Data privacy enforcement is becoming a top risk that companies must consider as part of their enterprise risk management frameworks. Ever since the European Union’s General Data Protection Regulation (GDPR) passed in May 2018, more data protection laws have been proposed around the world. With that, all companies face additional scrutiny in terms of data privacy.
Within the U.S., the California Attorney General’s Office has proposed expanding enforcement authority and class action litigation under the California Consumer Privacy Act (CCPA). CCPA passed in June 2018 in response to the Cambridge Analytica scandal, and it goes into effect in 2020. It is one of the most comprehensive data privacy laws in the United States, and it expands the definition of personal information.
Additional federal and state legislation is in the works as well. Some of these proposed laws may not be enacted, but businesses need to be aware of them in case they must act on the changes the laws could bring about. Electronics recyclers and secure destruction companies in particular help their clients manage loads of personal data, and they must be prepared to help these clients comply with these laws in addition to ensuring their own compliance.
In this edition of Recycling Today’s annual Secure Destruction Supplement, Jeewon Kim Serrato and Daniel Rosenzweig, both attorneys at Norton Rose Fulbright, describe in more detail all the developments occurring in federal and state data privacy laws in the U.S. and how they could affect companies and consumers in 2019. Their article can be found here.
Finland-based Blancco partnered with Washington-based Ontrack to perform a study on data security risks in the secondhand information technology (IT) asset marketplace this year. According to that study, about 15 percent of the used data storage devices they tested contained personally identifiable information, which is dangerous if retrieved by identity thieves or hackers. Read more about this study here.
Companies are responding to these legislative changes and data privacy concerns. Chris Kropac, president of PCI Group Inc., Fort Mill, South Carolina, says regulations are one factor his company considers when handling personal information for its clients. He says PCI chose to use Weima shredders to destroy undeliverable mail for its clients because those machines allow the company to control the shred size of documents that contain sensitive, personal identifying information. For more on PCI Group and its operations, click here.
Secure destruction companies need to educate themselves on new data privacy policies so they can take a consultative approach with their clients. Serrato and Rosenzweig say data privacy “should be a top risk managed by companies as part of the enterprise risk management framework.” They add, “Companies should conduct gap assessments annually to identify any business activities that are in noncompliance or pose a high risk to the company.”