#1 It’s the Law – Changes in the privacy landscape are increasing. The EU GDPR was the first major change, followed by California’s CCPA, Brazil’s LGPD, Canada’s Bill C-11, and the list continues. On a global scale, new privacy laws and requirements are being developed to provide further guidance around valid consent, appropriate security safeguards and additional requirements around data subject rights, to name a few.

#2 Data Subject Rights – Changes in privacy regulations are giving data subjects more rights, and hence more control over whether and how organizations can process their personal information. Organizations face significant risks by failing to effectively manage data subject rights. It’s a new game, with exposure to severe penalties if not played by the rules. Google was fined 50 million euros because it wasn’t able to fulfill its obligations when it came to data subject rights, along with a lack of transparency and invalid lawfulness of processing.

#3 Significant Fines – One of the common changes being made across global privacy regulations is fines for non-compliance. Regulators want to ensure organizations realize the importance of protecting data subjects’ personal information and of ensuring that data is used in a fair and ethical manner. Fines give regulations “teeth”, and the reality is that when you have teeth you are taken more seriously.

#4 Outsourcing Risk – More organizations are using vendors to process personal information on their behalf. This creates additional risks, so organizations need a good vendor risk management program that guarantees data subjects’ personal information receives the same level of protection. The LifeLabs breach represents a milestone case in Canadian healthcare privacy and security. Under the new digital charter, not only would LifeLabs be fined for inadequate security safeguards, but affected Canadians would be appropriately compensated if their personal data was breached. In another example, T-Mobile, AT&T, Verizon and Sprint were fined due to their inability to adequately protect customers’ personal data and for general misuse, including providing the data to third-party companies without obtaining customer consent.

#5 Emerging Technologies – Changes in the market…
