like we, you know, we talked about very clear and we talked about you, GDPR and California HIPAA. I mean, we have compliance regulations that businesses should follow today.
It’s always important to understand which ones. You know, do we have to be compliant with how many California residents data are we collecting or how much business are we doing for, with E residents? So these are all the things that you definitely have to talk with your legal and compliance team.
And this might include privacy at the station, right? There’s always something we can do in regards to like, What data do we have today and what compliance frameworks or regulations we have to be compliant with. So this might be a privacy attestation, or these might be the discussions that you have to talk with your audit and compliance partner, like BARR and, you know, just to conclude, it’s always good to add.
And also it’s a best practice for a business to respect consumer privacy. And regardless of regulation, it is good for your business. And, you know, good for you, your customers too, to be open and honest about your data collection practices, let them know what you’re collecting, how would you use and things like that.
And like I said, it’s always good. If you have any questions in regards to like, Hey, what regulations do we have to follow or comply with? It’s always good to talk to your partners. Like for.
[00:12:13] Claire McKenna: Wow. Yeah. Well, thank you Swathi for all of your valuable insight on privacy regulations on the international federal and state level, and we look forward to seeing everyone next time on cyBARR Chats in our privacy series.
[00:12:26] Swathi West: Thank you.