Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2020 eBook.
The words “hodgepodge” and “patchwork” are overused in the world of risk and compliance, but they’re certainly appropriate for describing the myriad data privacy regulations popping up around the world.
In 2018, the world of data privacy was shaken by the enforcement of the EU’s General Data Protection Regulation (GDPR). In 2019, a subset of the world braced itself again for the California Consumer Privacy Act (CCPA). Together, these two regulations fueled most of the headlines for companies and consumers alike, and for good reason. They are expansive and prescriptive. However, the reality is they comprise only a small fraction of global data privacy legislation.
As we enter the early 2020s, there will be more than 100 countries with data privacy legislation in place. Along with the international sprawl of privacy law, in the United States there are a number of similar-but-different state laws in the offing. All of this means that organizations managing data and operating across borders must be exceedingly vigilant in how they navigate the wide array of data privacy regulations.
In Data Privacy Law, Change Is the Only Constant
In 2020, “change” will define our existence as organizations operating in a world of heightened appreciation for an individual’s personally identifiable information (PII).
While more than 100 countries currently have data privacy legislation in place, that also means more than 40% of countries do not, though most likely will soon. In the United States, no federal standard is likely to emerge in the near future, meaning individual state-level laws will continue to proliferate. Outside of new laws, the application of existing data privacy law will continue to evolve with each enforcement action. For instance, an early 2019 enforcement action against Google taught us that transparency and specificity are required to obtain “informed consent” from consumers. This forced companies to take a look at how their own privacy statements and policies meet standards.
While GDPR compliance is a continuous journey that isn’t ending anytime soon, the most significant changes we will see will likely come from ripple effects from the recently launched CCPA. Under CCPA, California consumers may request:
- What personal information is being collected and why
- For personal information to be deleted
- To obtain information about onward disclosures and the “selling” of their personal information
- The categories of third parties with whom their data is shared, or from whom it was acquired
In many ways CCPA is more of the same from GDPR, with additional specificity around the methods provided to consumers for requesting their data. Here organizations in scope will need to provide consumers with “at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” We can expect to see echoed requirements at the state and global level over the next couple of years and beyond.
This state of constant change will create an environment where organizations will have to continually define and refine not only their data privacy processes and procedures, but also the organizational structures that process data, the skillsets of the individuals who manage data, and the relationship the company has with PII.
Steps for an Organization to Take
In short, effective data privacy will not come from a policy or procedure change, but a lifestyle change. Cavalier data management no longer holds water. Organizations are expected to live and breathe “privacy by design.”
Find & Develop Your Data Privacy People
With GDPR, hiring a data privacy officer was a key initiative for many organizations. Today, just two years later, DPOs are often assumed. Data privacy now needs to be embedded deeply and uniquely across the organization. This starts with the DPO integrating themselves into each data processing activity within the organization. Each team should have a privacy representative or champion who can effectively speak to the team’s data practices, usage and retention. These relationships are key; a DPO can tell you what the privacy requirements are, but they will need functional experts to help translate and apply the law across different use cases.
I expect we will also see a growing trend of data privacy titles being hired in departments like engineering, marketing and customer services. Privacy by design is best when those designing the programs and practices are not only functional experts but also data experts. Whether formally or informally, the data ambassadors you’ve identified throughout the organization and those specifically hired for privacy should come together to create a privacy committee. This committee should meet regularly, discuss internal and external evolutions, and be change agents who embed better data privacy across the organization.
Master the Full Life Cycle of PII
The real work in this new age of privacy law comes in the processing and fulfilling of data subject access requests. This challenge is going to be a continual hurdle for companies as we venture deeper into the era of heightened data privacy requirements. For this we need to become masters of the full life cycle of the PII our organizations touch.
Data mapping is key here and requires you to understand what data types you collect, where you store them, who processes them, where the access points are, and what your data retention practices are. Data handling practices should then be formalized throughout the organization by codifying data privacy best practices through updated privacy policies and data privacy compliance training designed to educate the critical personnel who collect, manage or process data within the organization.
With your extended data privacy team developed and the full life cycle of PII properly managed, delivery on effective data privacy will become second nature for your organization.