Data privacy rules around the world govern how customer information is used, such as their address, phone number, and other personal information. These laws provide an excellent framework for how data is processed, individual rights, removal requests, penalties for not complying with them, and more.
However, keep in mind that data privacy laws are changing each year. What kind of changes can you expect this year? How will it affect your business in 2023?
Let’s read more in this article to find out what you need to know.
New regulations in U.S. data privacy laws
Despite the many proposals made in the past few years, no federal law governs data privacy in the U.S.A. However, individual states are not waiting for the federal government to act and have set up their own acts.
Changes made to state regulations
While 2022 saw limited progress toward a federal regulatory scheme for data privacy, four states in the USA have made significant adjustments to their data privacy regulations that come into force this year:
The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1st, 2023. The VCDPA introduces several new requirements, including CCPA compliance, opt-outs, data security and more.
The Colorado Privacy Act (CPA) applies to Colorado residents. Its new regulations strictly target data collection for advertising, enforcement of data processing rules and related restrictions. In addition, fines can reach up to a million dollars! All new rules set by the CPA come into force on July 1st, 2023.
The California Privacy Rights Act (CPRA) applies to businesses that buy or sell the personal information of hundreds of thousands of consumers, or that gain more than 50% of their revenue from selling personal information. The new regulations imposed by the CPRA have been in force since New Year's Day. They include tighter restrictions on personal data retention, protection of employee and business contact personal information, and more opt-out rights.
The Connecticut Data Privacy Act (CDPA) comes into effect on July 1st, 2023. It introduces new restrictions similar to those of the other state privacy acts. However, it applies only to Connecticut residents.
The Utah Consumer Privacy Act (UCPA) takes effect at the end of the year and contains regulations similar to those of the CPA and VCDPA. However, the UCPA still differs in its approach to data privacy compared to the other states.
The New York SHIELD Act
The New York SHIELD Act encourages data protection at the maximum level to avoid online breaches. Sometimes, it may be difficult for organizations to comply with several security standards, so they’ll use the SHIELD Act standards for collecting and maintaining private information.
Osano wrote an article that goes deeper into what the New York SHIELD Act is all about and how it’s becoming essential to follow new privacy regulations imposed.
Amendments made to The General Data Protection Regulation (GDPR) in 2023
The GDPR is the world's most significant data privacy regulation and applies to all collectors of personal data in the European Union and to those doing business within its borders. In addition, it regulates all personal data collected and transmitted across all member states of the European Union.
Fines for those who refuse to comply can reach up to 20 million euros. The most fundamental requirements of the GDPR are:
Consent: Consent must be obtained from data subjects before personal data is collected. Note that, under the GDPR, personal data includes information collected through cookie usage, even from countries such as the USA. Personal information such as IP addresses is not considered personal data in the USA, but this is not the case under the GDPR.
Data Subject Rights: This covers many important areas, and keep in mind that your data subjects' rights should be stated precisely and be easy to find on your website. This includes all essential information regarding the right to be informed, to access personal data, to delete information users no longer want on the website, to restrict processing, to data portability, and to refuse data processing.
Notifying users about data breaches: All organisations must inform users about a data breach at least 72 hours (three days) before it affects their personal information. The GDPR takes this seriously and will increase controls in 2023 because many data breaches go unreported.
Another important aspect to consider under the GDPR is the secure shredding of personal data. This includes the destruction of both physical documents and digital files containing personal information, to ensure that it is irreversibly destroyed when it is no longer needed. Organisations must have processes in place to properly dispose of sensitive information, such as financial or medical data, to avoid potential breaches and ensure compliance with the regulations.
What can you do to prepare for these changes?
Firstly, your organisation should be well aware of which data privacy law it has to follow.
Secondly, each country has its own local data privacy regulators, so always pay attention to them first. Afterward, the organisation should be vigilant of the data it processes, manages, and collects.
If you are in the United States, you won't have to follow the GDPR's requirements unless you do business within EU states.
In short, organisations should always inform individuals how their data is collected, stored and obtained.
If you’re still wondering how you will comply with data privacy laws this year, make sure to hire a data advisor or counsel that will provide you with the data management framework and governance plan you need. One key element of this plan should be the use of contract management software. This type of software can automate the process of assessing vendor security and privacy, as well as facilitate the return or deletion of data once a contract has ended. Utilising contract management software can help ensure compliance with data privacy laws and protect sensitive information, making it an essential tool for any data management framework and governance plan.