Data Management Compliance Begins Here
Expert Insight

Steve Britt, managing partner of Britt Law LLC
The concept of beginning a task with the end in mind is attributed to the ancient philosopher Seneca in 49 A.D., but more recently to Stephen R. Covey, author of the best-seller The 7 Habits of Highly Effective People. Its relevance here is that so much change is taking place in data protection law that for this piece I focus on what data management compliance really means.
Everyone is already thinking about these issues in one way or another. Whether you are building a business that collects personal information or building AI tools to support key decisions, here is what you need to know.
First, here are some key elements of the current legal landscape:
- GDPR (General Data Protection Regulation) applies to all 27 EU member states,
- The EU AI Act applies to all AI Systems introduced or used in Europe,
- 23 states have passed data privacy laws,
- 3 laws & the FTC (Federal Trade Commission) regulate the collection and use of “consumer health data,” information about a person’s past, present or future physical or mental health (including online research),
- 3 states (CO, UT & CA) have passed Artificial Intelligence (AI) laws with TX pending,
- California is enacting ADMT (Automated decision-making technology) risk management regulations,
- All these laws require data protection & AI risk assessments, and
- Trump & the US House have released RFIs for development of a privacy & AI game plan.
Second, here are just a few of the key elements of a game plan for data management compliance:
- Conduct a privacy impact assessment (or data inventory),
- Draft new privacy notices that meet these laws & match your actual data practices,
- Implement data subject rights (right to know, access, correct & delete),
- Comply with the rules for opt-in/opt-out rights, sale of data, targeted advertising, profiling & use of tracking technologies,
- Draft cyber, data protection & AI assessments,
- Provide employee training, and
- Establish reasonable data security safeguards.
While much has happened regarding data management, much more is on its way. You should make wise use of this time: educate yourself, learn where your business model fits into this landscape, and incorporate compliance into your product roadmap and company story. It is critical to your success.
The process begins with a granular assessment of your current and planned data practices. This is far broader than CMMC assessments and cannot be automated. It requires unique expertise. One thing is clear – these challenges are not going away. They will only expand in complexity and risk.
About the Author: Steve Britt is the managing partner of Britt Law LLC. He spent the past 5 years as Counsel, Cyber, Data Privacy & Artificial Intelligence for Parker Poe law firm. Steve holds the CIPP/E, CIPM and AIGP certifications. You can find his blog posts and webinars on these issues HERE.