{"id":60667,"date":"2022-12-16T15:57:42","date_gmt":"2022-12-16T07:57:42","guid":{"rendered":"https:\/\/version-2.com\/?p=60667"},"modified":"2023-02-22T14:31:35","modified_gmt":"2023-02-22T06:31:35","slug":"data-privacy-laws-for-smes-stay-compliant-in-2023-and-beyond","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/12\/data-privacy-laws-for-smes-stay-compliant-in-2023-and-beyond\/","title":{"rendered":"Data Privacy Laws for SMEs: Stay Compliant in 2023 and Beyond"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\u201cThe house of every one is to him as his Castle and Fortress as well for defense against injury and violence\u2026\u201d<\/em><\/em>\u2014 <\/em>Sir Edward Coke, English judge and jurist.<\/em><\/p>

Coke uttered the famous words across the pond more than 400 years<\/a> ago. For centuries, the legal precedent has underpinned the right to freedom from intrusion. <\/p>

One can only imagine what Coke would think about today\u2019s ongoing privacy debate between consumers, big tech, and legal systems. <\/p>

No longer are homes the only places we store personal information. Today\u2019s companies have multiple options (and incentives) for collecting, storing, and sharing data. <\/p>

As the IT admin of a small-to-medium-sized enterprise (SME)<\/a>, what do these developments mean for you? And what are the essential things you need to know about data privacy laws?<\/p>

Keep reading to learn more about data security versus data protection, the history of data privacy laws, and the most relevant laws in the U.S. and Europe. In addition, we\u2019ll share our best tips on how to strengthen your compliance efforts. <\/p>

Data Privacy Laws and Why They Exist<\/h2>
\"A<\/figure>

The topic of data privacy entered the world stage in 2018. That\u2019s when the Facebook-Cambridge Analytica<\/a> scandal flashed across news headlines around the world.<\/a>The New York Times<\/a> reported that the company harvested the Facebook profiles of 50 million users, without their permission, for nefarious political purposes. <\/p>

Shortly after, several high-profile data breaches further emphasized the need for enhanced data privacy and security regulations. Google+ developers discovered a breach<\/a> that allowed 438 external apps to access 500,000 Google+ users\u2019 data, including names, emails, addresses, occupations, genders, and ages. The result? <\/p>

Lawmakers and regulators worldwide are now taking data privacy seriously. Several laws and regulations have popped up in recent years to protect people\u2019s privacy. The most notable and expansive of these are the General Data Protection Regulation (GDPR)<\/em> in the European Union and the California Consumer Privacy Act (CCPA)<\/em> in the United States. We\u2019ll dive into these regulations in a moment, but first, let\u2019s define data privacy laws. <\/p>

What Are Data Privacy Laws? <\/h2>

Data privacy laws<\/strong> are mandates that govern how organizations can collect, use, and share personal information. The laws exist to protect individuals from having their personal data mishandled or misused.<\/p>

In addition, data privacy laws set standards for how organizations must handle and secure data and give data subjects rights over their information. This often includes the right to know and permit what information is collected, the right to have it erased, and the right to object to its use. <\/p>

The specifics of data privacy laws vary from country to country. But they all aim to achieve the same goal: to protect people\u2019s information from falling into the wrong hands.<\/p>

Benefits of Data Privacy Laws<\/h3>

The benefits of data privacy laws for individual data subjects are self-evident. However, they may seem somewhat burdensome for corporations.<\/p>

After all, complying with data privacy laws requires significant time, resources, and money investments. But make no mistake, adhering to data privacy laws is not only the right thing to do, but it\u2019s also good for business.<\/p>

\"Encryption<\/figure>

1. Enhance Consumer Trust (and Credibility)<\/h4>

In a world where data breaches are becoming increasingly common, customers want to work with companies they can trust. <\/p>

In fact, 71% of respondents in a 2020 McKinsey survey<\/a> stated they would take their business elsewhere if a company released sensitive information without permission. Complying with data privacy regulations sends a strong signal to stakeholders that you take privacy seriously and do everything you can to protect their data. <\/p>

2. Level the Playing Field<\/h4>

Submitting all companies to the same standards means the differentiating factor would be products and service quality, not who has the most lenient data privacy practices. This is particularly important for SMEs that lack the resources of larger corporations and would be at a competitive disadvantage if there were no data privacy regulations.<\/p>

Understanding Data Sovereignty<\/h3>

As noted earlier, different countries have different nuances on data privacy laws, making the discussion on data sovereignty ever-important.<\/p>

Data sovereignty<\/strong> is the concept that data should be stored and managed in compliance with the laws of its country of origin. This is especially critical for companies that operate in multiple countries, as they need to ensure that their data complies with the laws of each country.<\/p>

It also extends to the idea that organizations should store data originating from a country in the same country to avoid subjecting individuals\u2019 privacy to a foreign government\u2019s jurisdiction<\/a>.<\/p>

