How to Survive the Coming Data Privacy Tsunami
Prepare for new data privacy regulations by fortifying these eight focus areas.
- By Kristina Podnar
- June 17, 2019
Just as we became used to the idea that the EU's General Data Protection Regulation (GDPR) is a fact of life and made modifications to our data collection procedures, the Brazil General Data Protection Law (LGPD), the California Consumer Privacy Act (CCPA), and waves of other proposed new data privacy laws are forecasting a privacy tsunami heading our way. With so many acronyms swirling around, you could easily be overwhelmed.
However, although you will need to pay attention to the details of individual data regulations as they arise, all the privacy regulations share a number of commonalities. By addressing these eight areas now, you will be safely on high ground when the waves begin to pound.
Accountability and Governance
Data privacy requirements are intended to motivate organizations to self-manage their data in a way that respects end users. To address accountability and governance requirements in your organization:
- Review the risk to your organization from data privacy issues, and consider alternatives, including insurance, in case you are fined
- Mandate that data privacy become part of the policy program, including staff training, measurement, and compliance reporting
- Clearly document roles, responsibilities, and reporting lines to embed privacy compliance
Consent and Processing
A fundamental requirement under most privacy regulations is that end users must be aware when, how, and why their data is collected -- as well as what happens to it after collection. To address this, your enterprise should:
- Review that the data being collected and used is necessary and for a specific purpose, such as completing a user's desired action
- Identify sensitive data and ensure it is treated as such through the use of special encryption or by validating vendor storage practices for sensitive data
- Confirm that you clearly capture and document user consent for data collection
- Confirm that you can modify or erase user data when needed
Notifications and Data Rights
Gone are the days of legalese or simply taking data from users because we can. Data privacy regulations require transparency, user awareness, and forthright behavior. Your organization should:
- Write user notices clearly so they can be easily understood—properly targeted to children where relevant—and reflect your specific data collection and use practices
- Create and test processes to correct and delete all user data if needed
- Develop a solution to give users their data in a portable electronic format
Privacy by Design
Organizations that treat privacy as a core design principle will always be in alignment with data privacy regulations. In my consulting experience, I see many self-disciplined organizations that have historically had good privacy practices and have little to address with each new law. To strengthen your privacy design:
- Create or update the policy and associated processes to embed privacy into all technology and digital projects
- Don't forget to embed privacy into projects outsourced to vendors and partners
Data Breach Notification
For many organizations, the question nowadays isn't whether your organization will have a breach, but rather when will it happen and how will you respond. To address this reality, your organization must:
- Create (or review and update as needed) a data breach policy and response plan to reflect detection, notification, and actions to mitigate loss
- Consider obtaining insurance for a possible data breach to cover regulatory penalties that your organization may face but not be able to handle on its own
- Incorporate data breach terms and requirements into all vendor and third-party contracts
Cross-Border Data Transfers
New data privacy regulations state where data must be physically stored and the requirements for transferring it to another country. To handle this:
- Identify and update all cross-border data flows from the country where the data is collected
- Review data export procedures for both on-premises and cloud solutions
Children's Online Privacy Considerations
Data privacy regulations are concerned with all end users, but the rules are even stricter about children and their online data protection and rights. To get ahead of these issues, your enterprise should:
- Define what data you collect from children, whether as a business practice or through efforts such as "take your child to work day"
- Ensure your user notifications and online privacy statements are written so that a child could understand and clearly state whether parental consent is required to accept
Contracting and Procurement
Many businesses struggle to understand exactly what personal user data is collected via websites, mobile applications, and other digital platforms, especially through third-party software solutions and vendors. To make sure that your organization isn't caught out, you should:
- Ensure that all vendor, customer, and third-party agreements reflect current data regulatory requirements
- Define procurement processes such that privacy is integrated into all products and services the organization buys
- Pay special attention to vendor policies on data minimization, the visibility of data flows, and data ownership
The Bottom Line
After years of collecting as much data as we could, we are starting to realize that all that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they're asking more questions about how it's used and who has access to it. Governments across the world are also starting to pay more attention.
Make sure that you get ahead of the coming waves of data privacy regulation today, or your organization risks drowning when they hit.