This is the second part in a series discussing the actions that companies can take to prepare for potential data privacy legislation. Part One summarizes and discusses recently proposed data privacy legislation.
This post, Part Two, briefly reviews how a data privacy assessment can help businesses proactively address potential compliance issues, and so minimize the risk of legal noncompliance, as these legislative options are addressed.
Although the future of data privacy legislation is unclear, the only thing certain is change. In addition to actively monitoring legislative proposals, businesses hoping to shore up their data privacy and security posture should conduct a data privacy and security assessment with the help of a professional who understands current data privacy and security laws and how those laws are changing.
As part of the assessment, well-positioned businesses will at minimum complete a data inventory detailing the information that the business collects and holds, how the data is transferred, and who has access to it. Based on that inventory, the business can take steps to address both internal and external risks: adopting internal policies and plans like an incident response plan, addressing third-party vendor risks through contract or otherwise, using IT solutions, and reassessing its cyber liability insurance.
Companies familiar with GDPR (General Data Protection Regulation) compliance might have already considered these steps, but many US companies that have not worked toward GDPR compliance would benefit from them too. Although these policies and procedures will require updating as laws change, they can and should be drafted to be adaptable.