Why and How Shred America is Responding to New State Privacy Regulations
Shred America’s clients are rightfully focused on their core competencies. That’s how it's supposed to be. All organizations should be.
Our focus at Shred America is on providing state-of-the-art, compliant, secure data destruction services, which, from our point of view, includes staying on top of relevant, changing regulatory requirements. Not only is this integral to our ability to provide compliant services, but it also means our clients don’t have to worry about it. When it comes to the secure disposal of sensitive information and regulatory compliance, it is our job to keep our clients informed, not the other way around.
Almost overnight, as regulations go, nineteen states have enacted new data protection and privacy regulations that grant individuals (data subjects) control over their personal information and impose a number of new obligations on the businesses to whom they have entrusted it. This trend has such momentum that we expect every state to follow suit in short order.
Our first response to any new data-related regulation is to evaluate its impact on our compliance and how we interact with our clients. More broadly, we also look to how it impacts our clients’ overall compliance. This latter consideration extends beyond data destruction and allows us to advise clients more generally to keep them on the right side of things. Of course, this is only possible because Shred America closely tracks regulatory changes and has the acumen and credentials to meaningfully conduct such evaluations and provide such advice.
For Shred America, the response to new state regulations required that we modify our public-facing privacy policy and our operational (processing) policies to acknowledge and cooperate with clients’ new data subject rights obligations. Secondly, it required that we execute the Data Processing Agreement (DPA) with all our affected (state-specific) subcontractors. The DPA, which ensures processors’ assistance in fulfilling data subject rights, is a specific new requirement (not unlike HIPAA’s business associate agreement).
For our clients and prospects, depending on the states in which they operate, their size, and the nature of their business, Shred America is actively offering tools, such as a sample DPA, which is now required of all their data processors. We are also offering to answer any questions and help them determine how to prepare for all their new obligations and the fulfillment of new data subject rights.
Is this above and beyond our duty to our clients? Clearly, we don’t think so. We believe our clients and prospects should expect no less.
Contact Shred America today. We’d love to answer your questions and explain how we can help.
________
New State-Level Privacy Regulations
The California Consumer Privacy Act, as amended by the California Privacy Rights Act
Colorado Privacy Act
Connecticut Data Privacy Act
Delaware Personal Data Privacy Act
The Indiana Consumer Data Protection Act
Iowa Consumer Data Protection Act
The Kentucky Consumer Data Protection Act
Maryland Online Data Privacy Act
Minnesota Consumer Data Privacy Act
Montana Consumer Data Privacy Act
Nebraska Data Privacy Act
New Hampshire Senate Bill 255
New Jersey Senate Bill 332
Oregon Consumer Privacy Act
Rhode Island Data Transparency and Privacy Protection Act
Tennessee Information Protection Act
Texas Data Privacy and Security Act
Utah Consumer Privacy Act
Virginia Consumer Data Protection Act