The Future Of Data Privacy Regulations In Technology

Summary

The future of data privacy regulations in technology revolves around safeguarding personal information in an increasingly digital world, balancing innovation with protecting individuals' rights. With advancements like AI and globalized data sharing, businesses must adapt to evolving laws like GDPR, CCPA, and emerging privacy frameworks, addressing compliance, data sovereignty, and ethical technology use.

  • Prioritize compliance updates: Regularly review and update your privacy practices to align with new regulations and ensure transparency in data usage and consent management.
  • Build a robust governance framework: Develop and maintain a deep understanding of your data flows, including AI interactions, and establish localized governance structures to meet regional data sovereignty needs.
  • Collaborate with trusted partners: Ensure vendors and external tools are in sync with your data policies, providing scalable solutions for secure data management and cross-border compliance.
Summarized by AI based on LinkedIn member posts
  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    3,712 followers

    Privacy leaders, as we start 2024, what are you focused on? I share 10 areas where privacy programs may need to adapt in the first half of 2024 in a piece with Law360. These include:

    1️⃣ Pixel and Tracking Technology Governance:
    ☑ Validate processes to know third-party pixels/cookies/technologies used
    ☑ Verify data passed meets your standards
    ☑ Honor opt-out signals
    ☑ Offer opt-out rights in new states requiring them

    2️⃣ Flows and Uses of Biometric, Health and Wellness Data:
    ☑ Identify health, #fitness, #wellness, and pregnancy products/services
    ☑ Know use of photos, videos, & #keystrokes--which now may be biometric data
    ☑ Understand data flows for these broad new types of health data
    ☑ Determine #litigation exposure and compliance plan for new WA My Health My Data Act (MHMDA)

    3️⃣ Privacy and Data Protection Assessments:
    ☑ Revise data protection assessments (DPA) triggers for new types of sensitive #PersonalData
    ☑ Prepare for #California CCPA DPA regulations (including potential board reporting and regulatory filings)

    4️⃣ AI and Automatic Decisionmaking Assessments:
    ☑ Prepare for #CCPA AI and #AutomaticDecisionmaking regulations
    ☑ Plan for potential new opt-out rights
    ☑ Discuss potential external consultations with your #AI governance stakeholders

    5️⃣ Data Subject Rights:
    ☑ Test rights fulfillment processes
    ☑ Adjust processes for new procedural requirements
    ☑ Confirm opt-out preference signals are addressed and associated with known customers
    ☑ Revisit scoping and risk decisions for access and deletion rights offered for WA MHMDA
    ☑ Prepare to tell people specific third parties personal data is disclosed to
    ☑ Plan for potential new opt-out rights under CCPA AI and automatic decisionmaking regulations

    6️⃣ Opt-ins for Sales of Sensitive Data:
    ☑ If you "sell" sensitive personal data, plan for new opt-in consent requirements
    ☑ Update consent management platform processes as needed

    7️⃣ Customer Journeys and User Interfaces:
    ☑ Do a proactive review of customer-facing user interfaces
    ☑ Compare practices with soon-to-be enforceable #DarkPattern requirements

    8️⃣ Privacy Notices:
    ☑ Do required annual privacy notice review
    ☑ Update based on new requirements for #privacy notices
    ☑ Revise data subject rights metrics for new required details
    ☑ Align disclosures with your position on #MHMDA
    ☑ Launch consumer #health privacy notice if you deal with #biometric or other types of health data

    9️⃣ Customer/Vendor Contracts and Processes:
    ☑ Update contract templates for new required provisions
    ☑ Refine contract templates for developments and emerging risks including for EU-US Data Privacy Framework and AI training
    ☑ Confirm legacy contracts have been updated

    🔟 Internal Policies and Standards:
    ☑ Review policies/standards for new requirements and risks, including for contracting, assessments, pixels/technologies, data governance, and AI.

    See the piece for more details, and Happy New Year! https://lnkd.in/gDpEz-fY

  • Caitlin Fennessy

    VP & Chief Knowledge Officer at IAPP

    16,179 followers

    📜 The World Bank just published a new report on the laws, institutions and enforcement that support trusted data markets. Authored by Elena Gasol Ramos, it aims to provide emerging markets a toolkit to build innovative data markets with the trust necessary for growth.

    🌍 It offers empirical research across 52 countries, looking at their data protection laws and enforcement authorities as well as how they have been resourced and deployed in practice.

    💡 What did they find?

