Privacy leaders are feeling the pressure to build impactful and wide-reaching programs for complying with data privacy laws around the world, but creating a program that maximizes influence can be challenging. By taking the process one step at a time, companies can be empowered to build a privacy program that drives institutional change in their organization.
Changes in Privacy Law Around the World
Privacy laws are quickly evolving around the world. Companies doing business in the United States, Europe, and China should be familiar with the new and changing privacy laws in those jurisdictions and structure their privacy programs to comply with these laws as soon as they go into effect or are updated.
California’s current privacy law, the California Consumer Privacy Act (CCPA), will soon be replaced with new legislation, the California Privacy Rights Act (CPRA). With the creation of an entirely new privacy agency, companies’ compliance with California privacy laws will be under more scrutiny than before. During the new privacy protection agency’s recent public meeting, it was announced that they will not be able to meet their deadline of July 1, 2022 to finalize CPRA privacy regulations, so businesses will have less time than they had anticipated to make sure their practices are in compliance with the CPRA before it goes into effect on January 1, 2023.
Virginia & Colorado also have new privacy laws going into effect in 2023. Both the Consumer Data Protection Act (CDPA) of Virginia and the Colorado Privacy Act (CPA) allow consumers to opt out of sales and targeted ads. Colorado has more enforcers and will require universal opt-out in 2024. Both states’ laws provide consumers with the right to appeal a business’s denial to take action within a reasonable time period.
Following Brexit, there are many changes to privacy law within the European Union & United Kingdom. The General Data Protection Regulation (GDPR) is a privacy law targeted at organizations that collect data from people in the European Union. It went into effect on May 25, 2018 and carries penalties that can reach into the tens of millions of euros. The EU and the UK both have new standard contractual clauses (SCCs) ensuring appropriate data protection safeguards, which can be used as a ground for data transfers from the EU to third countries.
China passed its own privacy law, the Personal Information Protection Law (PIPL), which went into effect on November 1, 2021. Although we are awaiting some promised regulations, it includes new terminology and legal mechanisms for overseas transfers. Companies doing business in China and marketing to Chinese nationals must comply with the PIPL, and large companies have additional obligations.
What Does Data Privacy Mean Today?
Data privacy is a sprawling societal challenge that is wide-reaching and multi-faceted, and it takes a team to manage. In addition to being a challenge for legal compliance, especially considering the fragmentation and complexity in laws and regulations around the world, it’s also an evolving area of data ethics. Privacy involves the theoretical struggle between transparency and control, and touches on product design and user interfaces. Privacy is not only about laws. It means a lot of different things to different people: socioeconomic challenges, evolving laws and regulations, engineering principles, compliance obligations, data science and ethics, security arms race, and brand differentiation.
To be successful, a privacy program needs to be cross-functional. It requires the support of champions across the entire organization to make it function. A privacy program can not function well if the program’s aspirational objectives are not supported from the top down. Executive leaders must lead their company’s privacy program.
The foundation of any privacy program is for its managers to know what data they have, why they have it, where it is, how it is shared, and to communicate this back to their users. The responsibilities of a privacy manager are many, but they are manageable with a smart system. Privacy managers should employ these five basic concepts to be able to respond to emergent challenges:
- Detect. Find unknown systems containing personal data in the organization.
- Map. Maintain an up to date map of where all personal data lives, and how it is used within the organization.
- Operationalize. Automate privacy workflows, data subject requests (DSRs), and consent. Data managers should place their people and processes strategically in order to enable adaptation.
- Comply. Monitor risk, create audit trails, and report on progress.
- Communicate. Create a positive privacy experience for data subjects. Make it easy for them to submit requests through forms. Continue to build a trusted relationship through accessible privacy policies.
“If you tie these five basic concepts together, you will be a lot more nimble and agile in responding to all these different emergent challenges.”
-Alex Krylov, Senior Privacy Advocate, DataGrail
California’s privacy law has led the way and cleared a path for more privacy laws in the United States. The total volume of data subject requests in California nearly doubled from the year 2020 to 2021. Not surprisingly, the cost of privacy regulations for businesses also doubled in that time period. Consumers are proactively exercising their rights to privacy and taking steps to reduce their online footprints. The goal of a healthy privacy program is to be agile in responding to the challenges of evolving privacy laws.
