By Neil Jones, Director of Cyber Security Evangelism at Egnyte
Data privacy laws are proliferating rapidly, so it’s no surprise that many MSPs are having a hard time keeping up with all the new and rapidly evolving regulations.
For example, if you have a client that’s based in South Dakota, you might not be concerned about privacy laws abroad. However, if your client offers goods and services or monitors user behavior in the European Union or in the United Kingdom, you may need to comply with regulations like EU GDPR and UK GDPR.
In this blog you will learn the following:
- Why compliance with data privacy laws is important for clients of all sizes
- Key regulations that could impact you and your clients’ businesses
- How to get started on the path to compliance
Importance of Compliance with Data Privacy Laws
Many organizations believe they are “too small” to be concerned with data privacy regulations, but that’s not necessarily the case.
Yes, it’s true that most of the new regulations apply to organizations of a certain size. That threshold could be based on the number of employees or annual revenue, or it could be because the business deals with a higher volume of consumer information that it buys, receives, or sells.
However, there are important nuances to the regulations, and it’s unwise to make blanket statements about who is and isn’t subject to such laws. For example, a doctor’s office or a pharmacy in the U.S. likely manages a small staff and generates limited revenue, but they are subject to HIPAA compliance requirements.
Moreover, just because an organization is not regulated today doesn’t mean that it won’t be tomorrow. As businesses grow, they are increasingly likely to face compliance scrutiny, so you’re better off following best practices now, so that you’re prepared when that time comes.
When a particular data privacy regulation applies to an organization, compliance with the regulation is mission-critical to its success, for the following reasons:
- Significant fines can be levied for non-compliance.
- Brand reputation and company growth can be tarnished by news of non-compliance.
- Companies are required to fulfill Data Subject Access Requests (DSARs)—such as notification of consumers’ data that’s being collected or their Right to be Forgotten—within limited time periods.
Skills Gaps and Evolving Requirements
Even though compliance with applicable national and international regulations is important, it’s virtually impossible for most organizations to keep up with evolving legislation. Small- and mid-sized companies often face skills gaps that include the following:
- Generally, the regulations apply where a company’s consumers are located, rather than where the company is based.
- Each law has its own idiosyncrasies and legal requirements, making compliance difficult without specialized company expertise. (A recap of current and proposed legislation appears in the next section.)
- As data privacy regulations converge with other compliance mandates, companies are also faced with the need to safeguard employees’ information that involves personally identifiable information (PII) and Protected Health Information (PHI), all at the same time.
- From a technical perspective, tracking down consumers’ data across different data repositories is extremely challenging, unless the process is automated and managed effectively.
Notable Data Privacy Regulations
For your convenience, here is a recap of key data privacy regulations, as well as links to additional resources that will help you navigate the needs of your clients.
EU General Data Protection Regulation (GDPR)
Considered one of the world’s strictest data privacy laws, GDPR's rules apply to any organization, in any country, that offers goods or services to or monitors the behavior of users within the territorial reach of the European Union (EU). GDPR also requires the designation of a Data Protection Officer (DPO).
Go deeper: Refer to Egnyte’s GDPR Guide for specific details about the regulation.
UK General Data Protection Regulation
When the United Kingdom was a member of the European Union, EU GDPR applied to the UK. However, after the United Kingdom left the EU in 2020, the UK GDPR regulation was instituted. The law governs processing of personal data from individuals within the UK.
Go deeper: Additional details about the law can be found on the website of the UK Information Commissioner’s Office.
The California Privacy Rights Act of 2020 (CPRA)
The CPRA redefines and expands the California Consumer Privacy Act (CCPA), which went into effect in 2020 and is currently the most comprehensive data privacy legislation in the United States. In particular, the CPRA will provide consumers with more opportunities to opt out of targeted messages from businesses, or from third parties to whom those businesses have sold consumers’ data. The CPRA also sets forth specific requirements that direct businesses to utilize deliberate data privacy management systems and processes.
Go deeper: For more information, refer to Egnyte’s CPRA Guide. The new law takes effect on Jan. 1, 2023.
The Virginia Consumer Data Protection Act (VCDPA)
In March 2021, the Commonwealth of Virginia became the second US state to enact a comprehensive data privacy law, and the VCDPA mandates a series of consumer rights, obligations for businesses and penalties related to consumer data privacy.
Go deeper: The VCDPA goes into effect on Jan. 1, 2023, and Egnyte’s VCDPA Guide provides additional details.
The Colorado Privacy Act (CPA)
In July 2021, Colorado became the third U.S. state to enact a comprehensive data privacy law, which is modeled on California’s CCPA.
Go deeper: Egnyte’s CPA Guide provides additional details on the legislation, which goes into effect on July 1, 2023.
Utah Consumer Privacy Act (UCPA)
In March 2022, Utah became the fourth U.S. state to enact a comprehensive data privacy law. It is modeled on components of Virginia’s VCDPA and Colorado’s CPA.
Go deeper: Additional details about the legislation, which goes into effect on Dec. 31, 2023, can be found here.
Connecticut Privacy Act: An Act Concerning Data Privacy & Online Monitoring
In May 2022, Connecticut became the most recent U.S. state to enact a comprehensive data privacy law.
Summary
As you can see, ten percent of US states are anticipated to have data privacy laws in place by the end of 2023. We anticipate further data privacy legislation to be passed in the United States, and internationally, in the near term. Please reach out to your Egnyte partner account manager for the latest developments.