MNCPA is here for you.
Let us know how we can help.

Emerging trends in data governance and privacy

And the increased risk in a work-from-home world

Thomas G. Stephens, Jr., CPA, CITP, CGMA | April 2021 Footnote

Editor's note: Updated March 31, 2021

Data governance and privacy issues have escalated in recent years, and that trend shows no signs of abating. This trend is further compounded by a large percentage of the professional workforce officing out of their homes and elsewhere, potentially putting data at risk without the usual safeguards of the office.

With that in mind, business professionals have an absolute need to understand critical emerging trends in data governance and privacy to maintain all impacted parties’ confidence and avoid potentially costly fines and penalties. This article explores these issues and provides a path forward for ensuring data governance and privacy.

Two critical pieces of legislation

Although the issue of data governance and privacy has been gaining momentum for years, two relatively new pieces of legislation vaulted this topic to one of the most important challenges facing businesses of all sizes. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) forever changed how organizations face data governance and privacy issues.

Summarizing the General Data Protection Act

Member countries of the European Union passed GDPR in 2016, and the law became effective in 2018. Although it originated in Europe, GDPR is a “long-arm statute” designed to protect EU countries’ citizens. Therefore, it potentially applies to businesses worldwide if they have customers or clients in the EU, regardless of whether they have assets, employees or operations in the EU.

Perhaps the most crucial aspect of GDPR is that the law establishes six specific instances in which an organization can process personal data about a covered subject. These six instances include:
  1. The data subject provides unambiguous consent.
  2. Processing is necessary to enter into a contract.
  3. The company needs to process the data to comply with a legal obligation.
  4. You must process data to save someone’s life.
  5. Processing is necessary to perform a task in the public interest.
  6. You have a legitimate interest — that is otherwise not illegal — to process the data.
Failure to comply with GDPR can lead to fines of up to 20 million Euros (approximately $24 million), or 4% of a company’s global revenues, whichever is higher.

For more general information on GDPR, visit

What does the California Consumer Privacy Act require?

Similar in some respects — but quite different in others — California lawmakers passed CCPA in 2018, and it went into effect Jan. 1, 2020. Like GDPR, this legislation is a long-arm statute designed to protect individuals residing in California. Thus, even if a business has no assets or operations in California, it can still be subject to CCPA.

Specifically, CCPA established four new privacy rights for California consumers.
  1. Consumers have the right to know what information a business collects about them.
  2. Consumers have the right to demand a company delete the data the company has on file about them.
  3. Regarding the sale of personal information, consumers can demand that businesses not sell their personal information to other organizations.
  4. Businesses cannot discriminate against consumers if they choose to exercise their rights under CCPA.
CCPA does provide for some limited exceptions to smaller businesses, including those with less than $25 million in annual revenues.

Fines for not complying with CCPA can reach $2,500 for each violation and up to $7,500 per violation for each intentional act. Further, individuals can bring civil actions against businesses that do not comply with the law’s provisions.

You can access more information on CCPA at

Key takeaways and trends

GDPR and CCPA certainly are trailblazing pieces of legislation. One critical takeaway of these laws is their long-arm statute characteristics. As a result, your business can be subject to these types of regulations even if you do not have assets or operations in those states. Merely collecting information about people who visit your website can trigger a compliance issue. Clearly, no matter where your business physically resides, you must begin to identify where your customers are and identify laws in those states that potentially impact your organization.

Second, recognize that these two acts are not the only laws potentially affecting businesses. In addition to some of the “legacy” regulations that were in effect before GDPR or CCPA — for example, the CAN-SPAM Act (2003) and the Financial Services Modernization Act (1999) — at least 15 states, including Minnesota, introduced similar laws in the aftermath of CCPA, and at least 12 states enacted such laws. Accordingly, recognize this topic is not a static one. Instead, it continues to evolve rapidly, owing to the growing demand from individuals for businesses to collect and process their personal information safely and responsibly. Because of this fact, you should expect more new privacy and data governance laws and regulations to appear in the coming years.

Third, to identify where your organization might have risk in the areas of data governance and privacy, you should immediately begin conducting an “inventory” of all the individually identifiable personal data your company has on file. This assessment should include employees, customers, vendors and all other parties. Further, this process should address the data maintained in databases such as those related to your accounting, ERP and CRM applications. It must also include the data stored in “informal” environments such as spreadsheets and email contact lists maintained by individual team members. Remember, the laws do not differentiate between “formal” and “informal” data and, therefore, your organization should not either. This data inventory will help you understand where your data governance risk lies and serve as the foundation for governance activities.

Finally, in a pandemic/post-pandemic environment, consider the potential implications of remote work settings and data governance and privacy. In these environments, data often becomes decentralized and stored on team members’ local computers instead of corporate servers. If team members do not exercise appropriate security practices, like using a VPN, making sure routers are updated and properly destroying hard copies of sensitive information, this data is at greater risk of compromise and potential misuse. The concept of “data sprawl” is definitely alive and well!

Diligence is key

Data governance and privacy issues have been building for years. However, GDPR and CCPA brought this topic to the forefront of emerging business issues. Looking ahead, now is the time to plan for how your organization will comply. Begin by understanding the long-arm nature of these laws and continually identifying which emerging laws might affect your business.

Additionally, create a complete inventory of all data your organization maintains about individuals so that you can begin preparing appropriate governance strategies. And, as much as we want to put the pandemic behind us, do not ignore the potential for data sprawl in remote work settings and the associated risks. Remember, if your organization is subject to these laws, complying is not optional, and failing to comply could jeopardize your organization’s future.

Tommy Stephens is one of the shareholders of K2 Enterprises. At K2, Tommy focuses on creating and delivering content and is responsible for many firm management and marketing functions. You may reach him at, and you may learn more about K2 Enterprises at

K2 technology courses coming up

MNCPA members: Register by Friday, April 23 for
early bird savings!

Visit for details and registration.

K2’s Microsoft Teams (Virtual)
May 10 | 8:30 a.m.–noon | 4 CPE
K2’s Mastering Advanced Excel Functions (Virtual)
May 10 | 1–4:30 p.m. | 4 CPE
K2’s Working Remotely: The New Normal (Virtual)
May 11 | 8:30 a.m.–noon | 4 CPE
K2’s Implementing Internal Controls in QuickBooks Environments (Virtual)
May 11 | 1–4:30 p.m. | 4 CPE
K2’s Advanced Excel (Virtual)
May 12 | 8:30 a.m.–4 p.m. | 8 CPE

PLUS: Attend this K2-led conference for more security and productivity tips and tricks. Register early to save!
Technology Conference (Virtual)
June 3–4 | 16 CPE
Learn more at