How to Start a Privacy Program
Businesses who are starting a privacy program should become familiar with the privacy laws of the jurisdictions in which they do business, consider the specific needs of the company based on their business operations, and examine the company’s legal obligations to data privacy. A robust privacy program requires enough structure to meet the requirements of the relevant privacy laws, while also maintaining enough flexibility for future adaptation. A privacy company like DataGrail can help companies build robust privacy platforms that empower people with more control over their privacy and identity.
Simple Steps to Start:
- Take an inventory of the types of data the company collects or has access to, and the purpose for access of that data.
- Create a plan for the company to follow in order to arrive at a position of compliance to the applicable privacy law(s).
“Your biggest supporters in building out a privacy program are always going to be your product design and engineering team. They are the ones building out the data stores; they’re going to know what data resides where, especially in your custom-built back-ends.”
-Heather Wood, Head of Privacy Programs, Outreach
Deliverables
Companies should be sure to create written policies and processes in order to keep themselves and their customers safe. Here are some types of deliverable documents that ensure accountability and responsibility under privacy law.
- Data maps, flows, and holdings enable a company to produce “records of processing activities,” which are required by Article 30 of the GDPR.
- A privacy impact assessment weighs the benefits and risks of data processing activities, taking into account the context of the processing and mitigation efforts. This is important to have for both privacy and security. Companies that operate in the EU will already be familiar with privacy impact assessments, and these documents will soon be required under the CPRA, as well as Colorado’s and Virginia’s privacy laws. These assessments will require input from a company’s IT and legal departments.
- After the Schrems II case, an international transfer impact assessment may be required for some transfers out of the EU and UK.
- Contracts with third parties need to be monitored for compliance with relevant data privacy laws.
It is good business hygiene to maintain strong policies for data minimization, routine deletion, complaint monitoring, and following through on promised actions.
How to Align a Privacy Program with Core Business Objectives
Companies should align their privacy policy with the company’s business objectives and mission. Companies can determine which departments are likely to be the most impacted by privacy programs and work with them to get stakeholders there invested in the company’s privacy projects. Understand what each department needs and how the privacy program can help them.
- Ask each department head how they are using and collecting data. Listen to understand.
- Instead of mandating privacy practices for all departments, treat the process as a collaboration.
- Help each department to buy into privacy practices by having a conversation about why it’s important, how departments can look forward and plan ahead together, and why there is value in robust privacy practices.
- Educate members throughout the company of the fines that could be incurred for violating privacy laws.
- Help each department to understand how aligning their operations with privacy policies benefits them.
Less is More
Although the collection of high quantities of data can be useful for companies, more data also exposes the company to a higher risk from a privacy and security perspective. Personal information is protected under many different privacy laws, even if it is “anonymized.” Spoiler warning: most data that companies think of as anonymized or de-identified still actually qualifies as personal data under most privacy laws. If there are enough data points, it is possible to triangulate the identity of an individual, even if there was an attempt to anonymize the data. That’s why it’s important to continuously educate each member of the organization on how personal data is defined under the law and how the company processes the information. And in cases where a company does need to collect large amounts of data, they should ensure that these decisions are done thoughtfully and with appropriate safeguards in place.
DataGrail & SixFifty Solutions
DataGrail is a privacy platform that helps companies build robust privacy platforms that empower people with more control over their privacy and identity. DataGrail’s platform eliminates complicated, manual and time-consuming processes associated with emerging privacy laws. We find and untangle the terabytes of data companies have, make sense of it, and organize it into an easy-to-use privacy program. DataGrail automates data subject requests, performs unified preference management and ensures accurate data discovery, which is foundational to any privacy program. Request a demo with DataGrail!
SixFifty’s Privacy toolset can help you determine how to best handle your organization’s data and generate customized legal documents required by privacy laws around the world. We are continuously monitoring this dynamic area of the law and updating our tools with changes in real time. Working with SixFifty is like having top-tier privacy lawyers by your side as you work through the best way to comply with your privacy law obligations. Schedule a demo with SixFifty today!
