Updated: Nov 8, 2020
Privacy Risks With Data Sharing
Sharing any personal data with third parties exposes institutions, companies and Chief Risk Officers to the risk of non-compliance with Data Privacy Laws. In addition to the EU's GDPR, new US Privacy Laws such as California's CCPA and Nevada's Senate Bill 2020 impose more stringent obligations on organizations. Any violation of these laws when sharing personal data can result in fines worth millions.
In this article, we share the best practices to follow when sharing such data with third parties so that you can minimize the risk of non-compliance. We believe that organizations should leverage their existing Data Governance artifacts and processes to handle Privacy strategically.
Allowing third parties access to your databases, sharing personal details of individuals with marketers or data brokers, and storing personal data on third-party cloud servers are examples of sharing personal data with third parties.
Sharing personal data with third parties comes with certain data privacy risks, some of which have nothing to do with the third party itself. Malicious actors sometimes target personal data in transit, and once they have obtained access to the content of personal data, they can use it for harmful purposes or even transfer it to yet other parties. So, it is essential to ensure that the receiving third party's IT network and security protocols are secure enough to protect shared data against cyber threats. That is your responsibility.
US Privacy Laws Bring New Challenges For Data Sharing
Growing concern over privacy protection is reflected in new legislation and monetary fines outlined in those legislations. Sharing personal data with third parties in violation of GDPR, for example, can result in penalties as high as 4% of annual revenue or 20 million Euros. BOUNTY, a UK Company, was recently fined 500,000 Pounds for selling personal data to third-party data brokers.
Newly enacted US Privacy Laws introduce new challenges for data-sharing. The California Consumer Privacy Act (CCPA) requires that consumers be provided with a 'do not sell my information' option. Any violation may lead to a fine of up to $7,500 per record (if intentional). Nevada has updated its privacy law, and it gives citizens the right to opt out of the selling of their information.
Furthermore, sharing personal data with overseas recipients creates legal uncertainties and increases non-compliance risks. The EU Court of Justice recently struck down EU-US Privacy Shield, and not updating existing data-sharing agreements can lead to regulatory fines.
Considering these risks, implementing a robust data privacy strategy is critical to compliance with US privacy laws and avoiding fines for data sharing operations.
Best Practices To Follow To Achieve US Privacy Law Compliance
To mitigate the risk of violating privacy laws while sharing personal data with third parties, adopting the following practices will be useful.
1. Implement Third Party Vetting Programs
Conducting a risk analysis on potential third party recipients will help identify mitigation opportunities for privacy law violation risks (see Prodago's Privacy Accelerator, which includes a very extensive, if not an exhaustive collection).
An organization is responsible for any mishandling of personal data by third parties it deals with. Something as simple as retaining the data for too long can fall back on you and subject you to regulatory action. If the third party does not store the received data on a secure system and the system gets breached, you are also likely to face monetary fines, sometimes worth millions.
For instance, Facebook is under investigation for a GDPR violation because it allowed a third party to access personal data. The third party, in turn, stored the data on an unsecured public server.
Therefore, any organization needs to implement a third-party vetting program to ensure that adequate checks and balances are applied before sharing any personal data. In this context, here are some questions you should be able to answer:
Does the recipient party store personal data on a secure server? If they rely on their own IT infrastructure, you should evaluate how secure their system is. If they store data on cloud servers, you should also investigate how safe personal data is on this cloud and vet the cloud provider. For example, if personal data is not encrypted and easily accessible, you have a dangerous situation on your hands.
To ensure that the recipient adheres to the best security standards, you should ask for previous IT audits and security certifications such as ISO and SOC-2.
You should also check the policy of the recipient in terms of employee access to personal data.
2. Increase Data Privacy Awareness within Your Organization
Most of your organization departments such as Human Resources, Marketing, Sales, and perhaps Legal may share personal information with third parties. For instance, HR may give third-party headhunters access to your employees' database. Your marketing team may share customer information with data-augmentation suppliers (e.g., Acxiom) for richer segmentation capabilities.
To comply with US Privacy Laws, increasing the awareness of Privacy in your organization is crucial. If your employees keep privacy considerations in mind and follow specific procedures or directives while sharing personal data, the risk of violating privacy laws will be significantly reduced. For instance:
You should train your employees so that they understand the importance of Privacy. Violation of data privacy can lead to both high monetary fines under privacy laws and reputational damages. When your employees comprehend why they should care about Privacy, studies show they will be more diligent when sharing personal data.
You should also train your employees on the protocols and procedures to follow if they intend to share personal information. They should know how to document data sharing, whom the data may be shared with, how to vet the third party, and how to make sure the third party adopts the necessary security measures. If they perceive any risks, they should know how to get help from IT or their legal team and avoid proceeding.
Employees should be aware of phishing scams, which can trick them into sharing sensitive personal information such as addresses, bank account details, or passport details. Your personnel should understand how to detect and protect themselves against such attacks and report them before sharing any personal information and subjecting you to privacy law violations.
3. Decide If Sharing of Personal Data Is Necessary
It would be best if you determined first whether sharing personal data is necessary to achieve a particular objective and whether there are less intrusive ways to accomplish it. Depending on the circumstances, sharing personal information may not be required.
Perhaps you can anonymize personal data to avoid being subject to privacy compliance requirements
You can minimize data privacy compliance risks considerably by anonymizing personal data. For instance, under GDPR, anonymized data means data that cannot be used to identify a specific individual, so that there are no risks to rights and freedoms. If you anonymize the personal data that you will share, GDPR will not apply to the sharing of such anonymized data, and you will not be subject to GDPR requirements and the risk of monetary fines. You will no longer have to obtain consent from individuals or inform individuals of the sharing.
As with GDPR, de-identified or aggregated consumer information does not fall under the scope of the CCPA. It is worth asking the question, as it removes many headaches.
The more personal data is shared, the higher the risk of violating data privacy laws. If unnecessary personal data is shared, the adverse effects of a data breach on individuals will be greater. The monetary fine will probably be commensurate with the amount of data involved. Therefore, adopting policies and procedures to ensure that only the relevant personal data (e.g., fields, elements) are shared is critical to minimizing privacy risks.
GDPR, for instance, actually specifies that you only collect and share the relevant (or minimum) personal data.
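The field-level minimization described above, as an added example that is not part of the original article: an approved field list (a constructed stand-in for the dataset specification you would put in a Data Sharing Agreement) is enforced before export, and allowed quasi-identifiers such as birth date and postal code are generalized instead of passed through. The record, the dataset name and the reference date are constructed; note that the output is de-identified, not anonymous in the GDPR sense, because the customer identifier still links back to a person.

```python
"""Minimize a customer record before it is shared with a third party.

Added example, not part of the original article. The field list is a
constructed stand-in for the dataset specification in a Data Sharing
Agreement; the record and reference date are constructed sample data.
"""
from datetime import date

# Hypothetical DSA dataset specification: the only fields the recipient may receive.
DSA_FIELDS = {
    "marketing_segmentation": {"customer_id", "postal_code", "birth_date", "segment"},
}

# Constructed reference date (the article's update date) so results are reproducible.
REFERENCE_DATE = date(2020, 11, 8)


def age_band(birth_date, today=REFERENCE_DATE, width=10):
    """Generalize an ISO birth date (YYYY-MM-DD) to a 10-year age band such as '30-39'."""
    year, month, day = (int(part) for part in birth_date.split("-"))
    # Subtract one if this year's birthday has not happened yet.
    age = today.year - year - ((today.month, today.day) < (month, day))
    low = age - age % width
    return f"{low}-{low + width - 1}"


def minimize_record(record, dataset):
    """Return (shared_record, dropped_fields).

    Fields outside the DSA list are dropped, and allowed quasi-identifiers are
    generalized rather than passed through verbatim. The result is de-identified,
    not anonymous: customer_id still links back to a person.
    """
    if dataset not in DSA_FIELDS:
        raise ValueError(f"no DSA dataset specification for {dataset!r}")
    allowed = DSA_FIELDS[dataset]
    shared, dropped = {}, []
    for field, value in record.items():
        if field not in allowed:
            dropped.append(field)  # e.g. full_name, email: not in the DSA, never exported
        elif field == "birth_date":
            shared["age_band"] = age_band(value)
        elif field == "postal_code":
            shared["postal_prefix"] = value[:3]  # coarser location, same segmentation value
        else:
            shared[field] = value
    return shared, sorted(dropped)
```

The dropped-field list is worth writing to your data-sharing log: it is the evidence that minimization was applied to each export.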
4. Have a Data Sharing Agreement
Having a Data Sharing Agreement (DSA) with a third party is always a good practice to comply with US Privacy Laws and GDPR. A DSA is a binding legal agreement signed between you and the receiving party, and it clarifies the rights and obligations of both parties.
While a DSA does not exempt you from complying with privacy laws or from facing legal action, it can be highly beneficial in your compliance efforts:
A DSA helps you demonstrate that you have considered the relevant data privacy issues while sharing personal data. Explaining the justification for sharing data, imposing data security obligations (such as secure data transmission requirements) on the receiving party, and determining whether other parties will access the personal data are examples of what to put in a DSA to document your compliance efforts.
Having a DSA may be a necessary step to comply with relevant privacy laws. For instance, GDPR article 26 requires that you have an 'Agreement' in place with a joint controller, and a DSA will fulfill such a compliance requirement.
What to include in a DSA?
A DSA explains the purpose of the data sharing, defines the legal grounds, and identifies other third parties that can access the data. These are all part of good planning to demonstrate compliance with any US Privacy Laws.
To minimize the risk of non-compliance, you should also consider adding the following in the DSA:
Introduce rules and procedures for retention and deletion of personal data.
Impose technical and organizational security requirements on the receiving party to minimize the risk of non-compliance.
Specify which datasets you will share so that no excessive sharing of data occurs.
If the data is transferred overseas, consider the current rules concerning international data transfers. The EU Court of Justice has recently struck down the EU-US Privacy Shield.
5. Adopt Procedures for Secure Transmission of Data
Sharing personal data in an unsecured way, such as via e-mail, leaves the personal data exposed to interception. The majority of secure data transmission methods use encryption protocols such as SSL and TLS (SSL itself is obsolete, so current deployments should rely on TLS).
You can set out the following rules in standard procedures:
In what ways and when personal data can be shared;
Whether IT or Legal should be consulted first;
Whether there needs to be approval before sharing personal data.
If you adopt standard procedures for secure transmission and train your workforce to follow these, the risk of unsecured personal data sharing will be minimal.
Achieving compliance with various complex laws that impose stringent requirements, as US Privacy Laws certainly do, is a big challenge. Privacy Compliance is not a destination but rather a process that requires the collaboration of many teams.
To avoid the risks of facing fines and suffering reputational damage, take necessary security measures, stay updated with recent developments, and make sure that your workforce comprehends the importance of Privacy and the cost of negligence.
Considering that new US Privacy Laws in states such as New York and Massachusetts will likely be enacted and impose new obligations on businesses, expect that personal data sharing will be subject to stringent requirements. Adopting a robust strategy for data-sharing will be useful no matter what happens.
Note: For more information on how individuals can stay safe and protect personal information, you can visit the Data Privacy Day website, an international effort to empower individuals and businesses to respect privacy, safeguard data and enable trust.