GDPR Lessons - Proactive Privacy Protection – Being prepared for the next GDPR
In the wake of the European Union's (EU) General Data Protection Regulation (GDPR), governments worldwide are implementing privacy laws and regulations.
More than 80 countries and territories have enacted, or are drafting, their own rules. The State of California recently passed the California Privacy Rights Act (CPRA), which amends and extends the existing California Consumer Privacy Act (CCPA).
As these privacy protections continue to expand and become more comprehensive, organizations must become proactive in their approach.
Individuals and advocacy groups use new privacy regulations to assert control over their personal data as soon as those regulations take effect. Within hours of the GDPR coming into force, Austrian privacy activist Max Schrems and his non-profit None of Your Business (NOYB) lodged complaints against Google and Facebook, calling for fines of up to $8.8 billion. Being unprepared is costly.
To become proactive in your approach to privacy, focus on these four key areas:
Establish a Culture of Privacy
Organizations need everyone thinking with an eye to privacy and to protecting the organization's data and its stakeholders. Yearly "check-the-box" training is a good start, but it is only a start. Expand these programs to build continual awareness and to give your people incentives to identify issues and propose solutions to current and potential privacy concerns. In organizations that use personally identifiable information to power business processes, nearly every member of the organization touches that data or takes part in a process that relies on it. Building a culture of awareness turns the whole workforce into an early warning system for potential problems.
Evaluate your Partners
A discussion of partners cannot exclude the cautionary tale of Cambridge Analytica, where personal data was obtained through a third-party app and misused far beyond its original purpose, or the many breaches that have originated in the partner networks of other organizations. It is more important than ever to scrutinize the behaviors, controls, culture, and compliance of partners that use or have access to your data assets. Entrusting another organization with your data is analogous to giving it access to your bank accounts, and it deserves the same level of scrutiny and oversight. Implement a robust partner evaluation process and an ongoing audit program, and make sure the contract covers what the GDPR requires of a controller-processor relationship (Article 28): processing only on your documented instructions, defined security measures, audit rights, and prompt notification of any breach, since you still have 72 hours from becoming aware of it to notify the supervisory authority. Ensuring your partners also have a culture of privacy is imperative. A breach at your partner is a breach for you, and the regulator will treat it that way.
Communicate your Commitment to Privacy
Communicating the organization's dedication to privacy controls and to careful custodianship of customers' and partners' data is not just a requirement but a competitive advantage. Being open and direct with your stakeholders, and giving them full disclosure on how you use and protect personal data and other sensitive assets, builds trust and makes them more willing to share data and deepen the relationship. Naming and promoting the Data Protection Officer (DPO) role within the organization is only a first step. Giving the position a voice, and a mandate to be an outward advocate and communicator of the organization's approach to data privacy and data protection, is what makes the approach proactive. Trust built this way gives you early warning from your stakeholders and fosters a team approach rather than an isolated one or, worse, a defensive one.
Review your Technology
Several technologies can also help organizations manage their sensitive data proactively. As the size and scope of data within organizations grow, they need more advanced and agile tooling, increasingly incorporating machine learning, to maintain an accurate picture of where personal data lives and what risk it carries. What complicates the task is the steady adoption of disconnected systems with different data types, storage mechanisms, access models, and formats. Look for technologies that can discover and classify personal data consistently across those systems and that offer tools to protect it, with the caveat that automated classification still needs human validation before it drives retention, access, or deletion decisions. Additionally, look for vendors who keep innovating, offer services that help your organization address its specific challenges, provide advice and input, and continue to educate you on emerging requirements.
Privacy regulation is not going away; its scope and compliance requirements keep growing. Ensure your organization is prepared and, more importantly, proactive.