With business being conducted increasingly online and on a global scale, the protection of personal data is becoming increasingly important. Although the U.S. has no comprehensive federal data privacy statute governing the collection, transfer or removal of personal data, more than a dozen states in the U.S. have passed broad data privacy laws. There has also been a global push for legislation governing the protection of personal information. One of the most comprehensive examples of such legislation is the European Union’s General Data Protection Regulation, Regulation (EU) 2016/679 (the “GDPR”), which went into effect in 2018.
As more legislation is passed, businesses need to be aware of the requirements of data protection to ensure compliance. Although there is no comprehensive federal data privacy law in the U.S., many businesses operate in jurisdictions where data privacy laws already exist. Additionally, trends among state-level laws and the GDPR may indicate the key points of a federal data privacy law, if one is ever adopted. Both the GDPR and the Delaware Personal Data Privacy Act (the “DPDPA”), which goes into effect on January 1, 2025, define personal data as any information that is reasonably linkable to an identified or identifiable individual. The laws also share practical guidance around the collection and use of personal data. The GDPR mandates that personal data may only be collected for specific, explicit, and legitimate purposes and cannot be processed in a manner that is incompatible with those purposes. The DPDPA prohibits the processing of personal data in ways that are not reasonably necessary in relation to the purposes for which the data is being processed. Both laws require the data subject’s consent for his or her data to be processed or stored. The entity or individual that determines the purposes and means of processing personal data (the “Controller”) must also provide a method of revoking consent that is at least as simple as the method of providing consent.
One of the most important aspects of data protection laws is the set of security obligations placed on the Controller, as well as on the person or entity that processes the personal data (the “Processor”). The DPDPA requires the Controller to establish and maintain administrative, technical, and physical data security practices, and the level of security must be appropriate to the volume and nature of the personal data being processed. The GDPR and DPDPA also place security guidelines on the relationship between the Controller and the Processor (although they may be the same entity in most cases), such as the requirement that any contract between the parties include provisions regarding confidentiality and requirements to delete or return all personal data upon request. The GDPR goes even further by requiring the Controller’s written authorization before the Processor may engage another Processor.
Additionally, data protection laws typically require the Controller and Processor to perform a data protection assessment for certain types of data processing. The DPDPA mandates an assessment for processing personal data for the purposes of targeted advertising, and the GDPR mandates an assessment for the large-scale collection of personal data revealing racial or ethnic origin or political opinions. For the DPDPA, an assessment must identify and weigh the benefits of processing the personal data against the potential risks to the consumer associated with the processing, as well as the mitigating safeguards that can be implemented by the Controller. An assessment under the GDPR must contain a systematic description of the processing operations and their purposes, an assessment of the necessity and proportionality of the processing, and an assessment of the risks to the rights and freedoms of the data subjects.
Proactive personal data protection is critical for any business that comes into contact with personal data, as non-compliance with data protection laws can result in significant legal, financial, and reputational damage. As state-level laws like the DPDPA come into effect and the GDPR influences global standards, businesses must proactively align their practices with these evolving requirements. Failure to implement proper data protection measures may not only lead to fines or penalties but also affect a company’s ability to maintain customer trust. Additionally, many insurance providers are now requiring companies to have data protection policies in place as a prerequisite for honoring claims related to data breaches. Without such policies, businesses may find themselves without coverage in the event of a cyberattack or security breach, leaving them exposed to the full impact of recovery costs and potential litigation. Staying ahead of regulatory changes and establishing strong data governance practices is not just a compliance exercise; it is essential for long-term business sustainability and risk management.
Dated: November 6, 2024
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials are for general informational purposes only.