The U.S. regulatory scope that privacy professionals are staring down pales in comparison to the global scale, which features 130 regulations to contend with and more on the way. Yes, the number of U.S. states with regulations greatly differs from the global range; however, developing privacy programs isn't any easier from either angle.
A&E Networks Vice President of Privacy and Compliance Counsel Maggie Gloeckle, CIPP/US, CIPM, CIPT, FIP, sees the U.S. regulatory landscape for privacy as "gaining steam" with 15 states currently holding proposed legislation. The question that follows those pending laws is how an organization manages compliance when each state requires something different.
In a workshop at the IAPP Privacy. Security. Risk. conference in Las Vegas, Nevada, Gloeckle and a cross-section panel of privacy pros addressed areas and plans worth considering when structuring a privacy program to meet multiple regulations. One example of regulatory variance Gloeckle pointed to in the U.S. is how states handle data breaches. She added that most organizations are additionally dealing with global compliance to varying degrees, which leaves a hoard of taxing management responsibilities.
"It's a significant amount of work," Gloeckle said. "In the end, you're going to have to ask yourself, 'What do I keep as my baseline?' and then how do you tune all that for the specific environments that you're in? You really do need that baseline to work from."
A baseline privacy program boils down to what an organization views as an essential principle or value that a privacy program can carry over from one regulation to several others. The panel used a baseline model from the Centre for Information Policy Leadership as its guide within the session. Gloeckle suggested that the easiest way to develop a baseline is to use guidance set forth in different regulations and generate takeaways from past violations and consent orders.
One scenario in which a baseline program comes in handy is when organizations are blindsided by new regulations. Gloeckle and Mercer Chief Data Privacy Officer Jo Davaris, CIPP/US, both alluded to Nevada's consumer opt-out law, which takes effect Oct. 1, and how it "really snuck up on people." Davaris said that organizations that were prepared for the California Consumer Privacy Act were better prepared to check the compliance boxes for Nevada's law given the similarities between the two regulations. The proposed regulations in play mean there's a chance such a sneaky scenario will happen more often, which makes a baseline program that much more important.
"We've been tracking comprehensive regulations, as well as the little ones that pop up," Davaris said. "There are going to be more and more of these regulations because comprehensive regulations can't be passed due to the political environment of a state. They're going to pass something to say that they have something to protect consumers."
Baseline program principles for U.S. regulations can also come from global compliance efforts. Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, referenced considerations from the EU General Data Protection Regulation, but talked more specifically about how current or proposed regulations across the globe all work off of six compliance principles offered up by France's data protection authority, the CNIL. According to Leipzig, the CNIL's phases include privacy leadership, data inventory, gap assessment, impact assessment, mitigation and record-keeping practices.
"Those kind of seem like the principles everyone in the world really cares about," Leipzig said, adding that the California attorney general's office has used the CNIL's principles while developing guidance for the CCPA.
Partnerships and collaborations are another avenue worth exploring while trying to structure a sustainable privacy program. AvePoint Chief Risk, Privacy and Information Security Officer Dana Simberkoff, CIPP/US, said general interactions within an industry or across other industries give organizations a unique chance to learn and pick up new perspectives.
"There are different forums and opportunities to get in front of regulators or work with your peers," Simberkoff said. "Chances to ask 'what's working for you?' or 'how are you handling or thinking about this?' Opportunities like those are definitely areas worth investing in for your program."