IP Essentials: Q&A Series

Q How can my company ensure compliance with privacy law(s) while sharing data with third parties?

A To ensure privacy law compliance, consider the following while developing a third-party data sharing policy:

• legitimacy (lawful basis for sharing data);
• benefit vs. risk;
• whether you have rights to share the information;
• safeguards governing the data transfer;
• developing sharing protocol and agreements; and
• keeping the shared data up-to-date and accurate.

Q What are the potential penalties for failure to comply with a privacy law?

A Failing to comply with privacy policies, and any resulting data breach, can lead to significant fines that vary with the degree of non-compliance, the efforts made to alleviate the damage, and the gravity and duration of the violation once discovered. The GDPR allows for fines of ten million Euros or two percent of the noncompliant firm’s worldwide annual revenues, whichever is greater, for less severe infractions. These fines can be doubled for more serious infractions. Additionally, being embroiled in a data breach controversy can erode trust among the customer base, leading to loss of revenue.

California provides for fines up to $7,500 for every record affected by the instance of noncompliance. In addition, the CCPA provides for a private cause of action for California residents whose personal information is exposed in connection with a data breach resulting from a company’s failure to implement and maintain reasonable security practices and procedures. The greater of actual damages or statutory damages of up to $750 per incident is permitted.

Q What rights does a consumer have under the privacy laws?

A Most data privacy laws require consent from the consumer before collecting and using personal data and require notification when a data breach occurs. Specific details vary among jurisdictions. Under the GDPR, a consumer also has the right to be informed about the collection and use of their data once obtained, a right to access their data, and a right to demand deletion of their data or to restrict processing. Under California law, consumers have the right to seek an easily accessible and understandable privacy policy and the right to non-discrimination (businesses are not allowed to discriminate against consumers who have used or exercised any of the privacy rights given to them by law).

IP ESSENTIALS: DATA PRIVACY