Data sovereignty has immense relevance in cloud storage applications as companies sometimes host servers in different countries from where the data is collected. Data sovereignty will become even more critical as the internet grows and expands.<\/p>

Data Security vs. Data Protection <\/h2>

People often use the terms data security and data protection interchangeably without realizing they are two completely different concepts.<\/p>

\"person<\/figure>

Data Security<\/h3>

Data security<\/strong> is the practice of restricting access to data. This includes ensuring that only certain users can obtain data and that information is not modified or destroyed without authorization. <\/p>

Data security is vital for both individuals and organizations, as it helps protect information from being misused or stolen. Examples of data security strategies include encryption<\/a>, firewalls, and password protection<\/a>. <\/p>

Organizations can use an IT toolkit like the JumpCloud Directory Platform<\/a> to streamline data security compliance, oversee device management in heterogeneous environments, provision\/deprovision users, and enforce password controls. <\/p>

Data Protection<\/h3>

Data protection<\/strong> involves safeguarding data from loss or damage. It includes measures such as backing up data and storing it in a secure location to ensure that important data is not lost in the event that security measures fail. <\/p>

For example, suppose cyberattackers seize control of an organization\u2019s server in a ransomware attack. In that case, data protection measures ensure that the organization can still access its data. <\/p>

Though relevant as the last line of defense in a wider security strategy, data protection is also handy for other reasons besides malicious attacks. For example, it helps businesses recover from data loss due to technical failures or human error. <\/p>

Also, if different locations house data (e.g., on premises and in the cloud), data protection helps ensure critical systems don\u2019t grind to a halt if one storage location goes down. <\/p>

The Four Basic Data Privacy Protections <\/h2>

Oftentimes, implementing data privacy policies is challenging for organizations because they don\u2019t approach it as a baseline for operations. <\/p>

Instead, they treat it as an afterthought and only focus on meeting regulatory compliance when required. At JumpsCloud, we\u2019ve seen SMEs take a similar approach with IT security compliance<\/a> measures to their own detriment. <\/p>

Organizations seeking to take a proactive approach to data privacy should have the following protective measures in place as mandated by the General Data Protection Regulation<\/a> and other similar laws:<\/p>

  1. Data Collection and Sharing Rights<\/li><\/ol>

    Your privacy approach should include letting users know what types of data you collect, how you use it, who you\u2019ll share it with, and what purpose you\u2019ll use it for.<\/p>

    It should also inform and enable them to exercise their rights over their data, such as the right to access, delete, or correct their data.<\/p>

    They should also have the right to deny third-party access to some or all of their data.<\/p>

    1. Opt-In (Consent)<\/li><\/ol>

      What\u2019s better than letting your users know what data you handle?<\/em> Asking their permission for how you intend to handle it.<\/p>

      It\u2019s common for websites to have pre-ticked boxes that allow users to opt out of cookies or the collection of certain information. This is neither good practice nor in line with the laws, such as the GDPR\u2019s cookie consent requirements.<\/p>

      Require your customers to take clear and proactive action to indicate that they agree to have their data collected.<\/p>

      \"coworkers<\/figure>
      1. Data Minimization and Storage Limitation<\/li><\/ol>

        Only collect and store the data that is necessary for you to fulfill your business purpose<\/a>. For example, suppose you\u2019re a business that sells products. In that case, you\u2019ll need to store data such as the customer\u2019s name, shipping address, and payment information. <\/p>

        Don\u2019t store data such as visitor browsing history on your site or the sites they visit after leaving yours. Furthermore, limit the amount of time you keep data. For instance, you can delete customer data once they haven\u2019t interacted with your site for a certain period, such as 12 months.<\/p>

        Perhaps, the most shocking cautionary tale is the double-header case of AdultFriendFinder<\/a>, where a dating website got hacked twice, and very private information of users was made available on the dark web. What was already a sticky situation became even worse. It turned out that the data of former users who had deleted their accounts were still being kept and were among those leaked.<\/p>

        1. Nondiscrimination and No Data-Use Discrimination<\/li><\/ol>

          This protection requires you not<\/em> to engage in discriminatory behavior<\/a> against individuals who choose to exercise their data privacy rights.<\/p>

          For example, you cannot charge a higher price, refuse service, or give them a lower quality service because they exercised their right to access or delete their data. Also, you can\u2019t use collected data to profile individuals<\/a> along discriminatory lines.<\/p>

          For instance, using data to target ads or content to individuals based on their race, ethnicity, gender, religion, disability, or other discriminating factors could violate your data subjects\u2019 rights.<\/p>

          Evolution of Data Privacy<\/h2>

          As referenced in our introduction, the notion of privacy has been around long before the digital age. Here\u2019s some additional fun facts for the history buffs out there: <\/p>