Beyond GDPR: Data Privacy Laws Tighten Up in the U.S.

U.S. businesses and their partners need to plan how they will dispose of consumers' personal information.

January 11, 2019


By Christina Walker, Global Director, Channel Sales and Programs, Blancco Technology Group

After years of massive data breaches and more recent flagrant abuses of consumer data privacy, businesses are on high alert and pulling out all the stops to protect their data — and their customers’ personal information.

Businesses will have to gear up to comply with new data privacy laws both in the U.S. and abroad if they want to successfully compete in our global economy. Under Europe’s GDPR law, which went into effect in May 2018, consumer privacy rights were expanded to include a requirement for companies to inform affected parties of a serious data breach. In addition, companies are instructed to abide by lawful processing of data, ensuring that each data subject has given consent for their data to be processed and that each of the individual’s rights is adhered to. Companies that fail to comply with GDPR will be subject to substantial fines.

The Clock Is Ticking

Adding to the growing global privacy legislation, at least 34 states and Puerto Rico have enacted laws that require either private or governmental entities (or both) to destroy, dispose of or otherwise make personal information unreadable or undecipherable. Thirty-one of these laws address digital data specifically, while Arizona’s data disposal law applies to paper records only.

The Federal Trade Commission’s Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The rule applies to consumer reports or information derived from consumer reports, which includes personal data and financial information.

Where organizations might be confused is how to properly dispose of this sensitive customer data — and whether their process meets state, national or global regulations. Some might even think shredding hard drives and mobile devices might suffice, but that’s not always true. Physical destruction is the process of shredding hard drives, smartphones, printers, laptops and other storage media into tiny pieces by large mechanical shredders, and it’s a very secure process — most of the time. But there are exceptions. Usable residual data can still remain on the storage media or mobile device and could potentially be recovered with the assistance of advanced forensic tools, making it a potential threat in the event of a data breach.

Software-based data erasure, unlike physical destruction, includes verification that the data has been securely erased. Erased devices are certified to contain no usable residual data, and they’re often able to be reused or resold, saving money and the environment.

Preparing for the California Consumer Privacy Act

Some claim the GDPR is a model for laws that other countries will adopt in the future. And while many thought the GDPR was extreme, California went one step further to pass one of the toughest and most comprehensive data privacy laws in the country. Due to go into effect on Jan. 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) legislates how large companies handle customer data and holds them accountable for the ways to manage, store and dispose of the sensitive data made available to them.

Given it’s a state law, the CCPA will protect the privacy rights of California residents, meaning businesses will need to comply whether they’re based in California or not. Noncompliance could possibly threaten their ability to do business in the most populous state in the U.S.

Looking ahead to 2019, organizations should assess their current practices with regard to data management — especially customer and personally identifiable information (PII) — and define a timeline to bring their organizations into compliance prior to the implementation of the CCPA. Primarily, companies should know exactly where their data is, where it’s being stored and whether it can be retrieved on request. If data cannot be retrieved and securely erased when consumers ask for it, compliance may be shaky and organizations risk being fined $7,500 per violation. By building out best practices to manage data throughout its entire life cycle and implementing audit trails for full visibility, companies will be in a good position to comply with the CCPA and meet other, similar laws once they’re enacted.

As business and computing environments become more complex, service providers can do their part to help companies adapt to a myriad of challenges they face, from data disposal to compliance issues to data privacy and security. By expanding their data management and security offerings, channel companies can attract new customers that have a big stake in securing company and customer data, which is a requirement for doing business and being successful in a global economy.

Christina Walker is the global director of channel sales and programs at Blancco. She manages Blancco’s channel sales team, overall partner strategy and ensures the program is continually evolving to support the needs of the company’s growing list of active partners. Follow her on LinkedIn and the company at @BlanccoTech.
