Many privacy professionals rightly think data has become a "beast" within their company. Across the enterprise, business units, product managers and engineers have been given varying degrees of autonomy to develop their own internally and externally hosted applications, tools, data repositories, cloud stores and other systems.
They often have limited visibility of how their decisions to collect, copy, store and share data will impact the company's broader privacy compliance program. They also tend to focus on optimizing their systems to achieve business goals and may not prioritize how well those systems support privacy compliance procedures.
At the same time, data privacy laws are proliferating. State privacy laws are adopted with increasing frequency, and federal and non-U.S. privacy requirements continue to expand. These privacy laws confer robust rights on individual data subjects and impose corresponding obligations on companies. Awareness of privacy rights is also increasing, and plaintiffs' firms, class action lawsuits and regulatory enforcement actions are escalating privacy-related risks.
The old ways do not work very well
In the past, privacy pros could find ways to make privacy compliance work. Data subject access requests (DSARs) and other rights requests could be handled via manual procedures to query application owners and respond promptly. Governance of personal information, while not perfect, could also be managed. The old ways, however, do not seem to work well anymore.
Companies are experiencing a rapid increase in the frequency and complexity of DSARs, creating strains on manual response procedures. In the midst of cyber incidents, companies find sensitive personal information scattered within impacted, unstructured data repositories, obligating them to make data privacy breach notifications. Given the general proliferation of data, companies find it increasingly challenging to implement retention and secure deletion policies throughout their systems.
Privacy pros are making inroads, but going deeper is better
Privacy pros are working on many levels to make inroads. Workflow management tools are available to help track the intake, execution and return of DSARs and other requests procedurally. Front-end cookie management tools can automate opt-outs and consents for targeted marketing campaigns if properly configured. Data discovery tools can help to automate portions of the data discovery aspects of DSARs, and data deletion tools can help remove personal information from company systems.
Privacy pros could also benefit from working directly with company engineers and business teams to establish technical controls for the full lifecycle of personal information, from collection through deletion. This should involve collaborative efforts to develop and implement data classification, tagging, inventory, retention/deletion and overall data privacy governance. From a data privacy compliance perspective, this could help facilitate responses to DSARs, ensure timely deletion of personal information when it is no longer required, support overall data governance, and reduce the amount of personal information in unstructured data repositories to manage privacy risk in cyber incidents. From a business perspective, the benefits include better organized data that can be more easily utilized in a privacy-friendly manner that supports artificial intelligence, machine learning and other initiatives. Perhaps more fundamentally, this approach could help build customer trust by facilitating DSAR responses and mitigating privacy and cyber incident risks.
7 tips for aligning with engineers and business teams
How can privacy pros align more closely with company engineers and business teams?
1. Do the homework on how privacy law obligations apply at a systems level
From an engineering perspective, privacy laws impose various performance standards on company systems. It is helpful to think in these terms when preparing for discussions with engineers and business teams. Conceptually, privacy laws impose performance standards at three different points in the data lifecycle: during the collection of personal information, during the use and processing of personal information, and at the end of the data lifecycle.
Privacy pros need to "boil down" the privacy requirements in the expanding array of state, federal and non-U.S. privacy laws as they apply to the company's systems. This is not easy. Privacy laws are typically drafted based on the regulators' general notions of privacy principles and rights, which are not easily translated into concrete standards for implementation. Moreover, globally, regulators have broad authority to establish privacy requirements tailored to their philosophies, so companies need to deal with different and sometimes conflicting privacy law obligations.
For example, with respect to consent management issues, the EU ePrivacy Directive and the EU General Data Protection Regulation generally require prior express opt-in consent for advertising and other nonessential cookies.
In contrast, apart from sensitive personal information considerations, U.S. state privacy laws allow these cookies so long as implicit opt-out consent rights are provided and properly communicated to data subjects. Similarly, the Virginia Consumer Data Protection Act and the Colorado Privacy Act establish general express opt-in consent obligations for sensitive personal information collection and processing, as does the GDPR. In contrast, the Utah Consumer Privacy Act establishes an implicit opt-out requirement for any processing beyond providing the product or service for such data. The California Consumer Privacy Act requires the provision of opt-out consent to limit the use or disclosure of sensitive personal information.
Divergences also arise with respect to DSARs and data subject rights more broadly. For example, the Virginia, Colorado and Iowa privacy laws provide exemptions from DSARs and deletion rights for pseudonymized personal information under certain conditions, but comparable exemptions are not established under the CCPA or the GDPR. Various other exceptions and limitations apply with respect to data subject access, deletion, objection and other rights across privacy laws in different geographies and industry verticals.
