cyBARR Chats Privacy Series Episode 1: Privacy Regulations

August 11, 2022



[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARR Chats. This is the first episode in a special edition series focused on privacy. A study conducted by Pew Research Center found that 81% of US adults felt that they had very little or no control over the data that companies collect. Today we’re joined by healthcare privacy and compliance expert
Swathi West to discuss privacy laws and regulations, which help regulate data collection. So Swathi, before we dive into some specific laws, let’s discuss the application of these regulations in general. Since we live in such a globalized world, can you explain how privacy regulations that may be specific to a certain country or area,
for example the GDPR in the EU, still affect companies and organizations everywhere?
[00:00:48] Swathi West: You’re right that we live in a globalized world, and it’s important to understand that different cultures have different views and regulations on privacy. While many Americans tend to be less concerned with privacy, other countries in the world have strict privacy regulations and a stronger definition of privacy. The General Data Protection Regulation, which you mentioned, GDPR,
is a great example of how privacy changes in our globalized, connected world. Since the GDPR is a regulation in the European Union (EU), American companies may think it doesn’t impact them, you know, if they have no presence in the EU or no, um, EU-based employees, but many US-based companies must comply with the GDPR
if they offer goods or services to any EU residents or monitor the behavior of EU residents. And you know, this reaches much further than you may think. You may think, oh, you know, we’re not working, um, there in the EU or, you know, we don’t reside there. If you’re working with any EU residents, that may affect you. So for example, if your website is based in the US but still attracts European visitors, you must heed the GDPR.
Similarly, you know, in the US we have the California Consumer Privacy Act, or CCPA, that can affect your businesses even if you aren’t based in California. And, you know, obviously we can discuss these regulations further throughout the episode, but it’s always important to understand that just ’cause you’re not in, um, the EU,
you still have to comply with GDPR, the same way with, uh, CCPA. If you’re not in California, you might have to still comply with the California customer priv, um, Consumer Privacy Act.
[00:02:43] Claire McKenna: Thanks for that explanation. So we’ve discussed the GDPR a little bit, and when we think of privacy regulations, the GDPR is often the de facto association.
So can you tell us a little more about this international privacy regulation?
[00:02:58] Swathi West: Yes. I mean, that’s, when you think about privacy, GDPR is big. GDPR is out there. That’s the most strict privacy regulation that we have today, and it is the most thorough privacy regulation that exists in the world
today. It was passed in the, in the EU in 2018 and sets guidelines for the collection and processing of personal information of individuals who live in the EU. Just to, you know, reiterate again, this is for collection and processing of personal information of individuals who live in the EU, and under GDPR organizations have to ensure that not only are they gathering data legally, but also protecting the data from misuse or exploitation.
This means that companies can be significantly more liable in the event of a data breach. On the individual level, the GDPR was designed to give EU citizens more control over their personal data. So organizations are required to notify customers if their data was compromised and breached. It also makes it easier for consumers to understand how their data is, is being collected and also used.
[00:04:13] Claire McKenna: Got it. That’s really helpful information. Taking a step back, we’re starting to throw around these terms. What does processing personal data really mean?
[00:04:22] Swathi West: Great question. You know, like, so let’s take a step back. You know, there’s a lot of words, you know, GDPR and then this personal data, but, because you know, these, these terms are important,
uh, we’ll, I’ll explain to you what personal data is. So personal data is any information connected to a person’s identity. So any information that’s connected to a person’s identity is their personal data. So this can include your name, your job, your religion, address, and many more factors that would link directly back to you,
your personal data. And processing personal data is collecting. It can be recording, it can be gathering, organizing, storing, using, or disclosing or otherwise making personal data available by different electronic means. So that’s what processing personal data is. And also another big term in GDPR is always a controller.
So a controller is the entity that controls the personal data and defines what will be done with it. So, you know, these are, these are very important terms. So thanks. Thank you so much for asking that.
[00:05:31] Claire McKenna: Yeah, that’s a really great explanation for me and for our listeners. So we’ve talked about the GDPR. Um, I’m curious about the US. Is privacy regulated at the federal level in the US?
[00:05:44] Swathi West: It’s always a question. Um, you know, thank you so much again for asking that, because while the US doesn’t have a single overarching data privacy regulation in the same way that the, uh, EU does with the GDPR, there are a number of industry-specific federal laws that encompass privacy. For example, we have HIPAA,
which protects patients’ personally identifiable information in the healthcare industry, their ePHI. And, um, you know, obviously we covered this, um, a lot, extensively in our HIPAA blog. So if you’re interested, please take a look. But we do have HIPAA that regulates at a federal level. Similarly, we have, uh, the Gramm-Leach-Bliley Act, which requires financial institutions to explain their data sharing practices to their customers, to safeguard the sensitive data.
