Privacy Compliance Newsletter – March

Automating the Data Map: A Bare Necessity! Although the words “Data Map” do not specifically appear in privacy regulations, a Data Map operationalizes the requirement of keeping a record of processing activities (ROPA). A Record of Processing Activity summarizes where data is stored, when and how it is accessed and processed, and with whom it is shared. References to ROPAs explicitly appear in many privacy regulations such as the GDPR, LGPD, POPIA, and CPRA to name a few. ROPAs may also be known as Data Protection Impact Assessments (DPIA) or Privacy Impact Assessments (PIA). In addition to meeting regulatory requirements, Data Maps are used to operationalize core privacy workflows related to consumer and employee rights requests, incident management, retention automation, and even eDiscovery readiness. So why doesn’t every company already have a data map? The biggest hurdle seems to be getting started. Organizations report the manual collection of information necessary to populate a data map is a heavy lift. Much of this time-consuming documentation of systems and processes is due to the cross-functional nature of data collection and flow throughout the organization. In addition, privacy regulations and best practices continue to evolve. Effective use of personal data is becoming more important to organizations, and it is being processed by ever-increasing, innovative technologies. In many cases, privacy teams may be one or two-person teams. What started as a commendable effort to comply with regulations quickly turns into an overwhelming experience for these privacy professionals. Work smarter, not harder To create an automated, accurate, and up-to-date data map, reducing reliance on human entry or assessments is a must. Discovery technology can:

• • identify and inventory both known and unknown systems by connecting to your organization’s CMDB, CASB or IAM for example.

• • scan and classify data within each system whether in the cloud or on premise, whether structured or unstructured.

• • de-duplicate the system inventory.

• • increase program accuracy and efficiency.

Colorado AG Highlights Implementation of CPA

Phillip Weiser, Colorado Attorney General, recently provided guidance on data security best practices and the upcoming CPA rulemaking process. The AG’s remarks were meant to highlight the upcoming implementation of the Colorado Privacy Act set to take effect on July 1, 2023. By this fall a formal Notice of Proposed Rulemaking will be published. Companies following this guidance will be better positioned to comply with the CPA. The CPA describes a “Duty of Care” for controllers which requires them to take reasonable measures to secure personal data. The following summarizes the best practices that may indicate what the AG considers to be reasonable measures. Click for a full description of each measure.

1. Inventory the types of data collected and establish a system for how to store and manage that data.

1. Develop a written information security policy.

1. Adopt a written data incident response plan.

1. Manage the security of vendors.

1. Train your employees to prevent and respond to cybersecurity incidents.

1. Follow the Department of Law’s ransomware guidance to improve your cybersecurity and resilience against ransomware and other attacks.

1. Notify victims and the Department of Law/Attorney General in a timely manner in the event of a security breach.

1. Protect individuals affected by a data breach from identity theft and other harms.

1. Regularly review and update your security policies

The CPA grants three rulemaking activities to the AG:

• • Authority to promulgate rules for the purpose of carrying out the CPA

• • Publish technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

• • Adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for business that includes a good faith reliance defense of an action that my otherwise constitute a violation of the CPA

Before drafting the rules, the AG’s office will hold high-level meetings and town halls to learn what privacy issues are most important for Colorado residents and businesses. Click to read Weiser’s prepared remarks from Data Privacy Day.

Facial Recognition 101

Simply stated, facial recognition uses technology to recognize a human face.  You may be familiar with it because of your mobile phone.  Apple first used facial recognition to unlock the iPhone X and says the chance of a random face unlocking the phone is about one in 1 million.  In addition to mobile phone authentication, facial recognition is used by social media companies to spot faces in uploaded photos, law enforcement to identify suspects or track down missing persons, retailers for sending targeted ads to consumers, colleges to take class roll, and businesses to replace security badges.  (Click for additional facial recognition examples)  According to a Georgetown University study, it’s estimated half of all American adults have their images stored in one or more facial-recognition databases law enforcement can search. As it becomes more widely used, it’s important to know how it works.  In general, the basic steps are as follows:

1. A facial picture is captured from a photo or video.  The face can be alone or in a crowd; it can be looking straight ahead or nearly in profile.
2. Facial recognition software reads the geometry of the face.  The key factors include the distance between the eyes and the distance from forehead to chin.  The software identifies the facial landmarks or keys (one system identifies 68 of them) to distinguishing the face.  These keys make up the facial signature.
3. The facial signature is a mathematical formula that is stored in a database and can be compared to known faces in one or more databases.

There are benefits to this relatively new technology such as finding missing people, identifying criminals, or making shopping more efficient.  However, it raises privacy issues as there are few rules governing its use.  In addition, facial data can be used to commit fraud or turn a profit for hackers.  They could literally steal your face from databases storing its facial signature. In mid-February, the Texas Attorney General sued Meta Platforms (Facebook) for violating a Texas law requiring entities collecting biometric identifiers to inform users of the collection and sale of such data and obtain their consent.  Meta and other companies such as IBM have recently announced an end to their use of facial recognition technology.  Amazon and Microsoft have limited law enforcement use of their facial recognition technology.

Save the Dates

ID & OneTrust team up to discuss top privacy compliance & Information Governance. Topics of discussion in this program include the following: 

• Exponential information growth for enterprises,
• Management of mobile and cloud data,
• Increasing cyber risks and judicial expectations,
• Implementation of appropriate policies governing information, and
• Remediation and defensible disposition of information.

– Keep an eye out for an invite! IAPP Global Privacy Summit 2022: April 12 – 13, 2022, Washington, DC The world’s premier privacy and data protection conference focusing on international topics, policy, and strategy. MER Conference 2022: May 10 – 12, 2022, Indianapolis, IN MER equips information governance practitioners to better impact their organization’s business objectives