Privacy pros will need to make decisions about consolidating these various privacy law obligations into performance standards that engineers and business teams can digest. In some cases, privacy pros may suggest adopting a higher standard across the board to reduce friction and streamline implementation across jurisdictions. For example, although Utah's privacy law and the CCPA allow opt-out approaches concerning sensitive personal information, a privacy pro might recommend consideration of an express opt-in approach generally, with ongoing opt-out rights, to address Virginia and Colorado's privacy laws, the GDPR and other jurisdictions that establish higher express opt-in consent requirements.
Privacy pros might also consider the regulatory regimes too divergent to reconcile in some cases, so that different implementations on the front end are needed. For example, the GDPR definitions and requirements on cookies are so different from those in U.S. state laws that the company may wish to deploy one front end to users in the EU, with its specific disclosures and requirements, and a different approach for users in the U.S.
Importantly, privacy pros should approach business teams with recommendations and insights into privacy law requirements and participate in robust discussions to identify options and solutions, but generally should avoid making final decisions on privacy risk issues for the company. Privacy laws pose business and privacy risks, and senior business leaders are in the best position to make the final decisions on these issues. For more context on the privacy professional's role, see this article on applying privacy laws by understanding their meaning, assessing associated risks and accounting for other compliance obligations.
2. Make recommendations for handling data classification from a privacy law perspective
Each company is different, but for many a core issue will be specifying when or under what circumstances data collections about customers or other data subjects rise to the level of personal information, i.e., the definitional trigger for the application of many privacy laws.
Personal information is typically defined as any information about an identified or reasonably identifiable natural person, but different privacy laws can establish different definitions. Moreover, privacy laws can establish different standards for deidentifying/anonymizing personal information. And privacy laws can establish various thresholds for when personal information should be subject to a heightened degree of protection as "sensitive" personal information.
Companies in different industry verticals and business lines can diverge significantly as to whether or when they collect and process sensitive personal information. It is important to bring informed recommendations regarding the scope of the company's processing activities concerning such sensitive personal information to discussions with engineering and business teams. For engineers, proper data classification will be foundational for the next steps of data tagging, inventory and overall data governance.
3. Align the business case
When making the business case internally to go deeper with engineers and business teams, think broadly about what other stakeholders would benefit from the exercise. Perhaps most directly, the compliance unit can benefit from better organized and scalable response procedures for DSARs, data subject requests and general broader data privacy compliance.
Cyber and information security can benefit from reduced personal information within unstructured data and other repositories and a reduced risk of privacy breach notifications. Legal can benefit from having better organized information to search in the context of e-discovery and other investigations. Business teams can benefit from more organized datasets for AI, ML and other applications. Perhaps most importantly, the business will benefit from enhanced customer trust through more streamlined responses to DSARs and mitigated risks from privacy and cybersecurity issues.
4. Be strategic with whom to engage and look for opportunities
Without a forcing event to bring the issue to senior management's attention, many privacy pros would find it challenging to succeed in making a broad proposal for a large-scale investment in data privacy engineering. It would be better for privacy pros to be strategic about finding a business unit, product team or functional area more inclined to pursue improvements. It can also be helpful to look for opportunities to raise the idea with senior leadership, such as in a spin-off transaction, a data migration to the cloud, an IT transformation, or the "lessons learned" review after a significant cyber incident. Success on discrete, specific matters can establish the groundwork for large-scale initiatives that senior leadership will support and appreciate over time.
5. Focus on vendors and third-party disclosures
In terms of scope of effort, it is important to focus on the disclosure of personal information to vendors and third parties. This can be an area of significant privacy risk, and it will take a concerted effort to apply the privacy controls developed with engineering to such disclosures, both from a contractual perspective and from a technical perspective. This effort may involve the company's procurement teams, engineers and product managers.
6. Leverage information security governance
Given the escalation of cyber risk over recent years, many companies have established well-developed information security governance teams and procedures to help manage cybersecurity risk. Privacy pros may find their company has good muscle memory with how to do security governance, and often, those procedures can be leveraged for better privacy implementation in a faster and more reliable manner.
7. Look for ways to bridge the gap
In many respects, the fundamental point of the exercise is bridging the gap between privacy pros who know the privacy laws and engineering, product and technical teams who design and implement the systems for the company. Privacy pros should work on both sides of that equation. Reading a privacy engineering book, taking an online class and/or asking an engineering colleague will give them a primer. At the same time, privacy pros should offer training to small or large groups on the aspects of privacy laws discussed above. The engineers and business teams can help guide them on where and how the privacy issues appear within the product development lifecycle. These teams can be tremendous allies in spotting and remediating privacy issues to which privacy pros would never have had visibility.
The road ahead
At the end of the day, this is a great time to be a privacy pro. Given the proliferation of privacy laws and risk, combined with the reality that data is critical for business, companies need skilled privacy pros more than ever. Over time, a privacy professional who knows the privacy laws and collaborates closely with engineering and business teams should be able to enhance privacy compliance, build customer trust and tame the beast of their company's data.