The impact of data privacy concerns reaches beyond regulatory compliance. We’ve recently seen earnings decline among companies like Facebook and Twitter due, in part, to privacy issues. As data privacy becomes a consumer expectation and new regulations reinforce privacy obligations, organizations will no longer be able to delay addressing data privacy. The General Data Protection Regulation (GDPR) has made a big splash and significantly changed the narrative around data privacy, however it’s not the only regulation organizations need to be monitoring.
California Consumer Privacy Act of 2018
The recently passed California Consumer Privacy Act of 2018 (CCPA) is a great example of how quickly the regulatory landscape is changing in the United States. The bill, which becomes effective January 1, 2020, is the strictest data privacy law in the United States. It was drafted and passed expediently, catching many businesses by surprise. This regulation extends rights such as transparency of data collection and processing, the right to be forgotten, requirements for privacy notices and opt-out, and right to equal service.
Consumers are becoming savvier about how their data is used by the companies they do business with. Each time a new regulation is passed, a breach is announced, or a privacy scandal hits the news consumers question what their trusted brands are doing with the data they have shared.
A Strategic Approach to Privacy
This is the perfect time for organizations to focus on data privacy beyond compliance. If we think about data privacy as a customer experience issue, rather than a compliance issue, we can harness the opportunity to foster consumer trust and create a competitive advantage. Moreover, think about how your brand affects the reputation of the brands with which you partner. As your brand garners more and more consumer trust, it has a ripple effect on the brands that are associated with your brand. The reverse is also true. One consideration of a formal privacy program is management of the privacy issues and risk within your supply chain.
Taking a strategic approach to data privacy goes beyond technology and applications. It touches on aspects of your whole organization. Personal data could be anywhere and everywhere: Customer Service, Marketing, Supply Chain, Human Resources, Accounting, Legal, Information Security, etc. So where do you start?
Establish a governance model.
Ensure accountability for data governance and data privacy obligations by establishing a Privacy Officer and developing an operating model to support the data privacy program. The Privacy Officer should have relevant training and qualifications to oversee the privacy program and ensure data protection/privacy obligations are met by the organization. The reporting structure should be at a high enough level that the privacy program receives sufficient support from executive leadership.Depending on the size and complexity of your organization, consider embedding Privacy Champions throughout the organization. Privacy Champions should be trained in privacy concepts relevant to their role and in frequent contact with the Privacy Office. They can act as the first line of contact for privacy inquiries and questions for their department.
Define and classify data.
Ensure that the definition of personally identifiable information (PII) includes appropriate elements. If definitions are incomplete or inaccurate, your organization may have trouble identifying personal data. Many regulations have expanded the definition of PII beyond what businesses have become accustomed to (HIPAA and PCI definitions). For example, GDPR includes IP addresses, cookie strings, phone number, and location data in the definition of PII. Also consider the combinations of data that could indirectly identify the individual subject of that data. For example: combination of race, gender, date of birth, zip code, or other descriptors.
Understand your data flows.
Understanding how your organization uses, stores, and shares PII will inform the broader data privacy program and assist you with identifying where privacy must be built into business processes. It will also be the basis for creating privacy notices, establishing consent for processing, and many more aspects of your privacy program. You can use many methods to identify data repositories, data flows, and processing activities for PII, such as:
- Leveraging and building upon existing data flow documentation established for other initiatives such as PCI or HIPAA compliance.
- Conducting workshops with business owners to draft data flow diagrams.
- Utilizing data loss prevention technologies and data discovery technologies you already have.
Once you have conquered the three foundational steps, you can begin to build your privacy program. It can be a complex journey and may take several months or years to mature. When your privacy program is operating maturely, your organization will be well positioned to confidently respond to consumer, vendor, and regulatory inquiries.