Data privacy concerns continue to grow, driven significantly by the continuing digitalization of our world — and from these concerns come the regulations.
Until recently, data privacy laws were largely location- and industry-specific, with U.S. organizations focused on health care/life sciences subject to HIPPA, financial services organizations subject to GLBA, and so on. Now, privacy protections are being extended beyond historically regulated sectors, reaching across state and even national borders to establish new individual rights and businesses obligations, regardless of industry. With both existing and new rules to follow, organizations need a coordinated privacy program to effectively respond to current privacy regulations and to anticipate those on the horizon.
Change is here; more is coming
Two compliance requirements — one international and one domestic — are setting the tone for privacy management across the nation and the world. Because both are acting as templates of sorts for others, structuring a privacy program to address these rules is a wise move toward compliance now and in the future.
The European Union’s General Data Protection Regulation (GDPR
) has been effective since mid-2018. It is already having widespread impact, with organizations worldwide subject to the rules and many adopting its principles into their own regulations. ”GDPR was the biggest change to EU data privacy in 20 years,” said Orus Dearman, managing director of Grant Thornton’s Cyber Risk Services practice and member of the Information Technology Industry’s Privacy Committee. “It’s seen as a gold standard.”
The California Consumer Privacy Act (CCPA
) is a sweeping bill that aims to strengthen individual privacy rights and data protection; it goes into effect on Jan. 1, 2020, with enforcement delayed until July. Under the CCPA, California residents will have specific rights in regards to their personal information; the protections must be observed by any organization doing business from within or outside of the state if they meet certain criteria. With growing concern about other states passing similar privacy laws, resulting in a complex patchwork of regulations and customer rights, some see a federal privacy law not far over the horizon.
Get ready, advised Dearman: “Organizations that have had to comply with GDPR are better positioned for CCPA because of the similar requirements. It will be a heavy lift for those that do not already have a privacy function in place.”
Stakeholders across the entire organization — including business development, HR and customer service — should expect to be involved. A new product or service must be developed with the privacy framework in mind.
Cyber Risk Services
A privacy program must now be holistic
A holistic data privacy program is a plan for incorporating current and incoming changes into actionable and operationalized business processes. But why must it be holistic? Why not respond to new privacy laws as business opportunities allow on a case-by-case basis?
The reason is that at the pace regulations are developing, an ad hoc approach results in a slow response, exposing the organization to the risk of noncompliance. As always, damages from data privacy violations can be severe financially and reputationally; with the breadth of CCPA, GDPR and anticipated new regulations, the impacts could be staggering. Ad hoc responses are also more resource intensive and expensive than a holistic data privacy program; once a holistic program is in place, there is no need to reinvent the wheel with each new regulation or amendment.
The compliance mind-set itself must also be holistic. “Privacy compliance is now much more than a legal or IT project,” Dearman said. “Stakeholders across the entire organization — including business development, HR and customer service — should expect to be involved. A new product or service must be developed with the privacy framework in mind rather than waiting until it’s done and asking the privacy officer to rubber-stamp it.”
Assess, build, automate and monitor the privacy program
A representative privacy committee or task force can be the key to coordinating enterprise-wide knowledge. The designated body must oversee the four action steps to create and maintain the privacy program.
To help establish appropriate baseline policies and infrastructure, and avoid a scramble as individual regulations become relevant, begin by assessing the organization’s collected data to understand scope and applicability. This initial assessment provides business benefits, as well; the organization gains a better understanding of the kind of data being collected, how that data is used and protected, what data is accessible to third parties, which processes present higher risks, and how business process and activity information are linked to pertinent system and vendor information.
The data inventory is the foundation for other privacy program activities. Organizations should prioritize data inventory activities, starting with structured data, and follow up by reviewing and flagging unstructured data for retention or deletion.
In building a privacy program, focusing on three key areas can drive action and reduce exposure:
Individual rights management
Management of individual data privacy rights is core to both CCPA and GDPR, including the right to access data an organization holds about individuals and the right to have certain data deleted. Organizations must be prepared to receive, triage and respond to inquiries and complaints. Regulations set a time period for response to requests, in some cases with penalties for not responding in a timely manner.
Consent and preference tracking
Customers want to know their preferences are being honored; if they feel this is not done, they are likely to escalate issues. Being positioned to capture consent and track preference requests helps to reduce the likelihood of issues being escalated and builds customer trust.
Breach liability reduction
Reducing exposure can be done through tactical measures such as encryption and de-identifying data. Data should be maintained only for its purpose, despite the availability of inexpensive storage, and in line with any applicable data retention requirements, which can vary for the same data by country, locality and industry.
Like GDPR, CCPA will not be just a “one-time exercise.” Automating helps to sustain the program overtime in a more efficient way. Automation can help streamline a wide range of privacy management tasks, including:
- Individual rights
- Consent and preferences
- Breach liability and incidents
- Data retention and disposal
- Data inventories and mapping
- Third-party access
Monitoring compliance is an ongoing activity that is necessary if companies plan on sustaining privacy programs long term. Three key attributes of a strong monitoring program include:
Analyze key performance indicators regularly to identify gaps in the data inventory, open or overdue requests, timing of responses to requests, and status of other privacy initiatives
Reviewing the program annually to confirm all policies and procedures are up to date, data inventories are accurate and training of employees is current
Ensuring an annual internal or external independent audit is conducted to inspect controls and verify compliance with pertinent regulations
Incorporating these four steps into a holistic privacy program will help ensure that the program addresses escalating data privacy regulations and helps build customer trust in your organization through demonstration of care for their privacy.
Managing Director, Cyber Risk Services; Data Privacy
Member, Information Technology Industry Privacy Committee
+1 416 318 2240
Principal, Cyber Risk Services, National Privacy Leader
+1 312 602 8940