Today in our virtual studio we have Neguiel Hicks – Attorney & Privacy Consultant at GmB Consulting LLC. Neguiel, thanks for finding time for us! Let me jump into our first question straight away.
Data privacy regulations are spreading both nationally and internationally, and more organisations are starting to incorporate privacy frameworks to help them manage compliance in 2021 and beyond. Which privacy framework do you recommend and why?
That’s a great question. The privacy frameworks that I see and come across are both the US and Europe. Those are the two that I deal with primarily, almost exclusively. In the US, we have a privacy regulation built around a topic. So, for instance, HIPAA is health insurance information. If you have health insurance and you go to the doctor, that’s very specific. In Europe, they call that special category data. So where the US looks to regulate information or data according to a topic, where it’s coming from and what it’s used for, the European approach is much broader. And one of the things that I have noticed from the GDPR perspective, especially with my US clients, was “what is this?” and “how does it apply to us?” And the most prevalent market that came from was the advertising and technology market, or the marketing and advertising market, I should say. They really didn’t understand, because we don’t regulate that kind of activity here in the US. And it was so broad that it was kind of off-putting, as they didn’t understand until their clients started to say, “Are you GDPR compliant?”
One thing I love about GDPR is that it covers such a broad area; it covers the consumer aspect of it. Here in the US, we are really far behind on regulating that kind of activity. If I had to choose between the two, I’d probably say the European regime is probably in a much better position to regulate the technologies and the issues that we’re starting to see today.
There will be a significant increase in data subject requests and compliance. What is the best way to cope with the increase in data subject requests?
Oh, that’s a tough question right there. So I have to refer back to my time when I was in information governance and e-discovery, and what I saw there is that they don’t understand where their data is and they don’t understand what their data is doing. So there’s a real disconnect between the IT product developers and the legal team that’s working on the regulatory issue. There’s a very big technical disconnect in the sense that the legal team doesn’t always understand what the IT team is doing. And the IT team, when they come into that legal world, either over- or under-answer a question.
So the best way to cope with an increase in these data subject requests or regulatory requests here in the US is to know where your data is, know what you’re doing with your data, and understand the limitations of your technology. And then work on your policies.
Why take that approach? Because the first thing you should do, or the first thing you look to do, in a high-volume response type of environment is to automate a lot, or as much as you can. Facebook is very good at it: I can enter a GDPR data subject request online and within about 20 minutes I have a zip file sent to me. And that’s because it’s automated, and they mapped all of their data and they have it all in one place. So they have an API that pulls all that together in one place. Having that in place saves so much time as far as searching it out, identifying the data subject and their data, and then packaging it and getting it to that person. I think with the increase in data subject access requests, you almost have to go to that automated response.
What should businesses consider when it comes to keeping data protected as they continue navigating through COVID-19?
Definitely knowing where their data is and what it’s doing, and really being able to harden some of the protections around it. We’re starting to see a lot more. It’s more prevalent now where we have these hacking groups, whether they’re state actors or independent actors, that are doing things like shutting off access to your data, charging ransoms for your data, things like that. And you know that they’re adulterating the data or they’re stealing the data when they’re in there.
Data is the new digital oil; it’s a very valuable resource, and it’s time to start protecting it like a valuable resource, or as someone with a valuable resource would. I think a lot of money has to be spent, or a lot of budgetary considerations have to be spent, towards that cybersecurity aspect.
In your country, what is the approach to international data transfers? What should we be prepared for in 2021–2025?
So here in the US, we haven’t really changed our way of doing business when it comes to international data transfers, until we work with a European client who is very concerned about that. With the CloudFlare and MailChimp decisions that have come out, more European companies are starting to notice that the European regulators don’t want data to be sent internationally. Instead of increased data transfers internationally, we’re going to see very localised transfers. And what I mean by that is that Europeans are definitely moving towards a European model to keep their data in Europe, and that’s the preference of the regulators.
I think you’re going to see more US companies establish in Europe so that they can meet their GDPR requirements, their international data requirements, and also retain their European clients here in the US. As I said, we really don’t regulate a whole lot of international data transfers unless it relates to government type of work, national security type of work. Those are highly regulated. But when it comes to consumer data, we haven’t been very good at regulating that like the European model has been. So I see a lot of localisation in Europe and Asia, and to some degree in Latin America. But it’s a little bit harder there. But I definitely see it out of Europe and Asia, the two that are localising data a lot more. That’s why I think the international data transfers are going to be fewer and further in between because of that localisation effort.
To be continued…