The Irish High Court, Ireland's data privacy watchdog, has won a legal fight over Facebook's data flows between the EU and the US. When the EU-US Privacy Shield was ruled insufficient in protecting the privacy of EU data subjects last year, many companies were left in an uncomfortable state of limbo waiting. Any organization moving data about EU residents from the EU to the US has been in the dark on whether they were still in compliance.

This year has already seen over 100 GDPR non-compliance decisions. Mostly limited to regional companies, but a few have made larger news. The latest company poised to be fined is Disqus. Disqus is a commenting platform that companies can embed in their sites or applications to allow visitors to leave comments on individual articles or pages. Norway's data protection authority has notified Disqus that they intend to issue a non-compliance fine of NOK 250,000,000 (about EUR 2,500,000).

Data breaches are big news. They come with a major hit to the trust customers have with a business, and even parts of the world that don't have data privacy laws will often have some form of data breach law. It might be surprising though, for those focused on GDPR, that data breaches don't account for the greatest number, and greatest monetary value, of GDPR fines.

Data privacy regulation has made great steps toward protecting the privacy of people using web products, but it has come with user experience friction. Consent and disclosure banners are a solution for compliance, but they are not elegant. Browser makers, the W3C, and a group of participating organizations are working to fix that. The first step is a proposal called Global Privacy Control (GPC).

Working toward GDPR compliance means taking inventory on the data you collect and process. You've mapped your data, have a catalog of impact assessments, but now you need a way to present it in a way that regulators can look over. As far as the general data protection regulation (GDPR) is concerned, every piece of data processing you do needs a record, and those records are stored in a record of processing activities (ROPA). Regulators use a ROPA to get a full picture of your data processing.

Data protection impact assessments (DPIA), sometimes referred to as a Privacy Impact Assessment (PIA), are a tool used to describe how you intend to process and protect the personal information(PI, PII, etc) of individuals. Many forms of regulation including the GDPR and some compliance standards will require a DPIA depending on the risk levels associated with the data you are processing.

As builders of software we like to talk about user-centered design. We put ourselves in the mindset of the person using our app, service, or product. Successful user-driven companies bake this process into every part of their software lifecycle. It doesn’t stop at the initial research. Every decision is paired with the question: What about the user? The same approach can be taken when building with privacy in mind. The notion of Privacy By Design (PbD) does that.

Mapping and cataloging personal information collected from users is time-consuming. It is error-prone, and relies on hunting down information from multiple departments. For many teams, creating an accurate data flow map will be the hardest part of completing GDPR Article 35's data privacy impact assessment (DPIA) or any privacy impact assessment (PIA). Even for smaller businesses with limited departments and fewer software offerings, determining how data exists and how it moves can be a challenge.

In the fall of 2020, voters in California approved the California Privacy Rights Act (CPRA). Touted as California Consumer Protection Act (CCPA) 2.0, the CPRA is more an addendum and expansion of CCPA rather than an entirely new law. Think of it as an update that fixes unclear parts of the previous law and adds new systems to better handle the existence of the law itself. As there are a few “breaking changes”, the 2.0 moniker is pretty apt for those in the software world.

The General Data Protection Regulation (GDPR) set a huge precedent in modern digital privacy regulation. We've seen regions throughout the world adopt similar data protection laws in the time since its inception, and the financial liabilities are only part of the story. Customers and users of software products are now savvier than ever when it comes to understanding the importance of data privacy rights.