According to the most recent Chief Legal Officers Survey conducted by the Association of Corporate Counsel (ACC), 60% of respondents reported that they expect to see an increase in the volume of privacy regulatory enforcement in 2022. This should come as little surprise, since we are in a ramp-up period to new and more stringent regulation, with legislation in various states coming into force next year. Meanwhile the pending California Privacy Rights Act (CPRA) creates and funds a separate enforcement agency. And a new privacy law in China, while only six months old, is already causing concern given the Chinese government’s reputation for stringent regulatory enforcement. Moreover, there are also sweeping privacy laws being revised, enacted or actively enforced in Canada, India and Brazil.
News of high profile data breaches and ransomware attacks demonstrate the high cost of poor data governance—from multi-million dollar fines to the incalculable reputational damage that is leveled against a brand when a data privacy violation is made public. It is clear that the time to start building a sustainable and scalable data protection/privacy program is now. The following four principles will help guide you as you embark upon your data privacy journey.
1. Establish a Defensible Data Inventory
If you do not know what data you have, where you have it, why you have it and who you are sharing it with, then your ability to react effectively to a data breach or respond compliantly to individual rights requests will be severely hampered. In fact, without this organizational foundation of establishing a robust, actionable data inventory, you have limited chances of success achieving any legal GRC objective.
Data lives across all areas in just about every functional department—legal, IT, marketing, services, sales, and the list goes on. Often, data exists in places many of us are not even aware of, due to either institutional knowledge that has long since left the organization or a lack of documentation and maintenance of important data sources. This emphasizes the importance of engaging leaders across the organization to help understand what is being and has been collected, with whom that data was shared, and where it currently resides.
“If your data is all over the organization, it's going to be much harder to delete it, find it, access it, and centralizing its location is very important,” said Dave Navetta, partner and vice chair of cyber/data/privacy for Cooley LLP. “ If you don’t know where your data is and you don’t know where it’s being sent to, you can’t comply with the CCPA. That’s a hard stop, period.”
2. Incorporate Informed Consent
The notion of informed consent has become a staple of modern privacy law, at least conceptually. While not every regulatory regime dictates that organizations must obtain affirmative, explicit consumer consent to the collection of their data, they all require some form of notification, and some kind of explicit or implicit agreement to terms, opt-in or restriction. Following the passage of the EU’s General Data Protection Regulation (GDPR), consumers were inundated with consent requests that popped up in front of websites.
This “cookie consent” stop-gap measure was crude in function but served its purpose as few organizations had enough time to properly embed these informed consent requirements into the framework of their existing websites. Other stopgap measures such as providing a link to a long and complex privacy policy might feel like it meets this burden, but most regulators would likely disagree.
Today, the rules have been tightened and earlier approaches often fall short of new requirements. We are past the time where users will tolerate consent with dark patterns or that functions as a gate to limit access. Instead, it needs to be smoothly integrated into the user journey. This requires a lightweight broker that provides comprehensive consent across multiple channels—whether it is from the web to multiple owned or third-party applications—in order to deliver a uniform user experience to consumers based on their selected preferences.
“The laws and expectations around privacy are shifting to user-enabled control over their personal information,” said Justine Phillips, an attorney with DLA Piper. “Getting ahead of the shift will put organizations in a better position as these laws continue to emerge. We’re at a point where consent can no longer be an afterthought to consumer experiences.”
3. Be a Data Minimizer, Not a Data Hoarder
Marie Kondo tapped into the cultural zeitgeist a few years ago by challenging people to consider the belongings in their home and to ask themselves whether or not a particular item “sparked joy.” If it did not, then it should be summarily discarded. In a similar fashion, good data governance begins by reducing your data stores to include only what is essential and nothing more. For all the potential value that data holds, archived data also represents a minefield of potential risk and liability, whether via a data breach, a ransomware attack, lawsuits, investigations or data subject access requests (DSAR) from a customer or employee
Ironically, many of the most damaging data breaches have often targeted outdated or unused information in legacy systems rather than the data that resides in crucial business applications. Consequently, these businesses needlessly exposed themselves to plaintiff claims for not properly safeguarding their customer data while providing regulators with the justification they required to bring enforcement actions for not maintaining reasonable security practices.
The practice of data hoarding is part of a broader cultural dynamic. “Many organizations have a culture where they find some comfort in retaining data. ‘Why dispose of it if we might want it in the future?’” said Alan Friel, partner and co-chair of the global data practice at Squire Patton Boggs LLP. “It’s more of an emotional attachment to the data than a legitimate business purpose. We want organizations to shift their mindset to that of a healthy spring cleaning. The clear legislative trend is to impose purpose and retention limitations that preclude retention after the collection purposes end, and where an ongoing purpose justifies retention, the retention should be limited to that purpose and only for so long as it continues to apply.”
Most privacy regulations also require that data controllers carefully consider the purpose of the data they are collecting and that they should be wary of not collecting more than is necessary to accomplish that goal. Purpose limitation is an essential obligation that compliance teams must consider when scoping their data privacy program. Practically speaking, this means that one must be able to clearly articulate the purpose of the personal data being collected, how they plan to use the data, and ensure the data is not used for any other secondary purpose that was not articulated at the time of collection.
4. Invest in Automation Capabilities
The sheer volume of data being generated on a daily basis by today’s enterprise makes the laborious task of complying with an evolving regulatory landscape all the more challenging. Whether maintaining a comprehensive inventory of your data management and governance policies, building a defensible data retention practice, or responding to discovery and DSAR requests, a manual-based approach to meeting these burdens is expensive, inefficient, and prone to error. That is why many organizations are investing in purpose-built technology platforms that can deliver automation and scale to these types of record requests.
The importance of automation becomes evident when looking at the costs that can be incurred when responding to DSARs. Gartner estimates the cost of manually retrieving consumer data at $1,500 per request so it is easy to see how the cost of processing dozens or hundreds of DSARs can consume multiple full-time employee salaries. And when the CPRA is enacted, those costs will likely be dwarfed by employee DSARs which under GDPR can easily cost organizations tens of thousands of euros to fulfill each individual request.
“DSARs are becoming increasingly commonplace,” said Peter Stockburger, managing partner at the law firm Dentons. “Manually responding to DSARs as they come is not an ideal state for most organizations. Automation is one way organizations can stay ahead of the curve. Although the volume of DSARs may not be outrageous, the scope of data subject to the requests will continue to change, as will the types of individuals capable of making such requests. Automation drives the cost down in responding to DSARs and makes operations more efficient, more effective, and a better experience for the consumer.”
While data privacy regulations can feel like an onerous burden in the short-term, they also provide an opportunity for businesses to drive operational improvements in their own data management processes and most critically, will go a long way towards building trust with your customers over the long haul.