What to Expect for Your Company’s Data Compliance Requirements
I’ve been thinking back to simpler times when data was carried on paper and it required physical access to break into somebody’s files. Outside the hospital and maybe the bank there were few obligations for caring for this information hoard and nobody’s business spent much money to do anything about it.
Now, after digitization, networking, monetization and democratization of hacking tools, everybody worries about data and our businesses are spending billions to manage and protect it. And it’s about to get worse.
I prefer to help companies exploit their data to make money rather than spend money treating data as a liability, and I would advise any company that keeps such data and pays to manage it to look for ways to make that data an asset, so that it is worth holding. But these days we are paid to help companies comply with the exploding universe of rules for information management.
The US started with sector requirements – children, money, health care, video rentals – and then every state enacted a data breach notice law. A few states dipped their toes in the water of data use restrictions and data storage requirements – little things, really. But we couldn’t ignore what was happening for our trading partners. The Europeans, Canadians and others in the democratic world were treating each datum as if it belonged to the person it described, not the company that collected it (which ALSO was likely described in transactional data).
While our foreign friends had deeply intrusive (to companies) privacy regimes for years, it took the bold and bizarre enforcement regimes of the GDPR to make US lawmakers sit up and notice, and now the Californians are soon to bring the hammer down with their own version of granting individual rights that take rights away from the companies that serve them. We are all spending lots of money to meet these new rules.
So what is next? I have seen some states like Minnesota get some traction in pushing through similar legislation. I would bet that in three years at least ten different states will have their own – slightly or significantly different – version of data management requirements.
Not only is CCPA onerous, but California is likely to submit and pass a direct voter resolution that can make it much worse and more confusing.
Some people are crying for a federal law to relieve us all of the multi-state compliance nightmare, just like Nell always cries for Dudley Do-Right to save her from the oncoming train. News: Dudley is grooming his horse, Horse, and can’t hear the calls. Congress will get nothing done this year, likely nothing for years, and if the Executive and Legislative branches can come together on privacy legislation in the next few years, your company CFO will likely not be happy with the result.
So watch this space for further and more specific discussion of where the data laws will likely take us in coming years, and buckle up for a wild ride.