February 18, 2022
US Privacy Compliance: Step 1 – Discovering and Mapping Personal Data
It is well documented that the privacy landscape in the US is becoming a more complex space to navigate – especially given the passing of the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) in the first half of 2021, and the Utah Consumer Privacy Act (UCPA) and Connecticut Data Protection Act (CTDPA) in the first half of 2022. On top of this, new comprehensive privacy bills are still being discussed, in states like New York for example – a theme that looks set to continue for the foreseeable future, or until a federal privacy law, like the current ADPPA bill submitted to the House of Representatives, can be agreed upon.
With the CDPA, CPA, UCPA, and CTDPA in mind, as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), organizations operating in the US need to understand what data they are collecting and how it is protected under each applicable law. A foundational step in any privacy program is a data discovery and mapping exercise; but with provisions varying state by state, the necessity to perform this exercise becomes more apparent for US organizations in order to understand their obligations.
The complexities of US privacy compliance for data discovery and data mapping
The introduction of the aforementioned laws, coupled with the privacy issues raised by the coronavirus pandemic, has brought the need for understanding your data to the forefront of people’s minds. For example, several nations, including the US and the UK, introduced mandates requiring organizations to collect the vaccination status and/or results of recent coronavirus tests from employees. Such health data is typically regarded as sensitive personal information (SPI) and often this means it should be handled with special consideration. While some of these mandates have been withdrawn, they highlighted the privacy implications of processing sensitive personal information.
In the context of US state privacy laws, each state has a slightly different definition of SPI. To add to this, the requirements around the processing of SPI vary from state to state. The CPRA gives consumers the right to limit the use and disclosure of SPI, although it still permits processing under certain circumstances. The CPA, CDPA, and CTDPA, by contrast, deal with SPI by requiring consent for processing. The UCPA, on the other hand, does not require consent to process SPI, but does require the company to present a notice and an opportunity to opt out.
This is just one example of the complexities of juggling the compliance requirements of multiple US state privacy laws. And it highlights the need for organizations to perform a comprehensive data discovery and mapping exercise to centralize and categorize personal information to form the foundation of their privacy program. Once data is found and mapped, you can have a much better view of what that data is, where it lives, how it is classified, and what laws and policies apply to it.
Why is data discovery and data mapping important?
When it comes to discovering and mapping personal data that your organization holds, you must first consider the location and format of the data. Automated data discovery solutions can scan across cloud and on-prem data sources to discover structured data and unstructured data such as that found in email, PDFs, and images.
Delivering this data into a centralized data map helps give organizations a holistic view of their data. From there privacy, security, and governance teams can accurately classify data across diverse sources and evaluate the appropriate policies that apply under the CCPA, CPRA, CDPA, CPA, UCPA, and CTDPA as well as other applicable global privacy laws.
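The following is an added illustration of the discovery-and-mapping step described above; it is not OneTrust code. It scans two constructed sources, a structured HR table and a set of unstructured email bodies, tags the personal data categories it finds with simple regular expressions, treats health data (vaccination status and test results) as SPI, and records against each data map entry the state-specific SPI handling rule summarised earlier in this post, keyed on the data subject's state of residence. The detection patterns, source names and sample records are assumptions made for the example; a production classifier would be far broader, and general (non-SPI) obligations are not modelled.

```python
"""Toy data discovery and data map builder (added example, not OneTrust's code)."""
import re
from dataclasses import dataclass, field

# Detectors for personal information categories. Patterns are illustrative
# assumptions for this example, not a production classifier.
PI_PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Health data (vaccination status, test results) is treated as sensitive
# personal information, as the post describes.
SPI_KEYWORDS = {
    "health_vaccination": re.compile(
        r"\b(vaccinat(ed|ion)|booster|covid[- ]?19 test|positive test|negative test)\b", re.I),
}
# SPI handling rule per state, taken from the post's summary of each law.
STATE_SPI_RULE = {
    "CA": "CPRA: consumer right to limit use and disclosure of SPI",
    "CO": "CPA: consent required to process SPI",
    "VA": "CDPA: consent required to process SPI",
    "CT": "CTDPA: consent required to process SPI",
    "UT": "UCPA: notice and opportunity to opt out before processing SPI",
}

# Constructed sample sources (not real data).
HR_TABLE = [
    {"employee": "A. Example", "state": "CA", "email": "a.example@corp.example",
     "vaccination_status": "Vaccinated, booster 2021-11"},
    {"employee": "B. Sample", "state": "UT", "email": "b.sample@corp.example",
     "vaccination_status": "Not vaccinated"},
]
MAILBOX = [
    {"id": "msg-001", "state": "CO",
     "body": "Hi HR, attached is my negative test result from Monday. Call me at 303-555-0100."},
    {"id": "msg-002", "state": "VA",
     "body": "Reminder: the quarterly all-hands is Thursday at 10am."},
]


@dataclass
class DataMapEntry:
    source: str                 # system where the data lives
    location: str               # column name or document id within the source
    categories: set = field(default_factory=set)
    sensitive: bool = False     # True when any SPI category was detected
    obligations: set = field(default_factory=set)


def classify_text(text):
    """Return (categories found, whether any of them is SPI)."""
    categories = {name for name, rx in PI_PATTERNS.items() if rx.search(text)}
    spi = {name for name, rx in SPI_KEYWORDS.items() if rx.search(text)}
    return categories | spi, bool(spi)


def obligations_for(states, sensitive):
    """Map the data subjects' states to the SPI rule each state applies."""
    if not sensitive:
        return set()  # general PI obligations are outside this example
    return {STATE_SPI_RULE.get(s, f"{s}: no rule in this example's table") for s in states}


def scan_structured(source, rows, state_field="state"):
    """Scan a table column by column; each column becomes one data map entry.
    Columns with nothing detected stay in the map so reviewers can confirm coverage."""
    entries = {}
    states = {r[state_field] for r in rows if r.get(state_field)}
    for row in rows:
        for column, value in row.items():
            if column == state_field:
                continue
            entry = entries.setdefault(column, DataMapEntry(source, column))
            cats, sensitive = classify_text(str(value))
            entry.categories |= cats
            entry.sensitive = entry.sensitive or sensitive
    for entry in entries.values():
        entry.obligations = obligations_for(states, entry.sensitive)
    return list(entries.values())


def scan_unstructured(source, docs):
    """Scan free-text documents; only documents containing personal data are mapped."""
    entries = []
    for doc in docs:
        cats, sensitive = classify_text(doc["body"])
        if not cats:
            continue
        entries.append(DataMapEntry(source, doc["id"], cats, sensitive,
                                    obligations_for({doc["state"]}, sensitive)))
    return entries


def build_data_map():
    """Combine all scanned sources into one centralised data map."""
    return scan_structured("hr_db", HR_TABLE) + scan_unstructured("hr_mailbox", MAILBOX)


if __name__ == "__main__":
    for e in build_data_map():
        flag = "SPI" if e.sensitive else "PI " if e.categories else "-  "
        print(f"{flag} {e.source}/{e.location}: {sorted(e.categories)} {sorted(e.obligations)}")
```

The map is keyed by source and location rather than by record, which is the view privacy, security and governance teams need: it answers "where does health data live, and which state rules attach to it" without copying the underlying personal data into the inventory itself.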
OneTrust data mapping automation enables organizations to unify and scale US privacy compliance efforts within a single code base that can continuously scan and monitor assets across structured and unstructured data and flag when new types of data appear in those systems. OneTrust also helps to catalog and classify all personal and sensitive personal information while tracking key attributes for regulation-specific compliance.
To see how OneTrust can help with your compliance with US state privacy laws, or how it can help you with automated data discovery and data mapping, request a free demo and speak to one of our experts today.