With five data privacy laws coming online in 2023, businesses that operate within the U.S. have had to rapidly adapt to a regulatory environment that more closely resembles the EU. In the new year, the following laws will go into effect and change how affected businesses operate forever:
While the new regulations will protect consumers and grow their trust in the businesses they frequent, it won’t be easy for businesses to get compliant. In our countdown series blog, we’ve been advising businesses on what tasks they need to do and when in order to become compliant in time for 2023’s new state privacy laws.
Although data privacy is becoming an increasingly high-profile subject, it can still be tempting to relegate it to the back burner. For those businesses that haven’t moved on data privacy initiatives until now, or for those that simply need a reminder, here’s what we covered in the previous installments of our countdown series.
Our six-month blog covered the fundamentals. We talked about which businesses are subject to 2023’s data privacy laws and why compliance is likely in their future even if they aren’t subject to a law today. Most importantly, we talked about developing a data inventory, or record of processing activities (RoPA). This document serves as the foundation for all compliance activities in both the immediate and long term.
If you haven’t already, check out our 6-month countdown to 2023’s state privacy laws to learn all about building your data privacy foundation.
In our three-month blog, we discussed the need to update your vendor contracts with data processing addenda. The state privacy laws coming into effect in 2023 require that businesses that share their consumers’ data with other organizations—such as ad tech firms, payment processors, logistics companies, and more—must have special contractual provisions in place. Implementing these provisions across your contract portfolio can be time-consuming, in part because of the sheer number of vendors you might work with and in part because there is no standard format for these provisions.
If you want to learn more about this process, check out our 3-month countdown to 2023’s state privacy laws.
First: don’t panic.
Compliance is hard, and businesses won’t become compliant overnight. Authorities are likely (though not guaranteed) to go easy on businesses that can demonstrate progress toward compliance. Instead, the likely targets of enforcement are the businesses that don’t try at all, try to skirt around the law, or are large enough that they should know better.
Second: don’t rush.
There are no shortcuts to compliance—start at the beginning of Osano’s countdown series or with the other resources on our website, consult with legal and privacy professionals, and begin the process of building out your compliance program.
The Navy SEALs have a saying that is worth bearing in mind: slow is smooth, and smooth is fast. Cutting corners in the early stages of your compliance program will cause issues down the road.
But if you’ve followed the guidance in this series thus far, read on to review your next priorities.
In this installment of our countdown series, we advise you to carry out three crucial activities:
Your data inventory should contain all relevant information about your data processing activities. That includes:
If you established your data inventory months ago, now is a good time to review it and see whether anything has changed. Generally, data inventories should be updated any time your organization’s processing conditions change, such as when you collect new types of data or onboard new recipients of data. With several state laws coming online on January 1, 2023, it’s worth double-checking, even if you believe your processing conditions have remained the same.
If they have changed, then you may have further updates to make beyond your data inventory. Do you have additional contracts that need to feature data processing addenda? Have new data collection practices rendered you subject to new obligations? If so, it’s best to become aware of that now rather than risk a notice from the Attorney General.
If your data inventory is up to date and you’ve got the right provisions in place with the relevant third parties, then you’ll be in the perfect position to update your privacy policy.
Your privacy policy needs to convey much of the information in your data inventory to your users. That includes details like the categories of information you collect, how long you intend to keep said information, who you share information with, and more. There’s a lot that goes into developing a privacy policy; while different laws have different requirements, a great place to start is by working your way through our privacy policy checklist.
Following the guidance in this countdown series is an excellent starting point for compliance. However, a simple three-part blog series can’t cover all of the myriad activities you need to undertake in order to become compliant, especially since compliance programs must be tailored to the individual organization. Furthermore, compliance isn’t a one-and-done activity; it’s an ongoing process.
Once you’ve gotten the fundamentals in place, it’s time to plan for how you’ll keep your compliance program sustainable and scalable.
Here are a few things you’ll want to consider:
A lot of what makes a compliance program sustainable is procedural. For instance, defining when and where a privacy professional needs to be involved in the different aspects of your operations goes a long way toward avoiding noncompliance.
Some of it is technological. For example, if you have to respond to each data subject access request (DSAR) manually, you’ll quickly become swamped. You’ll want to identify a way to automatically discover data across your organization and a way to automatically act on the different kinds of DSARs.
What’s more, you’ll want to document your process, policies, and activities. If you do get in hot water with data protection authorities, having documentation that shows you’ve been working toward compliance will reduce your risk.
As alluded to above, this blog series is about setting up the foundation for compliance rather than “solving” your organization’s compliance needs for all time. Each law and each business has unique requirements and needs, so implementing the right compliance program for your organization will take careful planning and consideration.
Working with a compliance solution provider takes the most onerous compliance tasks out of your hands. That way, you can stay focused on your core business and the compliance tasks that only you can handle. For example, Osano customers gain the benefit of:
We hope you’ve found this countdown series informative and actionable in your efforts to comply with 2023’s data privacy laws. Keep up the momentum on your data privacy journey by scheduling a demo of Osano today.