If you thought electrical contractors were immune to the ongoing proliferation of data and information privacy laws, think again. In several different ways, ECs may be on the hook for personal information obtained during client projects and even data obtained on employees. It’s something that needs to be on the radar, if it isn’t already.
There has been a definite spike in new legislation introduced since the beginning of 2019 targeting data privacy. That trend will continue as consumers raise concerns about what and how personal information is collected and stored. These laws, designed to protect customers and employees, mean electrical contractors need to pay closer attention to who they do business with (i.e., global companies) and the way they treat, use and archive personal data. Recent laws are designed to give consumers more control over how their data is collected and require companies to justify what they do with this information. They also give companies guidelines on what they can and cannot do with personal data and require them to be clearer about their policies and practices.
As digital technology, open systems and the internet of things continue to grow, there is a proliferation of connected systems, processes, cities and people—and mounting concern over information collection, storage and archiving. According to the Security Industry Association’s 2019 Security Megatrends Study, data privacy is one of the top 10 influencing factors to have a sweeping impact on almost all businesses within the industry. In addition, according to a Harris Poll and Finn Partners survey, Social ROI Index, 65 percent of Americans believe data privacy is the number one issue for companies to address and most pressing to those surveyed.
GDPR and CCPA get the ball rolling
That is certainly evident as the first few months of 2019 saw numerous states introduce privacy bills, following on the heels of the European Union’s (EU) General Data Protection Regulation (GDPR) enacted in May 2018 and the California Consumer Privacy Act (CCPA) signed into law in June 2018.
The EU created GDPR to unify data privacy laws and mandate that businesses remain transparent about customers’ personal information. This regulation also can affect North American-based companies handling EU information and data—and noncompliance can lead to hefty fines. Much of the language in the emerging bills and legislation closely follows the GDPR.
GDPR has a broad focus and includes personal data in many different parts of an organization, including IT in addition to electronic security, surveillance and physical access control. Video in which a person can be identified is considered personal data and subject to GDPR guidelines. Activities tracked by an access control system, as well as license plate numbers recorded by license plate recognition (LPR) technology, also come under the ruling. Under its regulations—and because cybersecurity was a main driver of GDPR—when a data breach has been detected, the company is required to notify users within 72 hours.
While GDPR is EU legislation, it impacts the rest of the world, including U.S.-based businesses. Under GDPR, companies (including security contracting firms) need to follow the law’s guidelines when collecting or using personal data, including names, contact information and images taken on security cameras.
In the example of CCPA, slated to go into effect on Jan. 1, 2020, the consumer has the right to request that a business that collects personal information disclose the categories and specific pieces of personal information obtained. CCPA also includes minimal levels of security required for companies to protect personal information and what information on employees can be retained and for how long during/after employment.
While the CCPA has high thresholds for which firms are covered—those with 50,000 records or $25 million in revenues or primarily in the business of selling personal information—it could include a company’s clients as well.
Some of the proposals mandate consumers must be allowed to access information about themselves, opt out of disclosures to third parties and, in certain circumstances, demand deletion of their personal data.
There is also the looming concept of the right to be forgotten. This concept and practice in the EU and Argentina essentially permits individuals to have information, photos and videos deleted so they can’t be found by internet search engine records.
As a result of all of this transparency, data privacy and information security have become a concern for every company that has access to and keeps customer data, site information, surveillance footage of others—and that includes electrical contractors doing low-voltage, security and integrated systems. There may be an after-effect on video storage and archiving and how to permanently delete recorded video.
In the grand scheme of things, it’s a wonderful world we live in, now guided by digital technology, networking, transparency and open systems and protocols. This new reality, however, can thrust electrical contractors into the latest data privacy challenges with customers and employees, so it’s important to stay ahead of new and emerging regulations and even consult with a privacy expert for circumstances that seem unclear.