How to Survive the Coming Data Privacy Tsunami
Just as we have gotten used to the idea that the EU’s General Data Protection Regulation (GDPR) is a fact of life and have made modifications to our data collection procedures, the Brazil General Data Protection Law (LGPD), the California Consumer Privacy Act (CCPA), and waves of proposed new data privacy laws are swirling in the calm preceding a privacy tsunami heading our way. All these privacy regulations share a number of commonalities, and by addressing them now, you will be on high ground as the waves begin to pound.
The compliance life raft
1. Accountability and governance
At the heart of data privacy requirements is the aim to have organizations develop a plan to manage their own data in a way that respects end users. To address accountability and governance requirements in your organization:
- Review the applicability and risk to the organization from data privacy issues, and consider alternatives, including insurance, in case you are fined
- Mandate that data privacy become part of the policy program, including staff training, measurement, and compliance reporting
- Clearly document roles, responsibilities, and reporting lines to embed privacy compliance in your standard procedures
2. Consent and processing
A fundamental privacy regulation concept is that end users are aware when and why their data is collected and what happens to it once it’s given. To address these requirements:
- Review that the data being collected and used is necessary and for the benefit of completing a desired action by the user
- Identify sensitive data and ensure it is treated as such through the use of special encryption or by validating vendor storage practices for sensitive data
- Confirm that user consent for data collection is clearly captured and documented and that user data can be modified or erased
3. Notification and data rights
Gone are the days of legalese or simply taking data from users because we can. Data privacy regulations require transparency, user awareness, and forthright behavior by businesses.
- Write user notices clearly so they can be easily understood—properly targeted to children where relevant—and are reflective of specific data collection and usage purposes
- Create and test processes to correct and delete all user data if needed
- Develop a solution to give users their data in a portable electronic format
4. Privacy design
Organizations that treat privacy as a core design principle will always be in alignment with data privacy regulations. In my consulting experience, I see many self-disciplined organizations that have historically had good privacy practices and have little to address with each new law. To get to that state:
- Create or update practices to embed privacy into all technology and digital projects, including those outsourced to vendors and partners
5. Data breach notification
For many organizations, the question nowadays isn’t whether the organization will have a breach but rather when it will happen and how it will respond. To address regulatory breach aspects:
- Create (or review and update an existing) data breach policy and response plan to reflect detection, notification, and actions to mitigate loss
- Consider and obtain insurance for a possible data breach and regulatory penalties that the organization may face but not be able to handle on its own
- Incorporate data breach terms and requirements into all vendor and third-party contracts
6. Data localization
New data privacy regulations state where data must be physically stored, and if transferred to another country, what the requirements are for doing so. Your organization will be well positioned to meet this requirement if it can answer:
- Have we identified and documented all cross-border data flows out of the country where the data is collected, and reviewed data export practices for both on-premise and cloud solutions?
7. Children’s online privacy considerations
Data privacy regulations are concerned with end users and are even more strict about children and their online data protection and rights. It is best to get ahead of these issues by:
- Defining what data the organization collects from children, whether as a business practice or through efforts like “take your child to work day”
- Ensuring user notifications and online privacy statements are written in a way that a child could understand them and stating that parental consent is required where necessary
8. Contracting and procurement
Many businesses struggle to understand exactly what personal user data is collected via websites, mobile applications, and other digital platforms, especially through third-party software solutions and vendors. To address this issue:
- Review and ensure that all vendors, customers, and third-party agreements reflect data regulatory requirements
- Define procurement processes such that privacy is integrated into all products and services the organization buys, including data minimization, visibility of onward data flows, and data ownership
The bottom line
After years of collecting as much data as we could, we are starting to realize that all of that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they’re asking more questions about how it’s used and who has access to it. Governments, too, are starting to pay attention. Make sure that you get ahead of the coming data privacy regulatory waves before it becomes an unmanageable problem.
Kristina Podnar is a digital policy innovator. For over two decades, she has worked with some of the most high-profile companies in the world and has helped them see policies as opportunities to free the organization from uncertainty, risk, and internal chaos. Podnar’s approach brings in marketing, human resources, IT, legal, compliance, security, and procurement to create digital policies and practices that comply with regulations, unlock opportunity, strengthen the brand, and liberate employees.