data privacy and security GDPR and CCPA.

Data privacy and security for virtual events: 6 steps to adhere to GDPR and the CCPA.

Views: 14419

The complete platform for all your events

Book a Meeting
Posted on August 3, 2020

The topic of data privacy and security is in the mainstream media, and people have begun to realize the value of their personal data.

Yeah, it’s happening like in the movies. Anyone who has watched “Terms and Conditions May Apply” and “The Great Hack” know what we’re talking about.

If you’re still not convinced, look at how hyper-segmentation on advertising campaigns is arriving on your cell phone immediately after you show interest in a specific subject.

There is even a debate over the extent to which it has influenced presidential elections.

  • Hyper-Segmented Digital Marketing
  • Industrial espionage
  • Identity theft
  • Frauds
  • Blackmailing
  • Credit card cloning
  • Ransomware, phishing (demand a rescue pay to return your data)
  • Buying cell lines to perform illegal activities involving you
  • Open checking accounts in your name to launder money
  • The basis for target identification and planning for physical hijackings
  • Requesting false health insurance reimbursements on your behalf
All the techniques that can turn your behavior into a spreadsheet

Ginni Rometry, CEO at IBM from 2012 until April 2020, knows exactly what is going on and has spoken about it a few times:

“Data is the natural phenomenon of our time. It is the new natural resource in the world. It is the basis of competitive advantage and is transforming all professions and industries. If all of this is true, then cybercrime is the biggest threat to every industry and every business in the world. ”

https://www.youtube.com/watch?v=vhWB-0CKewc
Doubts about technology.

2. Is technology a problem, then?

The problem is definitely not technology. Our problem is changes in our society as a whole.

As technology accelerates everything, it is doing a crime.

According to Statista, the global cybersecurity market is predicted to grow from $167.1B in 2019 to $248.26B by 2023, attaining a 10.4% CAGR.

Hence the need for a more robust regulatory environment, with important and updated definitions, which accompany the environment of constant technological innovations.

The privacy of sensitive personal data and anonymization, focused on the individual, must be respected with regard to the final customer and also the business environment.

strategies for business

3. Does the law apply to my business?

GDPR applies to entities that collect, store, or process data from natural persons located in the EU, regardless of nationality and residence in the EU.

  • Employees
  • Providers
  • Consumers
  • Visitors

The CCPA applies to businesses that collect personal information from California residents. However, the law does not apply to any company. The CCPA defines business as an entity that:

  • Collects personal information from consumers,
  • Determines the purpose and means of processing personal information,
  • Does business in the State of California, and
  • Meets one or more of the next requirements:
    • Has annual gross revenue in excess of $ 25 million;
    • Alone or together, per year, buys, receive, sells, or shares, for commercial purposes, personal data of 50,000 or more California residents, properties, or appliances;
    • Earns 50% or more of annual revenue from selling personal data to California residents.
security in technology

4. What are the main obligations imposed by the GDPR and CCPA?

  • Report affected holders and authorities about leaks
  • The strict, free, clear, unambiguous consent of the uses for any specific purposes
  • Appointment of a DPO (“Data Protection Officer” or someone in charge of the treatment of personal data”)
  • Specific requirements on data transfer, portability, and forgetfulness
  • Conduct a pre-project DPIA, Data protection impact assessment (GDPR official website template of how to conduct a DPIA)

a. Penalties

GDPR: Administrative fines of 10 to 20 million euros or 2 to 4% of the entity’s global annual revenue, whichever is greater.

CCPA: the maximum penalty of the CCPA is $7,500 and is reserved for only intentional violations of the CCPA. Other violations lacking intent are going to remain subject to the preset $2,500 maximum fine.

b. Term

GDPR: effective since May 2018

CCPA: effective since Jan 2020

c. Inspection

GDPR pillars:

  1. Transparency
  2. Compliance
  3. Punishment

CCPA pillars:

  1. See your customers
  2. Know your customer
  3. Respect your customer

As those are conceptual pillars, getting to know each regulation in detail would demand a deeper study of both regulations.

But their procedures, in summary, seem to be very similar:

Firstly, they receive communications about the occurrence of any security incident that may cause significant risk or loss to data subjects (data breach notification).

Then, there’s an investigation, with established preparatory procedures, including public civil inquiry and administrative procedure if applicable.

Also, after the investigation, an action of sanctioning based on proposed lawsuits might occur.

responsibilities for data security

5. Benefits of GDPR, CCPA, and other data privacy and security regulations

  • Safer online and physical environment, with minimized risks
  • Avoidance of fines
  • Better sleep for individuals
  • Much better sleep for executives, as information security has been a big cause of preoccupation for high administration members and other businesses representatives for years
computer privacy

6. Six steps to hold virtual events that comply with the latest data privacy and security regulations

1. Work to get the right sponsors

This is a matter to be treated with the high administration: senior management, board of directors, and/or advisory committees.

2. Perform a detailed diagnosis to define the scope of what needs to be done to comply with the legislation.

  • Map information that needs to be protected, areas, systems, environments, platforms, and professionals that need to be involved.
  • Identify policies that need to be created or existing ones that need to be updated.
  • Identify documents that need to be reviewed, like consent terms.

3. Appoint a DPO (Data Protection Officer) with the following main duties:

  • Coordinating data protection efforts across all departments involved.
  • Participating in projects to ensure privacy by design since the very first project scratch.
  • Conduct and monitor a DPIA.
  • Promote awareness as a best data protection practice
  • Insert data protection on the organization’s agenda until the subject is part of the culture
  • Be the touch point with regulatory authorities

4. Establish policies

  • Classify information (public, restricted, sensitive, confidential, or critical)
  • Communicate frequently with authorities (particularly important in case of leaks)
  • Implement a robust information security program, including periodic monitoring and testing
  • Test vulnerability and data encryption on the internal network regularly
  • Make employees and stakeholders aware

5. Data privacy and security needs a professional approach

Above all, consent must be provided in writing or by any other means that demonstrates the effective manifestation of the holder’s will in a detached clause of the other contractual terms.

Firstly, if this consent is changed from its initial purposes, new consent must be obtained from the holder the consent can be revoked .

In addition, it’s also good to remember that consent models have distinctions.

Opt-in marketing or commercial messages, for instance, are only sent to those who express their prior and explicit consent to receive them.

6. Information security culture, engagement, communication, and training

A legal or physical controller that collects personal data and makes all decisions regarding the form and purpose of data processing is commonly found in the figure of a DPO or CTO.

Moreover, this DPO (Data Protection Officer), will be the bridge between the shareholders, public authorities, and the operational IT team.

They’ll also be responsible for guiding employees that are out of the data processing practices, promoting a clear and objective data protection culture.

Thus, processing any operation performed with personal data, such as collection, use, processing, storage, and disposal, needs to have the supervision of a data specialist. And employees, in turn, must be cyber-aware in order to understand how to protect their personal data.

new ebook about the impact of Covid-19 on corporate events

Keep learning! Take advantage of our free and always updated resources:

 

WebManager
© InEvent, Inc. 2024