This two-part series takes a detailed look at what’s ahead this year in data privacy, including trends around the world and what next steps should be taken to stay ahead of the ever-changing privacy landscape. Yesterday, we looked at global trends in data privacy legislation.
Transparency and trust are no longer just nice-to-have in business
As data compromises shook consumer and business confidence, 2019 was a tipping point where the world’s laser focus on cybersecurity began to converge with a growing emphasis on data privacy.
Companies have started to recognize that GDPR and CCPA are more than a “check the box” for auditors and regulators. Instead, we are seeing a shift in culture where organizations are leveraging these stringent regulations as an opportunity to gain competitive advantage in providing consumers control over their data and building consumer trust – aligning to a strategic imperative in a time when global cybercrime is at its highest. This is also a smart business strategy as trust takes years to build but only an instant to destroy.
There is a compliance opportunity to be tapped by addressing data protection through a reevaluation of a company’s data privacy culture and strengthening overall operating model and strategy. Fostering a data privacy culture requires driving company-wide awareness, educating employees that handle consumer data and actively engaging executive leadership. This also requires companies to acknowledge there is a need to continuously revive and evolve data privacy culture within a rapidly changing digital ecosystem.
Instilling a data privacy culture can only happen through top-down leadership support. This will require creating and maintaining the right “tone at the top” and investing in an enterprise-wide data privacy program awareness. Organizations should avoid viewing privacy regulations as simply an exercise for regulators and auditors. Instead, by changing day-to-day behaviors and driving a cultural change, leaders in the organization can set an example and motivate employees across the organization to play a key role in data privacy. This creates a culture where every employee has a responsibility to manage data privacy risks, resulting in compliance with laws, regulations and data privacy policies.
All employees that handle personal data or have access to data should be, at a minimum, trained annually on maintaining privacy hygiene. At the very core, any organization that handles personal data has a high probability of experiencing a data breach.
Engaging Executive Leadership
As expectations for how personal information should be protected increase, elevating the role of privacy leaders and their proactive cross-functional engagement becomes imperative. In the post-GDPR era, many organizations have elevated privacy to the C-level and many have appointed a Chief Privacy Officer (CPO). The CPO must be knowledgeable about privacy laws and the scope of data security, with the ability to instill a data privacy culture, among other C-level skills.
Consumers are exercising their data protection rights
At the core of any data privacy regulation — be it the GDPR, CCPA or those awaiting approvals in the legislative line — is the right of individuals to know and access their personal data. This is one of the most important principles of any data protection law.
Since the advent of the GDPR, this has also been one of the most debated questions at the executive leadership level – to what extent will consumers exercise their rights under the regulation, what information should we provide and are we prepared to facilitate those rights. Obviously, from the organization’s perspective it is also a matter of cost, scale and resources in preparing and implementing solutions to fulfill obligations to consumers. Solutions involve keeping a thorough inventory of all personal data processing activities that collect, use, store or transfer personal information. This allows companies to understand where personal information is located in order to fulfill consumer rights requests. In addition to the data inventory, there will be a need to develop workflows and online forms to guide requests through the various stages of the consumer rights process. Depending on the scale and complexity of the organization, this process can be either manual or automated. There are a number of tools in the market to consider when it comes to building a data inventory and supporting workflows. However, tools alone do not solve the fulfillment of consumer rights. There need to be appropriate technical and organizational measures in place, which take proper planning, time and investment.
In a survey conducted by the ICO shortly after the GDPR enactment, a whopping 82% of EU consumers indicated they would take advantage of their rights, including the right to know what personal data organizations have about them, to see those data, to restrict processing under the conditions the GDPR foresees and/or to erase data, a.k.a. the right to erasure.
Most organizations that operate globally at scale and have organically grown their technology footprint are not able to know and trace where their data resides, let alone where the sensitive data resides. The GDPR and other emerging regulations are providing an opportunity to streamline the company’s data processing and sharing habits. A methodical approach that is the right fit for the scale of the operation is necessary to solve data subject access rights.
A few best practices to consider are:
- Compliance at the point of collection. Quite often overlooked, most regulations will require disclosure of the legal purpose of data collected before the collection begins and will seek explicit permission to process, along with the rights consumers have over their data.
- Maintaining data process flow diagrams. Knowing where the data is and maintaining process flow diagrams across the data lineage is key to building the workflow required for effectively responding to consumer requests. Complex workflows can then be further analyzed for possible automation.
- Validating the user. Before responding to consumer requests, it is required by law in some instances, or is best practice, to adequately prove the identity of the user requesting the information.
- Tracking and auditability. Keeping a good log of requests and response times across key junctures of the workflow will be necessary to evaluate the overall effectiveness of the process, to provide an audit record for regulators and to ensure adherence to the response times stipulated by law.
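To make the four practices above concrete, here is an added example (not code from the original article or any vendor tool) of a minimal data subject access request tracker: a constructed data inventory that records the purpose disclosed at the point of collection, a lookup of which systems hold data about the requester, an identity-verification gate that must pass before anything is disclosed, and an audit log with a statutory deadline. The inventory, system records, email addresses, tokens and the 30-day response window are all assumptions made for the illustration (the window is modelled on the GDPR’s one-month baseline, which the law allows to be extended).

```python
"""Added example: a minimal data subject access request (DSAR) tracker.
All inventory data, subjects, tokens and the response window are constructed
assumptions for illustration, not values from the article."""
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed data inventory (assumption): which systems hold which categories
# of personal data, and the purpose disclosed at the point of collection.
DATA_INVENTORY = {
    "crm": {"categories": {"name", "email"}, "purpose": "account management"},
    "billing": {"categories": {"name", "card_last4"}, "purpose": "payment processing"},
    "analytics": {"categories": {"device_id"}, "purpose": "product analytics"},
}

# Constructed index (assumption) of which subjects each system holds data on.
# In practice this comes from the data flow diagrams / lineage tooling.
SYSTEM_RECORDS = {
    "crm": {"alice@example.com", "bob@example.com"},
    "billing": {"alice@example.com"},
    "analytics": {"bob@example.com"},
}


@dataclass
class AccessRequest:
    request_id: str
    subject_email: str
    received: date
    response_window_days: int = 30  # assumption: modelled on the GDPR one-month baseline
    identity_verified: bool = False
    events: list = field(default_factory=list)  # audit trail: (date, what happened)

    @property
    def due(self) -> date:
        return self.received + timedelta(days=self.response_window_days)

    def log(self, day: date, what: str) -> None:
        self.events.append((day, what))


def open_request(request_id: str, subject_email: str, received_iso: str,
                 response_window_days: int = 30) -> AccessRequest:
    """Register a new request; dates are passed as ISO strings for convenience."""
    return AccessRequest(request_id, subject_email, date.fromisoformat(received_iso),
                         response_window_days)


def verify_identity(req: AccessRequest, presented_token: str,
                    expected_token: str, day_iso: str) -> bool:
    """Identity gate: compare the token the requester presents with the one sent
    out of band to the contact on file. Constant-time compare; outcome is logged."""
    ok = hmac.compare_digest(presented_token.encode(), expected_token.encode())
    req.identity_verified = req.identity_verified or ok
    req.log(date.fromisoformat(day_iso),
            "identity verified" if ok else "identity verification failed")
    return ok


def fulfil(req: AccessRequest, day_iso: str) -> dict:
    """Locate the subject's data across the inventory. Refuses (and logs the
    refusal) unless identity has been verified first."""
    day = date.fromisoformat(day_iso)
    if not req.identity_verified:
        req.log(day, "disclosure refused: identity not verified")
        raise PermissionError("identity must be verified before disclosure")
    held = {
        system: {"categories": sorted(DATA_INVENTORY[system]["categories"]),
                 "purpose": DATA_INVENTORY[system]["purpose"]}
        for system, subjects in SYSTEM_RECORDS.items()
        if req.subject_email in subjects
    }
    req.log(day, f"disclosed data held in {sorted(held)}")
    return held


def days_remaining(req: AccessRequest, today_iso: str) -> int:
    return (req.due - date.fromisoformat(today_iso)).days


def is_overdue(req: AccessRequest, today_iso: str) -> bool:
    return date.fromisoformat(today_iso) > req.due


def audit_report(req: AccessRequest) -> list:
    """Flat, human-readable record for regulators and process review."""
    lines = [f"{req.request_id} received {req.received} due {req.due} "
             f"verified={req.identity_verified}"]
    lines += [f"  {day}: {what}" for day, what in req.events]
    return lines


if __name__ == "__main__":
    req = open_request("REQ-2020-001", "alice@example.com", "2020-01-10")
    verify_identity(req, "tok-7f3a", "tok-7f3a", "2020-01-12")
    print(fulfil(req, "2020-01-13"))
    print("\n".join(audit_report(req)))
```

The point worth noting is the ordering: the lookup of where a person's data lives is a capability you build once from the inventory, but it is only ever exercised behind the identity gate, and every decision on the way, including refusals, lands in the same log that is used to check the deadline.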
Data privacy breach law trends that should be on everyone’s radar
As the regulatory landscape continues to evolve, the big takeaway for 2020 is that being proactive and having a corporate data privacy strategy is important to mitigate data privacy breaches, for the reasons stated below.
In the first half of 2019, thirteen states amended their breach notification laws, leading to tighter restrictions and shorter timeframes for incident response. In most studies and surveys conducted in 2019 by Ponemon, IBM Data Privacy and the ICO, the common theme has been that feel confident in their ability to comply with evolving privacy laws.
Beyond ever-evolving data breach laws and data privacy regulations, we expect a continued expansion of the definition of what constitutes “personal information.” As the digital world continues to make its way into our personal and business lives, organizations will need to stay sharp and on top of what makes up sensitive personal information collected through AI, biometrics, RPA, digital devices and big data analytics, and how it fits into compliance across a multitude of regulations.
In closing, data privacy in 2020 and beyond will continue to expand, and the growing scope of requirements will add to the momentum of privacy law evolution globally and domestically. Organizations should prepare to scale and operationalize for these changes through a well-thought-through data privacy strategy and capability.