January 28 is Data Privacy Day. It’s a relatively new event, as international commemorations go. It began in Europe 15 years ago, to honor the signing of the first-ever data-privacy treaty, which was back in 1981. Today, it’s observed in 51 nations to raise awareness about the importance of protecting privacy and data.
At the time of that first treaty in 1981, everything from your medical record to your passport to your library card was a piece of paper. Your TV had an antenna, not a cable. The height of technology that year was the introduction of MS-DOS and the 3 ½” floppy disk.
Contrast that with today. According to TechJury, the average human created 1.7MB of data per second in 2020 – and by 2025, the cloud will hold more than 200 zettabytes (a zettabyte is one trillion gigabytes). While the oft-quoted statistic that “90% of the world’s data was created in the last two years” may not be perfectly accurate, it’s a useful mental image in a field where words like “quintillion” and “exabytes” get thrown around.
Simply put: there’s a lot of data out there on every person.
Also, the balance of our offline and online lives is shifting. We now regularly have conversations about how much of our lives are lived entirely digitally, and what that will look like as the balance continues to favor our digital selves. (For more on this, check out our recent blogs on the metaverse and NFTs.)
If this sounds like a lot of change for regulators to keep up with, it is. And it hasn’t been a perfect process. In the absence of a federal privacy law, the United States has seen a patchwork of state privacy regulations. California, Virginia, and Colorado have been leading the charge, with each state enacting its own omnibus privacy legislation – and all three will go into effect in 2023.
It’s time to make sure you understand your data, and the structures you have in place to protect it.
Healthcare businesses have an advantage in this data-sensitive world, say the folks at McKinsey: in a 2019 survey of 1,000 consumers, respondents viewed healthcare and financial services firms as most trustworthy. They’re also more likely to trust companies that only ask for information that’s relevant to their products. So what can we do to keep (or earn) that trust?
Here are some starter questions for you to consider with your data teams:
- About your data: What data have you collected in the past? What data are you collecting now? Where is all of that data? How is it being stored? How has it been used in the past, and how is it being used now? How is it being shared? Who has access to it? What have they done with it, and what do they have the capability to do with it?
- About your compliance programs: Are they being updated to calibrate against each of the three new frameworks?
- About your abilities: How will you receive and answer any data privacy rights requests from people in each of those three states?
- About your paperwork: Are your privacy policies up to date? Are your contracts with all of the third parties that handle your data up to date?
Information-industry experts estimate that these new laws could cost businesses hundreds of billions of dollars each year, according to MediaPost. Federal legislation similar to the European Union’s General Data Protection Regulation (GDPR) is what many see as the answer – one framework instead of overlapping ones – but for now, that’s just not where we are.