New Decade New Strategies: 5 Privacy Regulation Action Steps to Take in 2020
It’s a new year, and a new decade, and corporate decision-makers tasked with privacy management face a crowded agenda going forward.
That group includes compliance officers, risk management and security executives, and the data analysts responsible for the dissemination, storage, and management of sensitive company information.
In fact, the management of personal and institutional data is deemed the biggest privacy risk by 70% of global companies, according to Gartner. That’s up from just 10% two years ago.
Couple that with the emergence of new data protection and privacy mandates, like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020, both of which seek to strengthen individuals’ control over their personal data, and corporate data managers will have their hands full in 2020.
“Multiple countries are implementing regulations inspired by the GDPR principles, a movement that is likely to continue into the foreseeable future,” notes Bart Willemsen, a senior director analyst at Gartner. “These privacy requirements dramatically impact an organization’s strategy, purpose, and methods for processing personal data. Furthermore, breaches of these requirements carry financial, reputational and regulatory implications.”
That isn’t hyperbole. Any organization that processes the personal data of EU residents and runs afoul of the GDPR can face fines of up to 4% of its annual global turnover or 20 million Euros, whichever is greater. The CCPA provides for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and there is no ceiling on the number of violations the California attorney general can pursue against a business that is subject to the law.
Data Protection Issues and Actions in 2020
In that context, what trends are developing and how should companies properly manage changes, threats and opportunities revolving around data privacy issues in the new year (and a new decade)?
These five action items should be at the top of any data privacy “to do” lists:
Do your due diligence – and do it daily. Stricter data privacy regulations call for more disciplined research and study.
Stay abreast of data privacy news by establishing a daily alert via Google News, and use it as a pipeline for fresh updates on data compliance news and regulations. Regulatory compliance officials and other C-level executives can also join the growing number of data privacy groups, like the International Association of Privacy Professionals, which provide news and updates of their own. Additionally, other members can act as a sounding board and provide counsel on data security trends and issues.
Pull back the lens on company-wide data privacy management. Company managers responsible for data privacy should take an “upstream/downstream” view of securing company data, to better protect customer privacy. That means knowing where your company’s data resides at all times, knowing who makes use of it, and understanding how that data is protected at each stage.
For example, the people who own company data should never grant third parties access to it without proper vetting and a full understanding of how the outside party will use that data, how long they will keep it, and how they will secure it.
As 2020 dawns, the era of a wild west mentality, where too many “unknowns” get access to company data, is clearly over. A full-scale upstream/downstream approach to data privacy management will let any interested party know there’s a new sheriff in town.
Stay ahead of privacy management tasks. All too often, companies trying to keep up with new risks and compliance regulations wind up falling behind, often inadvertently. Software updates aren’t applied, management talent comes and goes, and profit-generating company initiatives wind up taking all the oxygen out of the room, elbowing data privacy initiatives out of the picture. Don’t let that happen to you in 2020, a year in which the risk of regulatory action grows substantially higher.
That means getting out of “catch-up” mode and making data protection an ongoing, even daily, management task.
Put a good team together and have a contingency plan for when a key manager or staffer leaves. Assign an IT specialist to make sure your company is keeping pace with software updates and regulatory deadlines. Have a data privacy task force manager responsible for checking in on a regular basis with updates and potential issues to cover. Schedule regular audits of the internal systems and outside vendors that hold company data, and require them to demonstrate that their data management processes are compliant.
Now, more than ever, data privacy management is a “front-of-the-store” priority – and allowing it to slip to the back of the company task management list is a recipe for failure.
Get good regulatory compliance help. If you don’t have a compliance officer on hand (and in this regulation-heavy era, you should), hire an outside consultant who can help manage your company’s data privacy management process. A regulatory specialist steeped in the intricacies and nuances of ever-changing data privacy regulations and rules can help you steer clear of trouble, and the engagement can wind up paying for itself as your data risk management strategy starts paying dividends.
Find a good third-party risk management specialist by asking business partners and acquaintances for leads, checking regulators’ updates and newsletters, or by attending regulatory technology meetings, dinners, and conferences and gathering information.
Establish a company digital ethics board. These days, it’s not enough to only have a risk management and compliance team working on data management issues. Too often those teams are mired in the day-to-day tasks associated with data compliance, and there’s no time to take the long view.
That’s where a digital ethics board can help.
Big-picture issues related to data privacy, such as artificial intelligence and machine learning, blockchain, and other game-changing trends, require a robust, long-term ethical policy. Key areas for your digital ethics board to cover include the intended uses of data under these new technologies, managing potential company-wide bias in how data is used, and how the never-ending flow of corporate data should and will be governed over the long haul.
Given the increasingly onerous regulatory climate data managers face, these considerations aren’t a luxury – they’re a necessity.