How managed services can support and extend data privacy
Traditional privacy programs are starting to crack beneath the weight of growing online commerce and heavier regulation.
With the surge in online commerce, many businesses have an unprecedented volume of consumers and are quickly launching new products and sales channels. To comply with the latest privacy regulations, businesses need to inventory, protect and manage all of the data from those new consumers and channels – and more regulations are on the way.
“There’s no question that this landscape is rapidly changing beyond the current regulations. There are dozens of new privacy laws that exist or will exist in the next few years, and the US alone will likely have several more laws that come into force before a law is put in place federally.”
“There’s no question that this landscape is rapidly changing beyond the current regulations,” said Grant Thornton Financial Advisory Services Senior Manager Ariana Davis. “There are dozens of new privacy laws that exist or will exist in the next few years, and the US alone will likely have several more laws that come into force before a law is put in place federally.”
Businesses will likely need to accelerate their implementation of sustainable data privacy programs – if they can. “Many businesses find it challenging to manage their privacy programs in the context of this evolving regulatory landscape,” said Grant Thornton Financial Advisory Services Manager Fiona Ren. “Between building an individual rights management process, handling inquiries from consumers and employees, maintaining data inventory and monitoring privacy regulatory changes, there is a significant operational burden on organizations,” Davis said.
Corporate privacy, legal, IT and business teams have been forced to manage new privacy activities along with their existing work. These internal teams are struggling to respond to requests, maintain the data inventory and monitor the changing regulatory environment, with limited time to focus on privacy risks and other core business objectives. Ultimately, such organizations risk being out of compliance with new regulations. They can get tangled in a complex web of resource-draining privacy maintenance projects that are repeatedly triggered by product or regulatory changes from all directions.
Empower your plan
To achieve ongoing compliance and efficiency, businesses need a privacy program that continuously monitors privacy risks, improves its effectiveness and provides a seamless experience for consumers. Managed services can provide operational support and expertise to maintain a privacy program while also informing the organization about risks and issues that require input. This is especially helpful for businesses that lack privacy resources or expertise, or businesses that have a high or varying volume of privacy rights requests, impact assessments or inventory needs.
“Typically, there are two types of service engagement models for managed privacy services,” Ren said. “One is co-sourcing, where the managed service provider will provide privacy specialists to supplement the organization’s privacy operations using the organization’s existing processes and technology. The other is the turnkey model, where the service provider will provide resources and also bring in their own technology platforms with their proprietary methodology and processes tailored for the client.”
There are six specialized capabilities that managed services can provide or supplement to empower your privacy plan: privacy rights management, data inventory management, privacy impact assessment (PIA), privacy tool management, privacy regulation updates and privacy assurance.
1. Privacy rights management
Several privacy regulations stipulate that consumers have the right to access, change or delete their data. Businesses need to manage these rights and the associated requests without burdening limited or high-level staff. Businesses might also need to manage access rights and requests from vendors and other business partners. Request volume can vary throughout the year, significantly increasing during breaches, marketing campaigns or other activities that bring the company into the public spotlight.
Managed services can provide privacy specialists to manage, triage, coordinate fulfillment, respond to individuals and track requests. Then, businesses can review and approve communications and results from identity verifications and data retrievals, making decisions on request denials. “From an operational efficiency and accuracy perspective, managed services can provide a business with peace of mind when the future volume of privacy requests is unknown,” Ren said.
2. Data inventory management
You need to continually maintain, update and enhance your data inventory. An ongoing data inventory sets the foundation for your privacy program. “It’s really critical to know where your data is, but it’s a time-consuming process to inventory your data and map out data flows to understand exactly where and when it’s leaving your organization – and what the downstream obligations are for that data flow,” Davis said. Many businesses have paid the price for having outdated data inventories that led to unprotected data. “The majority of the regulatory fines we’re seeing are based around the breach. Knowing where the data resides will allow you to put increased controls in place and manage some of the downstream implications.”
3. Privacy impact assessment (PIA)
A PIA evaluates data protection risks and makes companies evaluate and document risk mitigation plans. PIAs are a leading practice, and many privacy regulations require that companies complete PIAs for higher risk processing activities and for new projects that pose risks to personal data. If your data and data protection risks continually change, this assessment is an ongoing activity.
Managed services can help run a PIA, evaluate risks, document responses, manage remediation tracking and provide regular updates. Then, businesses can receive regular status updates, reviewing and approving the risk evaluation and remediation activities. “Managed services will run DPIA processes from launch, documentation, validation, improvement, review to finish,” Ren said. “Afterward, companies often demonstrate enhanced compliance status, cost savings and improved stakeholder relationships.”
4. Privacy tool management
Many companies use privacy technology tools to support their privacy program. These tools take a significant burden off the privacy team and provide automation to streamline many privacy program activities. However, as the regulatory environment continues to change, so do the privacy tools. As a result, companies are forced to monitor tool updates and then to update configurations accordingly. Companies do not always understand the best way to leverage the solutions, and often find it challenging to get the answers that they are looking for from their technology vendors.
Managed services can help manage your tools, apply and test new updates and monitor the health of the technology platform. Managed services teams regularly work with privacy solutions in a variety of client environments and can provide unique insights regarding how to optimize the solution and maximize your ROI. This ongoing management can also help to identify when tools will require changes or reconfigurations to accommodate new changes in your products, distribution or sales channels.
5. Privacy regulation updates
Regulatory changes don’t come with a software update. Each business has to discern if and how it needs to update its tools and processes to stay in compliance. Sometimes, that requires a rare mix of legal and technical knowledge. Sometimes, it’s clear, but there’s a lot of work to make the change.
Managed services can track new and changing privacy laws, rationalizing them against the current framework so that businesses can review chances to enhance the privacy program for other changes in privacy landscape. “Many businesses realize that they don’t have the knowledge or expertise to adapt, enhance and scale their privacy programs in alignment with the GDPR, CTPA and many more up and coming privacy regulations,” Ren said.
6. Privacy assurance
Once your enterprise privacy program is established, it is time to think of future-proofing, maintaining and improving. A privacy assurance function can help organizations improve the accuracy and compliance of their data privacy, with less burden on internal auditors. But the function will require expertise and input about the organization's privacy operations and IT processes.
Managed services can provide expertise to develop and maintain a rationalized privacy controls framework, conducting quarterly privacy compliance testing and reporting to board members and internal auditors. “A robust and scalable privacy compliance framework serves as a source of truth so that the privacy program can support audit committee reporting and oversight. By investing in the privacy assurance function, organizations can quickly identify regulatory deltas and gaps to focus their improvements” Davis said.
“Managed services can provide organizations with expertise and operational support, while keeping management abreast of risks and issues that require their decisions.”
Plan your approach
Every business needs to understand its obligations to protect customer data. As those obligations become more significant and complex with new regulations and online commerce changes, businesses need to ensure that their data privacy programs adapt.
“Building a mature privacy program is going to require a level of commitment, resources and expertise,” Davis said. “Managed services can provide organizations with expertise and operational support, while keeping management abreast of risks and issues that require their decisions,” Ren said.
“It’s about finding that balance between the business needs, the benefits and the associated costs,” Davis said. The first step is to understand the obligations that your privacy program must fulfill. Then, you can consider if and how you should call upon managed services to empower a privacy plan that keeps you in compliance.
Our privacy and data protection insights