    - Many/most countries surveyed have strong legal frameworks and institutional arrangements but weaker implementation and enforcement. Unsurprisingly, many of these frameworks are built on the influential GDPR model, but have yet to be fully implemented.
    - Some countries have "surprisingly" strong enforcement even in the absence of robust legal frameworks.
    - All 52 countries have adopted the following ten key information privacy practices:
      1. Stronger privacy protection for sensitive data
      2. Data processing definition
      3. Data retention limits
      4. Obligation of fair processing
      5. Purpose specification
      6. Informed consent
      7. Reasonable/appropriate security measures
      8. Right to access
      9. Right to rectification
      10. Right to object
    - On the flip side, fewer than 25% of the countries in the sample exhibited the following practices:
      1. Sufficient resourcing of data protection authorities
      2. Effective transparency and cooperation (and transparency about cooperation)
      3. Redress for individual harm
      4. Prohibitions on manipulative interface design
      5. Simplified requirements for SMEs
      6. Rules for AI-driven data processing.
    - Data transfer rules offer a noteworthy example of the disconnect between laws and implementation. "[W]hile 88% of the countries in the sample allow businesses to transfer data to third parties when the country where data is transferred to protects data in an acceptable way, only 42% of them provide a list of countries that comply with such requirement.... [W]hile 67% of countries provide for standard contractual clauses as a safeguard to allow cross-border data flows, only 37% of the Authorities surveyed have published or endorsed standard contractual clauses." The report notes though, "The point is not to create bespoke requirements in each country," but rather to have multiple mechanisms to facilitate compliance, particularly for SMEs that can't afford lawyers to figure it all out.

    ✔️ What does the report recommend?

    - Simplify requirements for SMEs, embrace risk-based compliance, reduce registration requirements, and increase guidance and resources on cross-border data transfers
    - Use the toolkit to benchmark approaches against a "minimum package" common to other countries, considering differences in legal regime (civil/common law), income level, region ...

    Full report: https://lnkd.in/en2PxFue #data #trade #privacy #dataprotection

  • Manish Sood

    Chief Executive Officer, Founder & Chairman at Reltio

    14,853 followers

    President Biden’s recent Executive Order on AI leaves one key issue open that remains top of mind for most organizations today – data privacy. The order calls Congress to pass “bipartisan data privacy legislation” to protect Americans’ data.

    As we embrace the power of AI, we must also recognize the morphing challenges of data privacy in the context of data sovereignty. The rules are constantly changing, and organizations need flexibility to maintain compliance not just in their home countries but also in every country in which they operate.

    Governments worldwide, from the European Union with its GDPR to India's Personal Data Protection Bill, are setting stringent regulations to protect their citizens' data. The essence? Data about a nation's citizens or businesses should only reside on systems within their legal and regulatory purview.

    We all know AI is a game-changer but also a voracious consumer of data and a complicating factor for data sovereignty. Especially with Generative AI, which consumes data indiscriminately, often stored and processed at the AI companies' discretion. This collision between AI's insatiable appetite for data, the temptation for organizations to use it, and global data sovereignty regulations presents a unique challenge for businesses.

    With the right approach, businesses can harness the power of AI while respecting data sovereignty. Here are a few ideas on how:

    Mindset: Make data sovereignty a company-wide priority. It's not just an IT or legal concern; it's a business imperative. Every team member should understand the risks associated with non-compliance.

    Inventory: Know your data. With large enterprises storing data in over 800 applications on average, it's crucial to maintain an inventory of your company's data and be aware of the vendors interacting with it.

    Governance: Stay updated with regional data laws and ensure compliance. Data sovereignty requires governance to be local also.

    Vendor Compliance: Your external vendors should be in lockstep with your data policies.

    Leverage Data Unification Solutions: Use flexible, scalable tools to ensure data sovereignty compliance. Data unification and management tools powered by AI can detect data leakages, trace data lineage, and ensure data remains within stipulated borders.

    I’ve witnessed how this can be accomplished in many industries, including healthcare. Despite stringent privacy and sovereignty policies, many healthcare management systems demonstrate that robust data management, compliant with regulations, is achievable. The key is designing systems with data management policies from the outset.

    To all global organizations: Embrace the future, but let's do it responsibly. Data privacy and sovereignty are not a hurdle; it's a responsibility we must uphold for the trust of our customers and the integrity of our businesses. Planning for inevitable changes now will pay dividends in the future. #data
