As we enter 2021, organizations are facing fatigue across multiple fronts, including the onslaught of new privacy legislation and enforcement, while trying to balance these risks with skyrocketing interest in data around the world. In this difficult time, organizations confronting competing demands on other regulatory fronts, along with budget and personnel cuts made worse by the ongoing COVID-19 pandemic, can easily feel overwhelmed at the challenges that come with addressing new privacy laws year after year.
Privacy offices must carefully plan to make sure they shape their programs and approaches to balance the risks and requirements most applicable to their organization and maintain the credibility needed to continue to mature their programs and adapt to these new challenges. This is not an easy task, but with increased enforcement and restriction on the use and movement of personal data, it is a risk that cannot be ignored.
The burden of these efforts, however, can be eased by a well-developed strategy that takes into account the dos and don’ts set out below.
Do understand your organization’s privacy footprint and risk
There is so much happening in the privacy world right now, and companies have had limited respite over the last few years, between the invalidation of Safe Harbor and the implementation of EU-U.S. Privacy Shield, the passage of EU General Data Protection Regulation and the California Consumer Privacy Act, along with the California Privacy Rights Act in November, the subsequent invalidation of Privacy Shield, and the related requirements imposed by the “Schrems II” decision, as well as new and pending laws across the world (Brazil, China, India), all with the threat of increased enforcement and litigation.
As important as it is to address these developments, without careful planning, privacy teams face the risk they will lose internal support from management and other critical teams, such as IT, as they dip into the well over and over for additional budget, resources and changes.
In certain instances, such as with the CCPA, it is also hard to point to significant enforcement activity yet because the law is so new and enforcement has inevitably been delayed to some extent by the pandemic. While this can make it harder to argue the law poses an actual risk to the organization if not appropriately addressed, experience with the GDPR and other new privacy regimes tells us that enforcement will come and increase over time.
To help strike the right balance, privacy teams should take the essential step of carefully evaluating where their organization’s true privacy risk lies rather than assuming all laws should be given equal weight. For example, the CCPA and now the CPRA have received significant and ongoing attention over the last few years, such that they are often top of mind for management and boards. But preparing for these laws should not be done in a vacuum.
For example, a global business-to-business company with employees all over the world but with limited individual consumer data collections will likely be better served by focusing initially on developing a strong employee privacy program and understanding the applicability of the “Schrems II” decision to its operation. It should also focus on how exceptions to the CCPA might be applied rather than prioritizing a CCPA compliance program over all other efforts or letting a GDPR compliance program stagnate while the focus shifts solely to the CCPA.
Conversely, a U.S.-headquartered consumer-focused company will need to more carefully balance its CCPA/CPRA efforts with those of the GDPR and other laws that impact consumer data collections, as the enforcement risks under the CCPA will be much higher in practice than for the B2B company described in the first example.
There is no doubt privacy teams must be aware of new privacy laws, enforcement trends and related information, but it is easy to be distracted by the latest headline. A thorough and ongoing evaluation of the actual data flows and exposure of the organization will help keep competing changes in perspective and shape effective messaging for decision-makers across the company.
Do leverage and combine existing efforts
While privacy laws around the globe are not the same, most have common threads (e.g., notice, data subject rights and breach notification obligations). To maximize efforts, resources and budget, it is important for privacy teams to consider applicable laws together and leverage existing efforts when possible. This will not be possible in all cases, but starting with a goal of consistency will help minimize duplication of effort or the need to implement and maintain a multitude of technical and operational privacy solutions across different jurisdictions when a more streamlined approach would be possible.
Do build bridges
A privacy program is truly only as good as the internal support it receives from critical lines of business within the organization.
If an organization does not implement technical solutions to address requests, such as rights of access or deletion, or to be prepared in the event of a breach, it is bound to miss the mark at some point in responding appropriately. Or if the privacy team is not informed of new changes to technology or uses of personal data, there could be important gaps in privacy notices or other important features of the existing privacy program.
To avoid these pitfalls, privacy teams should work to build bridges and open lines of communication with those individuals and teams that will put policies and procedures into practice, particularly the chief information security officer and IT organization.
These efforts at collaboration will help avoid surprise roadblocks to important or legally required changes, such as end-of-year moratoriums on technical changes or budget restrictions that cannot be overcome in a particular year, and will generally facilitate a smoother roll-out of critical solutions. They will also help avoid privacy burnout and build legitimacy for requests related to the evolving requirements, even as they are released in what feels to be rapid succession.
Building connections to the business teams that actually use data is also critical. The best result from both a business and compliance standpoint will always come from early discussions on how to build privacy considerations and controls into new initiatives. This will help avoid last-minute limitations to new initiatives or unanticipated privacy risks that can impact the success of the project or broader privacy risk for the organization.
Privacy teams should, therefore, work to establish strong lines of communication and trust with business teams, as well as an understanding of new technologies that drive these efforts to demonstrate an interest in being a solution-oriented partner rather than a force that limits innovation and potential revenue streams.
Don’t forget incident response
Security breaches continue to pose some of the most significant financial, operational and reputational threats to companies, particularly with so many forced to manage a remote workforce amid the pandemic. The threat from ransomware and other types of attacks will almost certainly increase, as well as enforcement and litigation. Therefore, any long-term strategy must include an ongoing assessment of information security and retention programs along with breach response plans to help tamp down the very real risks and costs associated with security incidents and data breaches.
Don’t panic
Building and maintaining an effective privacy program in today’s environment is daunting, but by taking the time to tailor the program to the organization’s actual needs and develop a strategy for working across the organization rather than in a silo, it is possible to continue to mature the program, protect the privacy and security of data and reduce risk in a meaningful way.