A version of this post appeared in Corporate Compliance Insights.
Would you find it surprising that almost half of privacy officers consider building a privacy program as their top priority? Perhaps one would expect that privacy programs would have been built in the run-up to the GDPR (May 25, 2018). In our view, this is an indication that companies may be treating compliance as a tactical “check list” project and are now struggling with how to handle the multitude of privacy laws that just keep coming.
The Need for Timely Compliance
If reporting on the status of your data privacy compliance has not yet become a focus or priority for your board, it soon will be. Corporations and, in particular, corporate directors have a number of responsibilities and liabilities as part of their compliance and oversight obligations. Privacy is becoming an increasingly important topic at the board table and shareholders are also holding their boards accountable. Just last year, a shareholder suit was launched against a U.S. public company, and some of its officers and directors, for allegedly making false and misleading statements to investors about the impact of privacy regulations and the third-party business partners’ privacy policies on the company’s revenue and earnings. While we expect GDPR compliance to remain high on the radar of corporate boards, focus will expand as organizations turn their attention to the United States with the passing of state-level privacy legislation in California, Nevada, Texas, and numerous other states with legislation in flight.
Challenges to Timely Compliance and Practical Solutions
What is standing in the way of accelerating time to compliance in your organization? In our experience, we see the challenges privacy officers face typically fall into three categories: staying current on legislation, engaging the business and taking a “wait and see” attitude to upcoming legislation.
Challenge One: Staying current on privacy regulations/legislation across multiple jurisdictions
While a lot of attention has been on new legislation coming from across the US and around the world, it is also important to note that regulatory bodies are also updating existing laws on an ongoing basis.
Solution: This is one area where a software tool can be a big help in keeping up to date on laws and regulations in relevant jurisdictions. Nymity Research and Alerts pushes knowledge to you on relevant cases, legislation, and regulatory activity. Customized priority topics easily alert you to areas where your current program or compliance activities need adjustment as well as provide insight into potential areas of future risk to your business. This can save countless hours of research time from internal resources or, more importantly, it can save the cost of paying outside counsel to determine compliance activities.
Challenge Two: Embedding privacy responsibility into the business
While privacy has become a more integral part of business planning and strategy, our recent Privacy Pulse survey report showed more than half of privacy professionals rated the privacy knowledge of their business as moderate to very low. Employees outside of the privacy charter may not only lack general awareness of internal policies and procedures but the privacy landscape generally, and thus the impact and risks of a lack of privacy compliance can pose to the business.
Solution: Using business friendly language (not technical privacy “legalese”), articulate the roles and responsibilities of each business, priorities for compliance, the rationale, and the impacts to the business if they get it wrong. Leveraging tools and methodologies that use the language of the business, is an effective solution for clearly outlining privacy management activities that need to be implemented and documented. It also highlights any cross-functional dependencies to be considered in executing their privacy compliance tasks on an ongoing basis.
Challenge Three: Taking a “wait and see” approach to compliance
The evolving privacy landscape from a regulatory perspective is murky and unpredictable to say the least. While overall, we are seeing an increased sense of urgency from organizations, particularly as it relates to upcoming California Consumer Protection Act (“CCPA”) compliance, there are those that are opting for a “wait and see” approach and delaying compliance efforts until ambiguities in the law are clarified and the amendment process is completed. If the GDPR taught us anything, preparation is critical and the longer organizations wait, the harder it will be to meet compliance timelines, creating risk to your business.
Solution: The US is not unique in introducing consumer data privacy rights. Approximately 113 countries and regions have data subject rights requirements as part of their laws. Many rights are common around the world and figure in well over 100 laws. These include transparency rights, correction requests, the right of access, and right of deletion. Although there will be nuances from state to state (and even country to country), the core consumer rights around access and deletion will be the common denominator in the CCPA and other state and global laws, and the perfect place to get started.
Getting Started: Lessons from GDPR
If your company is required to be GDPR compliant, you likely already have key foundational elements that can be leveraged in CCPA compliance and other state laws dealing with data subject requests. For example, under Article 30 of the GDPR you would have had to complete a record of processing activities (ROPA). Capturing the purposes of processing, categories of individuals, categories of personal data for GDPR can also be repeated for compliance with the CCPA, even though a full inventory is not required by law. You can easily extend your ROPA established under the GDPR to cover CCPA specific elements such as whether the data is sold to third parties. Even if you have not completed this exercise for the GDPR, this is another great place to start preparing for state legislation as it gives you the ability to communicate to the business in a language they will understand, simplifying the process of identifying the data, the purpose, and what data they need for the purpose of processing (for example, payroll and benefits).
Preparing for CCPA and other state or global privacy regulations does not (and should not) be a “wait and see” approach. By leveraging research tools to stay on top of legislative developments in near real-time, engaging with the business in a conversation about risk in a language they can understand, and taking advantage of work you have done to address common denominators in data subject rights can go a long way in mitigating risk for your organization and, ultimately minimize your time to compliance.
Nymity has a number of tools to help you move beyond “wait and see” and proactively prepare for compliance with CCPA and more.