Imagine you’ve been tasked with riding a unicycle across a tightrope. It sounds difficult, right?
But guess what. You have to do it while juggling three tennis balls and balancing a stack of plates on your head.
It’s hard to imagine keeping the balls, the plates, and yourself from plummeting to the ground in short order (unless you’ve just left the circus for your current job).
Data privacy laws can drum up the same feelings in many people. Trying to keep up with changing legislation and the evolving expectations of customers often feels like a juggling act.
We want to help you navigate this challenging landscape. If you’ve already fallen, we can be your safety net. When you follow the strategies we’ll outline here, you’ll make it safely across the wire.
The Current Data Privacy Landscape
What do the following companies have in common?
- Carnival Cruise Lines
- General Electric
- Marriott International
All three reported data breaches in March 2020: three large brands breached in a single month.
2019 saw a total of over 7,000 data breaches, exposing over 15 billion records.
It’s no wonder data privacy is on more minds than ever. The number of data breaches continues to rise, despite all of the new laws and regulations put into place. And it’s no mystery why governments are taking notice.
Laws such as GDPR and CCPA have been enacted, requiring companies to take data privacy seriously. These laws have teeth, with GDPR handing out over 200 fines for a cumulative $165 million in 2019.
The U.S. Federal Trade Commission has slapped Facebook with a $5 billion fine. Equifax had to fork over $575 million for their privacy misdeeds.
In the United States, up to 15 states have pushed through some sort of data privacy regulation. More are on the way.
The shifting sand of the data privacy landscape makes it difficult for companies to keep up. Always playing catch-up with the latest laws will only lead to frustration and a host of sleepless nights.
So how can companies comply with all of the data privacy regulations in an increasingly complex legislative environment?
A car’s shock absorbers help to keep the car stable over uneven surfaces. Similarly, you should aim to build your data privacy strategy so it can absorb new and changing regulations as they occur.
Let’s discuss the critical pieces of such a strategy.
How should a company comply with numerous new laws that are not finalized until a few months before their effective date?
A regulation-driven approach – a reactive method to address a dynamic set of regulations – cannot work. It leaves the company always behind on the compliance timeline, always struggling with contradicting requirements of different regulations and always shifting remediation priorities.
Therefore, companies need to be proactive by adopting a maturity-driven approach to data privacy that makes individual-focused practices the end goal.
Despite the many differences among regulatory requirements and varying focuses of the privacy regulations, they all entail certain mandatory, prerequisite steps:
- Drafting and maintaining a record of processing activities
- Defining a governance structure with assigned ownerships of major workstreams, and
- Designing the mechanism customers can use to request their data, instead of focusing on privacy policies and contractual clauses.
Laying the foundation in advance puts companies in a better position to adapt once legislation is finalized.
Involve the Business
One easy way to prepare for all possible regulations is to comply with the most stringent terms in each area. This is a good overall strategy, but when compliance efforts significantly impact business operations locally, the business should be involved in making risk-informed decisions.
For example, while GDPR requires active opt-in before contacting consumers, CCPA only requires companies to allow individuals to opt out of the sale of their personal information. In the U.S., aligning with the GDPR requirement could come at a heavy cost to the consumer base and potentially have a tremendous impact on marketing outreach.
In that case, the company can work with the business to follow a tactical approach. For example, in the case of mass communication, EU residents should only be contacted if appropriate consent has been collected, while U.S. residents may still be contacted as long as an opt-out mechanism is provided.
Build a Roadmap
The road to compliance is long; it would be unrealistic to attempt 100% compliance right off the bat. As a matter of fact, many EU companies are still in the implementation phase of the new controls prescribed by GDPR, more than a year after it came into effect.
Instead, companies should start by evaluating areas of risk and project dependencies to develop a remediation roadmap that balances the company’s business needs and readiness posture.
Companies should be cognizant of their ability to deliver and address the most sensitive processing activities first (e.g., based on the volume and sensitivity of the personal data implicated).
Additionally, companies may consider tackling first the most visible aspects of their privacy program (e.g., consumer-facing policies, data subject request submission mechanisms).
In the event of a regulatory examination or an audit during legal proceedings, a risk-based approach and a clearly devised plan demonstrate the company’s commitment to privacy and its consumer-centric mindset.
Follow a Maturity-Driven Approach
As there are many uncertainties regarding the pending regulations, companies should focus on their similarities and common grounds. By aligning themselves with the regulations’ shared end-goal – protect personal data, and give individuals control over their data – companies are naturally on the right track for compliance.
Companies should start by identifying and implementing the main workstreams required by the existing regulations, such as the processing of data subject requests and the management of personal data breaches. Improving a company’s privacy posture is more akin to a marathon than a sprint, with compliance with various regulations as critical checkpoints, not the end goal.
Since the numerous regulations in the United States provide too many textual references for companies to follow, companies can turn to industry best practices as operational guides to take concrete steps towards improving their privacy maturity.
Learn How To Make Data Privacy a Core Business Function
Data privacy is no longer a second-class citizen.
Businesses today need to make data privacy a core business concern. Assign roles to ensure it’s handled properly. Prepare now for the coming wave of regulations.
We’d love to help you navigate the shifting sands of privacy legislation. Sign up for our webinar, “Data Privacy: The Changing Regulatory Landscape & Customer Expectations,” to learn how you can prepare your business for data privacy regulations.
You’ll also be able to ask us and our friends at XPAN Law Group specific questions about how your business will have to adapt to ensure data privacy is a first-class business function.
Don’t wait until regulations change and companies are slapped with fines. The companies that’ll thrive in the coming years are those that take consumer privacy seriously and take the lead in guaranteeing consumer rights.