Data Privacy Laws Impact Every Business—Including Yours
With the rapid proliferation of data privacy laws, it’s no wonder mid-sized organizations are having a hard time keeping up with all of the new regulations. In addition, many companies struggle with understanding how rapidly evolving legislation might apply to them.
For example, if you’re a U.S.-based company that does business from North Dakota, you might not be concerned about privacy laws abroad. However, if your company offers goods and services or monitors user behavior in the European Union or in the United Kingdom, you may need to comply with regulations like EU GDPR and UK GDPR.
This blog explains why compliance with data privacy laws is important for businesses of all sizes. It also outlines key regulations that could impact your business and points to additional resources to help you get started on the path to compliance.
Why Compliance With Data Privacy Laws Is Important for All Businesses
Many organizations believe they are “too small” to be concerned with data privacy regulations, but that’s not necessarily the case.
Yes, it’s true that most of the new regulations apply to organizations of a certain size. This could be based on the number of employees or annual revenue, or it could be because the business deals with a higher volume of consumer information that they buy, receive, or sell.
However, there are nuances to the regulations, and it’s unwise to make blanket statements about who is and isn’t subject to these laws. For example, a doctor’s office or a pharmacy in the U.S. likely has a small staff and limited revenue, but they are subject to HIPAA compliance requirements.
Moreover, just because you’re not regulated today doesn’t mean you won’t be tomorrow. As your business grows, it’s increasingly likely to face compliance scrutiny, so following best practices now leaves you better prepared for when that time comes.
When a particular data privacy regulation applies to an organization, compliance with the regulation is mission-critical to its success, for the following reasons:
- Significant fines can be levied for non-compliance.
- Brand reputation and company growth can be tarnished by news of non-compliance.
- Companies are required to fulfill Data Subject Access Requests (DSARs), such as requests to be told what consumer data is being collected or requests to exercise the Right to be Forgotten, within tight time periods.
Skills Gaps and Evolving Requirements
Even though compliance with applicable national and international regulations is important, it’s virtually impossible for most organizations to keep up with evolving legislation. Mid-sized companies often face skills gaps that include the following:
- Generally, the regulations apply based on where your consumers are located, rather than where your company is based.
- Each law has its own idiosyncrasies and legal requirements, making compliance difficult without specialized company expertise. (For your convenience, a recap of current and proposed legislation appears in the next section.)
- As data privacy regulations converge with other compliance mandates, companies must safeguard consumers’ and employees’ personally identifiable information (PII) and Protected Health Information (PHI) at the same time.
- From a technical perspective, tracking down consumers’ data across different data repositories is extremely challenging, unless the process is automated and managed effectively.
A Primer on Notable Data Privacy Regulations
For your convenience, here is a recap of key data privacy regulations, as well as links to additional resources that will help you navigate which ones apply to your business.
EU General Data Protection Regulation (GDPR)
Considered one of the world’s strictest data privacy laws, GDPR's rules apply to any organization, in any country, that offers goods or services or monitors the behavior of users within the territorial reach of the European Union (EU). GDPR also requires the designation of a Data Protection Officer (DPO).
Go deeper: Refer to Egnyte’s GDPR Guide for specific details about the regulation.
UK General Data Protection Regulation
When the United Kingdom was a member of the European Union, EU GDPR applied to the UK. However, after Brexit in 2020, the UK GDPR regulation was instituted. The law governs the processing of personal data from individuals within the UK.
Go deeper: Additional details about the law can be found on the website of the UK Information Commissioner’s Office.
The California Privacy Rights Act of 2020 (CPRA)
The CPRA redefines and expands the California Consumer Privacy Act (CCPA), which went into effect in 2020 and is currently the most comprehensive data privacy legislation in the United States. In particular, the CPRA will give consumers more opportunities to opt out of targeted messages from businesses, and from third parties to whom those businesses have sold consumers’ data. The CPRA also sets forth specific requirements that direct businesses to use deliberate data privacy management systems and processes.
Go deeper: For more information, refer to Egnyte’s CPRA Guide. The new law takes effect on Jan. 1, 2023.
The Virginia Consumer Data Protection Act (VCDPA)
In March 2021, the Commonwealth of Virginia became the second U.S. state to enact a comprehensive data privacy law, and the VCDPA mandates a series of consumer rights, obligations for businesses and penalties related to consumer data privacy.
Go deeper: The VCDPA goes into effect on Jan. 1, 2023, and Egnyte’s VCDPA Guide provides additional details.
The Colorado Privacy Act (CPA)
In July 2021, Colorado became the third U.S. state to enact a comprehensive data privacy law, which is modeled on California’s CCPA.
Go deeper: Egnyte’s CPA Guide provides additional details on the legislation, which goes into effect on July 1, 2023.
Utah Consumer Privacy Act (UCPA)
In March 2022, Utah became the fourth U.S. state to enact a comprehensive data privacy law. It is modeled on components of Virginia’s VCDPA and Colorado’s CPA.
Go deeper: Additional details about the legislation—which goes into effect on Dec. 31, 2023—can be found here.
Connecticut Privacy Act: An Act Concerning Data Privacy & Online Monitoring
In May 2022, Connecticut became the most recent U.S. state to enact a comprehensive data privacy law.
Go deeper: Listen to Egnyte’s Chief Governance Officer, Jeff Sizemore, discuss the act’s impact in this webinar.
Egnyte’s Advanced Privacy & Compliance Solution
With so many companies struggling to understand and comply with all of the new regulations, Egnyte recently partnered with Truyo, experts in data privacy rights management, to provide an Advanced Privacy & Compliance (APC) solution.
APC permits organizations to:
- Conveniently manage DSARs, including individuals’ right to request access or deletion of their data from collecting organizations.
- Assess their company’s compliance and scope with specific regulations.
- Create and review vendors’ technical assessments and evaluate potential risk to consumers’ data.
- Augment cookie consent capabilities, including integration of cookie consent into compliance workflows.