Regardless of what industry you are in, it’s always important to check with your governance, risk and compliance teams or your legal teams to ensure you are complying with the industry-specific privacy laws that may apply to your organization. So it’s always, um, you know, good to talk with, um, your legal teams, just to make sure you, you have, uh, that compliance part covered.
[00:06:59] Claire McKenna: Got it. Okay. So we’ve talked about privacy on the international level and now the federal level. So let’s dive into state privacy laws in the US. What state privacy laws exist in the US, and how do they affect the rest of the country?
[00:07:14] Swathi West: Great question again. And we talked about GDPR a little bit, which would affect EU residents. In the same way we have CCPA, the California act, and it is the most
prominent state privacy law in the US. So it gives customers more control over their data that businesses collect, including the right to know about the personal information that the business is collecting about them, how it’s used or shared, and the right to delete the personal information, and also the right to opt out of the sale of their personal information, and also the right to non-discrimination for exercising their CCPA rights.
So these are all the laws under that CCPA. Um, and another thing to keep in mind is if your business serves California residents and meets one or more of the three requirements that are part of CCPA, you are required to comply. So just to, you know, get more info on those requirements: if you’re having an annual gross revenue of over 25 million US dollars, or you’re annually buying,
receiving, selling or sharing personal information of 50,000 or more consumers, households or devices, and deriving 50% or more of your annual revenue from selling customer data. So obviously this is part of, uh, California residents. So always think about these requirements, you know, whether, um, you’re complying with CCPA, you’re getting more information.
You are selling personal information of any, um, residents, more than 50,000. You know, keep a, keep a lookout for this, for this law. California being the most populous state, we always forget about it, right? You know, just, um, you asked, Claire, what about us thinking we have so many states and it’s only state regulated for California, but it doesn’t mean it’s only for California residents, being, you know, California being the most populous state in the country.
Many organizations might be deriving 50% or more, um, you know, annual revenue from selling customer data from Cal, for California residents. So it’s always important to understand, you know, whether you have to comply with CCPA. Just make sure you look at the requirements. And you know, this means that if a California customer, you know, for example, visits your website and you have cookies collecting any information that could be linked with their personal identity, you will have to inform them
and give them an option to opt out. So it’s always, you know, important. You just might be like, oh, this is just a website, this is a cookie collecting information, but you have to always make sure, if you’re collecting California residents’ personal information, you know, you should give them the ability to opt out or, um, you know, just make sure you
make a note that, hey, we’re collecting the information. And, um, you know, a couple other states followed with California, like Virginia and Colorado, both recently followed California’s example and passed similar, um, comprehensive consumer privacy laws. And we will see this definitely, you know, grow on a larger scale in different states throughout the US.
And privacy’s gonna be the next big thing. Everyone’s gonna definitely talk about pretty.
[00:10:26] Claire McKenna: Wow. Thank you for all of that insight. That’s so helpful. Um, so you’ve discussed, you know, how a lot of these regulations give consumers more control over their data. My last question for you is: what do organizations need to know about how these privacy regulations affect their business?
[00:10:45] Swathi West: Businesses should always work closely with the legal compliance team to understand how privacy regulations affect their business. Um, like we, you know, we talked about, right, Claire, and we talked about EU GDPR, California, HIPAA. I mean, we have compliance regulations that businesses should follow today.
It’s always important to understand which one, you know, do we have to be compliant with, um, how many California residents’ data are we collecting, or, um, how much business are we doing for, with EU residents? So these are all the things that you definitely have to talk, um, with your legal and compliance team.
And this might include a privacy attestation, right? Uh, there’s always something we can do in regards to like, what data do we have today and what compliance, um, frameworks or regulations we have to be compliant with. So this might be a privacy attestation, or these might be the discussions that you have to talk with your audit and compliance partner, like BARR. And, you know, just to conclude, it’s always good to ask.
And also it’s a best practice for a business to respect consumer privacy. And regardless of regulation, it is good for your business and, you know, good for your customers too, to be open and honest about your data collection practices. Let them know what you’re collecting, how you would use it, and things like that.
And like I said, it’s always good, if you have any questions in regards to like, hey, what, um, regulations do we have to follow or comply with, it’s always good to talk to your, um, partners like BARR.
[00:12:13] Claire McKenna: Wow. Yeah. Well, thank you, Swathi, for all of your valuable insight on privacy regulations on the international, federal and state level.
And we look forward to seeing everyone next time on cyBARR Chats in our privacy series. Thank you.