Data privacy regulations are in flux, not only at the state and national level, but globally. Even as companies put the finishing touches on extensive preparations to comply with the European Union’s landmark GDPR law, new laws were introduced in the U.S. states of California, Vermont, Nevada, and Maine.
While new laws are being passed, those in effect are already being amended. There is already a new proposal, announced on October 23, 2019, by the Electronic Frontier Foundation, that would fundamentally change the definition of what constitutes “personal information” in California. Further, the authors of the proposal are recommending the establishment of a supervisory body to oversee data privacy regulation in California, bringing the California law even closer to the way the European GDPR is structured.
California is just one of 50 states, and the United States is just one of more than 100 countries that are writing and amending data privacy laws. And, at least so far, there doesn’t seem to be any consensus as to what data privacy rules will eventually look like. Even in the EU, where there was some uniformity under the GDPR, Brexit may still throw a spanner in the works.
The problem and proposed solutions are complex and evolving. The one thing that is almost certain is that companies aiming to comply with a specific regulation by a specific date are going to be disappointed as those near-term obligations are supplanted by new and different rules over the mid and long term.
If companies are confused about how to act in the face of this evolving situation, they have a right to be. Increasingly, the understanding among experts is that any privacy policy adopted today needs to be nimble and flexible enough to accommodate the very real likelihood of changes and updates. Any notion that privacy compliance is or will be a one-time effort is likely to cause frustration while driving compliance teams crazy.
Chances are that in five to seven years from now, a lot of this will be settled case law. But that’s cold comfort to companies that have to comply with a mishmash of disparate regulations today. So how does a responsible organization go about creating a data privacy program that will work today, and withstand the test of time?
One way to do that is by creating the compliance equivalent of basketball’s “zone defense” — a framework that addresses all the fundamental aspects of data privacy (use, transparency, data integrity, notifications, etc.) without being locked into any one specific compliance format.
One key aspect of building a flexible privacy compliance program is the establishment of a form of shared services operations under the direction of a dedicated chief privacy officer (CPO). This structure has been used successfully for more than two decades since the creation of healthcare privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Creating such a structure provides a basis not just for complying with an individual law, but also for training and communications. It establishes a governance framework and a reporting structure with metrics and measurements to ensure that data privacy best practices are promoted and practiced throughout the company.
This can’t be accomplished overnight. Establishing an effective privacy compliance environment could take six months or more. Many companies have found it helpful to bring in third-party subject-matter experts to help develop the policies and build the program. While specific data privacy rules will continue to change and proliferate, the principles of managing these changes are well-established. By working ahead of the law, in comprehensive fashion, to build the structure around privacy, understand the principles, educate stakeholders and assign responsibilities for managing changes, companies can look to the uncertain future of privacy regulations with greater confidence.