Q. My local business now sells to customers globally, and I want to take the necessary steps to protect my client data. What are the first steps to take to get into compliance?
A. Information privacy and security laws that exist outside of New Hampshire frequently apply to businesses inside this state. For example, if you collect personal information about residents of Massachusetts, California, the European Union (EU), or Canada, your business is likely covered under laws from those jurisdictions.
The laws and their applicability:
EU General Data Privacy Regulation (GDPR): Any business that either (1) has permanent or temporary facilities in the EU (2) has an employee living or working in the EU (3) collects information about EU residents while they are in the EU, or (4) signs a contract with another entity that is subject to GDPR, agreeing to comply with GDPR. Personal information is broadly defined to include any information identifiable to a particular individual.
California Consumer Privacy Act (CCPA): Any business that sells goods or services in or into California, and either (1) has annual gross revenue of $25 million or more, (2) has personal information about 50,000 or more individuals, or (3) derives 50 percent or more of its annual revenue from the sale of personal information. Personal information is broadly defined to include any information identifiable to a particular individual.
California Online Privacy Protection Act (CalOPPA): Any business that collects personal information online about California residents.
Massachusetts, California, and other states’ data security laws and regulations: Any business that has personal information about residents of Massachusetts, California or other states with such laws. Personal information generally includes an individual’s name in combination with either his or her (1) Social Security number, (2) financial account number, with or without password, (3) governmental identification number, or (4) other types of personal information depending on the particular state law at issue.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): Any business that has personal information about Canadian residents to conduct commerce that has real or substantial connection to Canada.
While these laws from different states and foreign jurisdictions may seem confusing, the solution for complying with them – and simultaneously improving your business’ information privacy and security – follows a clear path:
Hire an experienced information security attorney to conduct a comprehensive risk assessment to identify the confidential, sensitive and personal information that the business has and its areas of risk and noncompliance.
Remediate areas of risks and noncompliance, as either required to be addressed by applicable law or appropriate under the circumstances.
Prepare and adopt appropriate policies setting forth the business’ practices and procedures.
Train your workforce with respect to information privacy and security.