US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements

March 2024
Region: Americas

Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.

In a recent article published by American Lawyer Media’s Cybersecurity Law & Policy, lawyers from our firm and privacy pros from Ankura Consulting break down what these new laws require and when and how to conduct and document assessments, including how to do so more effectively and efficiently using software platforms. Read the full insight above.

In addition, our firm has developed a set of data practice assessment templates and corresponding guidance materials for clients and, in association with Ankura, has developed an online assessment integrated with a leading privacy management software platform.

Contact us for more information on global data processing obligations and how our tools can help.