GDPR One Year Later: States Addressing Data Security
One year ago, the General Data Protection Regulation (GDPR) went into effect in the EU, requiring stricter processes for consumer data collection and use, as well as making it easier for consumers to opt out of data storage. While the US hasn’t enacted similar data protection processes at a federal level, states are beginning to pass consumer data protection laws that mirror the requirements and intent of GDPR.
The California Consumer Privacy Act (CCPA) is the most similar to GDPR in terms of scope. CCPA requires state and local agencies and many third-party vendors doing business with California agencies to implement the following measures by January 1, 2020:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
- New individual rights to data access and erasure
- New individual right to opt-out of data selling
- Updating service-level agreements with third-party data processors
- Remediation of information security gaps and system vulnerabilities
The proposed Washington Privacy Act contained similar provisions, but it was tabled this year as the state takes a closer look at how facial recognition data might fit into the bill. However, Washington, New Jersey, and Arkansas have all passed legislation expanding the scope of their data breach laws, and more than 32 other states have cybersecurity legislation pending.
With increased requirements on how data is managed being passed at a state level, state and local agencies will require data security risk assessments, data monitoring and process-oriented technology for tracking data use across multiple systems.