Privacy Risk Management & Laws

Privacy Risk Management Tips

Jurisdictions outside the United States have privacy laws that must be adhered to while conducting business, collecting data, or processing data in that jurisdiction. The more common international privacy laws are the EU’s General Data Protection Regulation (GDPR), China’s Personal Information Protection Law (PIPL), Brazil’s Lei Geral de Proteção de Dados (LGPD), India’s privacy law (Information Technology Act), and Switzerland’s privacy law (Federal Act on Data Protection).

Below are the general principles across the various data privacy laws: 

  1. Identify if any privacy laws apply in the jurisdiction where business is being conducted. Such business can include research, data collection, and data processing.
  2. Know what data you are collecting, processing, and storing. This can include personally identifiable information (PII) about students and research participants.
  3. Obtain valid consent before collecting any PII data and inform individuals of how their data will be used. Consent should be given freely, be specific, be informed, and unambiguous.
  4. Implement strong security measures such as encryption, secure networks, and data access controls to ensure any PII collected is stored securely and in compliance with privacy laws. See ITS WSU Cloud Acceptable Use Matrix for best options on data storage.
  5. Consider implementing role-based controls to limit data access to employees, individuals or entities who need it to perform their duties.
  6. Respect data subject rights and be prepared to respond to requests for access, deletion, or correction, and develop procedures for handling these requests effectively.
  7. Ensure third-party contracts address appropriate data protection provisions and comply with applicable laws if sharing PII.
  8. Undergo training about data privacy laws and best practices. Ensure that employees handling data understand their responsibilities for protecting PII.
  9. Develop procedures and incident response plans to account for instances of data breaches, or unauthorized access to PII.
  10. To learn more about the laws and better understand how they apply to and affect operations, please consult with WSU’s Privacy Officer, Sally Makamson (smakamson@wsu.edu), and/or the Attorney General’s Office.

Please see ITS Data Security and User Responsibilities for more resources on protecting data, and Institutional Review Board (IRB) Human Research Protection Program (HRPPP) for research data security guidance. 

State and International Privacy Laws

The California Consumer Privacy Act (CCPA) is a state-level privacy law in California, United States, designed to enhance the privacy rights and consumer protection for residents of California. Enacted on January 1, 2020, the CCPA grants consumers greater control over their personal information held by businesses. Key provisions include the right to know what personal information is collected, the right to request the deletion of personal information, the right to opt-out of the sale of personal information, and the right to non-discrimination for exercising privacy rights. Covered businesses must provide clear and accessible privacy notices, implement reasonable security practices, and comply with consumer requests regarding their personal information.

For more information, please review the California Consumer Privacy Act.

The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation enacted by the European Union (EU). It came into effect on May 25, 2018, and is designed to empower individuals and enhance their control over their personal data. GDPR applies to businesses and organizations that process the personal data of EU residents, regardless of the location of the entity. Key principles of GDPR include obtaining explicit consent for data processing, ensuring transparent and lawful processing of data, providing individuals with the right to access and rectify their data, implementing data protection by design and by default, and imposing strict measures for data breach notifications.

For more information, please review the General Data Protection Regulation.

China’s Personal Information Protection Law (PIPL) is the country’s data privacy law, targeted at personal information protection and at addressing the problem of personal data leakage. It became effective November 1, 2021. The law applies to organizations and individuals who process personally identifiable information (PII) in China, and also to those who process the PII of Chinese citizens outside of China. The PIPL provides direction on many topics, including rules for the processing of personal and sensitive information, covering legal basis and disclosure requirements. The PIPL also introduces rules for personal information protection processors, as well as data subject rights, and outlines requirements regarding international data transfers to third parties.

For more information, please visit: https://personalinformationprotectionlaw.com

The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) is a law that was passed by the National Congress of Brazil on August 14, 2018 and came into effect on August 15, 2020.

The LGPD establishes a legal framework for the use of the personal data of individuals in Brazil. It is similar to the European Union’s General Data Protection Regulation (GDPR) and, like the GDPR, the LGPD has far-reaching consequences for data processing activities both in and outside of Brazil.

The LGPD provides data subjects with nine rights, defines what constitutes personal data and creates ten legal bases for lawful processing of personal data.

For more information, please visit: https://lgpd-brazil.info

India’s privacy law, known as the Digital Personal Data Protection (DPDP), aims to safeguard individuals’ personal data and regulate its processing. The bill requires entities handling personal data to adhere to specific principles, such as data minimization, purpose limitation, and accountability. It establishes a Data Protection Authority (DPA) to oversee compliance and enforce regulations. The DPDP provides individuals with rights regarding their data, including the right to access, rectify, and erase personal information. Additionally, it mandates data localization, requiring certain categories of sensitive data to be stored within India. The bill has an effective date of August 15, 2022.

Switzerland’s privacy law, governed primarily by the Federal Act on Data Protection (FADP), is designed to safeguard individuals’ personal data. Overall, the law aims to balance individuals’ privacy rights with the legitimate interests of businesses and organizations handling personal data.

The FADP has been in effect since 1993. However, it has undergone revisions to align with international standards, including the European Union’s General Data Protection Regulation (GDPR). The most recent revision, which came into force on March 1, 2022, strengthened data protection measures and enhanced individuals’ rights over their personal data.

For more information, please visit: https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/digitization/data-protection/new-federal-act-on-data-protection-nfadp.html

How does this apply to you?

Compliance considerations arise whenever data from these jurisdictions is collected, used, or stored for use at Washington State University.

Examples:  

  • A researcher is collecting information from subjects in France for a sleep study.
  • A business unit is considering purchasing a data storage solution and the servers that store the data are located in Canada.

If you are gathering, storing, or using data from other countries, please consult with our office.