Five Reasons to Add Privacy Knowledge to Your Professional Repertoire

Author: Yunique Demann
Date Published: 15 September 2021

When we think of privacy professionals, we usually think of someone with the Data Protection Officer (DPO) designation, but that is a narrow view. A privacy professional does not need to have a DPO title in order to perform privacy responsibilities. A privacy professional is someone who is responsible for, manages or supports the collection, use, access or processing of personal information. These roles include security professionals, developers, analysts, sales and marketing, and HR and legal professionals.

This definition may seem wide, but that is only because most of us interact at some level with personal information and, therefore, we all have an equal responsibility to protect it. In order to do so, we must understand what the laws are in our role as either data processors (a natural or legal person, public authority, agency or other body which processes personal data on behalf of controllers) or data controllers (a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data).

Here are five reasons why adding privacy knowledge to your professional repertoire enhances your capabilities:

  1. Do you collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, erase or destroy personal data? If you are performing any of those operations as part of your job responsibilities, you may find it beneficial to read Articles 5 through 17 of the General Data Protection Regulation (GDPR), particularly Article 5 – Principles relating to processing of personal data; Article 6 – Lawfulness of Processing; and Article 7 – Conditions for Consent.
  2. Are you processing the personal data of, or providing goods or services to, members of the European Union? You may argue that you are not based in the European Union, so GDPR is not applicable. Further reading on Article 3 – Territorial Scope will provide context as to why your organization may be in scope.
  3. Ever heard of the California Consumer Privacy Act (CCPA)? All companies that serve California residents and have at least US$25 million in annual revenue must comply with CCPA. In addition, companies of any size that have personal data of at least 50,000 people or that collect more than half of their revenue from the sale of personal data also fall under the law. Does your company sell personal data? Not sure? Under CCPA, California residents can object to the sale of data.
  4. Do you work in a multinational company and regularly transfer personal data across your organization, irrespective of borders? If you do, STOP. In case you didn’t know, Safe Harbor and Privacy Shield are invalid. In June, the European Commission pre-approved new standard contractual clauses (SCCs) for use in contracts where personal data is being transferred to third countries. If you aren’t already reviewing the new SCCs, now is the time to start.
  5. The Luxembourg Data Protection Authority recently fined Amazon €746 million for violations in connection with GDPR. Exact details have yet to be revealed. GDPR allows the EU’s Data Protection Authorities to issue fines of up to €20 million (US$24.1 million) or 4% of annual global turnover (whichever is higher). Can your organization afford to be found in violation of GDPR? The repercussions of non-compliance are financially severe and could also result in reputational damage, which can take years to fix.

As we become increasingly interconnected and global, the use and transfer of personal data also increase, and the risks of misuse, loss and even theft rise. You may argue that none of the above-mentioned scenarios apply to you, but I would ask you to think about how you use personal data in your day-to-day interactions – signing up for a new store card, using the internet, social media, online shopping. All these touchpoints collect your personal data and store it, hopefully in a manner that is safe and secure from unauthorized access. Wouldn’t it be beneficial to understand how you can manage your personal data and also question those who collect your personal data on whether they truly need all the information they ask for?

There are few jobs that don’t process or interact with personal data, so gaining knowledge on how to protect it and be compliant with multiple current and new privacy laws will only enhance your professional repertoire.