- One of the biggest operational data privacy challenges organizations face is privacy program oversight. Traditionally, many organizations adopted the "three lines of defense" privacy framework. Under this model, a Privacy Officer (and others who manage the privacy program) sits in the second line. First-line workers implement many of the privacy activities within their business units, typically on a part-time basis. The third line, most often located in the organization's compliance department, is responsible for auditing the privacy program.
- More recently, organizations are finding more operational success with enhanced full-time privacy expertise within their business units. More Chief Privacy Officers see themselves in hybrid roles, sitting in both the first and second lines, allowing them to manage their programs but also closely oversee program implementation and enhancement efforts. Organizations also see an advantage for third-line auditors to have more expertise with data privacy. Privacy professionals should continue to work with their leadership to organize privacy functions best aligned to their business operations, jurisdictions, and strategies, as well as continuously documenting and demonstrating value to maintain appropriate budgets and staffing.
- UK: ICO and NCSC advise against payment of ransoms to cybercriminals: The Information Commissioner's Office ('ICO') issued, on February 16 2023, a press release stating that it had sent a joint letter, along with the National Cyber Security Centre ('NCSC'), to the Law Society to remind the Society's members to refrain from advising clients to pay ransomware demands should they fall victim to cyberattacks. Some firms are paying ransoms with the mistaken expectation that this is the right thing to do and may gain benefit from it by way of reduced enforcement, and that they do not need to engage with the ICO as a regulator. The ICO highlighted that paying ransoms to cyber criminals to release locked data does not reduce the risk to individuals affected, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.
- Netherlands: AP issues opinion on use of personal data for scientific research purposes: The Dutch data protection authority ('AP') issued an opinion on research into excess mortality. The AP concluded that the provision of vaccination data to researchers is possible and lawful under the General Data Protection Regulation ('GDPR') and the legal framework for Statistics Netherlands ('CBS'). The AP clarified that the GDPR does not apply to the processing of health data of deceased persons, but that data collected in the context of a treatment relationship will continue to be subject to professional secrecy and confidentiality after death.
- Missouri: Senator Hawley introduces MATURE Act to enforce age restrictions on social media: The MATURE Act was introduced to the Missouri Legislature and the Committee on Commerce, Science, and Transportation on February 14 2023. This Act aims to enforce an age restriction of 16 years old for all social media platform users. The bill is specifically intended to prevent harm to children by social media companies. Furthermore, this bill proposes a ban on all social media accounts for users under 16, and a right to private action to hold social media companies accountable – effectively creating an audit process.
- USA: Rule on access requests under the privacy act proposed by the SEC: The Securities and Exchange Commission ('SEC') announced, on February 14 2023, that it had proposed a rule that would revise the SEC's regulations under the Privacy Act of 1974. The SEC explained that the current rules provide procedures for submitting requests under the Privacy Act, including requests for access to and the amendment of records pertaining to the individual making the request, and that the revisions will clarify, update, and streamline the language of several procedural provisions.
- Marketing and Data Privacy: Marketers are balancing the desire for personalization with the need for data privacy by implementing "smarter" marketing practices. As customers, authorities, and technology firms grow more concerned about data protection, the marketing sector is changing. The recent introduction of the American Data Privacy and Protection Act (ADPPA) in the US represents a significant turning point in data privacy negotiations, with predictions estimating that 65% of the world's population will have access to contemporary privacy laws by 2023. Therefore, in today's market, brands must adopt transparent data collection methods and consider consumer privacy in their marketing strategies.