In 2020, we saw the California Consumer Protection Act (CCPA) become effective; the EU-US Privacy Shield invalidated as a transfer mechanism under the General Data Protection Regulation (GDPR); and more than 30 state privacy bills introduced during the 2020 legislative session. Privacy requirements at local and international levels are becoming more stringent, and consumers’ privacy concerns are at an all-time high. Here are our 2020 top privacy tips to keep you and your business on regulators’ and consumers’ “nice” list into the New Year.

Train your employees

Employees were the leading source of security incidents in the US in 2020. Providing periodic privacy and security training is essential to combatting data breaches and protecting customers’ data. If your employees handle personal data, they should be trained on key privacy terms; the general requirements of data privacy laws like the CCPA and the GDPR; and company policies and procedures for keeping personal information safe.

Map out your data

Companies must understand what data they are collecting, how it is being used and with whom they are sharing it to comply with privacy regulations, respond to consumer requests and manage risk. Investing time and money in a data map that shows all data entering the company and its path around and out of the organization will prove invaluable when managing vendors; responding to access and deletion requests; and identifying cross-border data transfers subject to international privacy laws.

Review and update your privacy policy

Providing customers with a concise, accurate privacy policy is one of the most important aspects of data privacy. Review your company’s privacy policy at least annually, and update your privacy policy when the company begins collecting a new type of personal information or starts using personal information for a new purpose not previously disclosed. Properly notify your customers of any material changes to your policy and get consent to the new terms if necessary.

Choose your third-party vendors wisely

You likely use dozens of third-party vendors to assist in collecting, storing, and analyzing customer data. Before engaging a new vendor, review its privacy and security policies to ensure the vendor places as much value on data privacy as you do. Typically, you should sign a data privacy agreement with vendors detailing their privacy and security obligations.

Utilize Facebook’s LDU feature

To support CCPA compliance efforts, in 2020, Facebook introduced a new feature allowing businesses to limit how Facebook uses your customers’ data. When a business applies Facebook’s LDU feature, Facebook will be prevented from using your customers’ data for its internal purposes. According to Facebook, you can transfer customer data to Facebook without the transfer being considered a sale of information under the CCPA.

Conduct data protection impact assessments

The GDPR first introduced the concept of a data protection impact assessment (DPIA), requiring companies to assess risk associated with new projects that are likely to involve a “high risk” to individuals’ personal information. Regardless of whether your company is subject to the GDPR, conducting a DPIA before beginning a new project can help your company better understand the privacy and security risks and take measures to decrease or eliminate risks prior to implementation.

Encrypt sensitive data

Most state data breach laws have a safe harbor under which a company is not required to notify customers or authorities of a data breach if the lost data was encrypted and the decryption key was not compromised during the breach. Consider encrypting all databases holding sensitive personal information like credit card numbers, bank account numbers or Social Security numbers to take advantage of safe harbor provisions.

Implement a data retention plan

Data minimization is a fundamental privacy principle found in almost all data privacy and cybersecurity regulations. Creating and implementing a data retention plan is essential to lowering storage costs and minimizing security risks. Remember, you can’t lose data you don’t have. To retain certain data for analytics purposes after the retention period has expired, consider anonymizing the data so it is no longer subject to data privacy laws.