As more jurisdictions pass privacy laws, what process do you follow to ensure compliance?

Chief Data & Innovation Strategist in Software, 9 months ago
This is a great question. I just had a conversation with an AI company to see if they are able to create an AI data governance tool that has the capability to track in real time the proposed laws passed, rejected, etc. With the EU passing the AI Act, along with the US AI executive orders, there is a lot to attempt to track; this needs to be simplified.
1
IT Manager in Construction, 9 months ago
It's a challenging point, especially if you have a worldwide business activity.
I would say if you are in Europe, the AI Act has already the pillars to look at but outside the European borders I see just voices.

My suggestion is to look at the AI Act and the OCSE guidelines then get engaged with a major player for the cloud services.
CISO/CPO & Adjunct Law Professor in Finance (non-banking), 9 months ago
Disclaimer: I am an attorney, but I am not providing legal advice.

Legal compliance can be started in several ways, the most common approaches are by jurisdiction and by data.

If you take the jurisdiction approach, then you need to determine all jurisdictions in which your organization is holding itself out to do business. Simply put, where could you reasonably sell your products or services? There are myriad nuances but, to simplify, suppose you have a website that, like some financial services companies’ sites, states something like “offer does not apply to residents of XY”. In that case you’re offering the product or service to everyone who can access your website but for residents of XY. If you don’t have any exclusions on your website, then you’re probably including everyone who can access your website. For each jurisdiction you’re selling within, find out the current and likely laws, homogenize them based upon the organization’s risk tolerance and apply the appropriate controls to comply.

If you take the data approach, then you need to inventory all the data you have or can access. Determine how the data is being used, whether the way it is currently being used comports with how it was collected, determine which business processes rely upon the data (more on this later), which data elements are protected under the law singly or in combination with other elements (uniquely identifying a natural person is one test), speak with business units to determine whether new types of data will be collected as well, determine the organization’s risk tolerance and apply the appropriate controls to comply. The reason you investigated which business units rely upon the data is in case there is a decision to purge certain data elements, for a compliance requirement or the potential risk to the organization.

Whichever process is used initially, the other process must be performed subsequently. Additionally, each of these processes must be repeated on a regular basis as the organization changes the product mix or locations which they serve.

There are multiple sources of information about cyber/privacy compliance such as the International Association of Privacy Professionals (link below) and law firm blog pages dedicated to tracking current and upcoming laws. These resources are merely guides, however; following them doesn’t ensure compliance. Someone with sufficient knowledge of the subject matter, who is held responsible for potential non-compliance, should evaluate the compliance situation.

https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

If you’re thinking it is complicated and requires lawyers, then you are correct. If you’re thinking it doesn’t have to be addressed, then look at the FTC’s enforcement page for more clarity.

https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement
2