Two years ago, organizations were rushing to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR). After a flurry of activity and changes to privacy settings and disclosure, many felt they could move on once they’d checked that compliance box. But things have not remained static from a regulatory standpoint. In May, the European Data Protection Board published yet another update to GDPR implementations related to cookies preference management (Article 29). This is just the latest in a series of GDPR updates that have been issued over the last two years. Other circumstances have evolved as well, including with the ongoing pandemic and work-from-home changes organizations have adopted.
It seems timely for organizations to survey data privacy regulation in general, evaluate challenges arising from COVID-19, and explore best practices for data privacy programs under any jurisdiction. Since the GDPR, other data privacy measures have been under discussion or put into effect; many businesses will be subject to more than just one regulatory body. Violations of any data privacy regulation, unwitting or otherwise, could mean fines, reputational damage and expensive remediation activities.
Several of these themes were also explored in a recent Protiviti webinar, “Compliance + Collaboration: Tackling Data Privacy With OneTrust“.
GDPR
If memories need refreshing, the GDPR went in to effect on May 25, 2018. It applies to organizations that collect and process personal data of EU data subjects. The GDPR defines responsibilities for organizations to ensure privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators. Failure to comply with the GDPR can result in fines of up to 4% of a business’s global revenue. Since the GDPR went into effect two years ago, nearly 800 fines have been assessed.
COVID-19
In a short time, COVID-19 changed many business practices and raised more questions with regard to data privacy than answers. For example, would records related to employees’ daily wellness checks and staff notifications of coworkers testing positive for the disease be subject to privacy regulations? Remote working arrangements have added data privacy risk, too. An employer’s monitoring of employees working from home could be subject to data privacy regulation. When a transition to remote work is abrupt and unplanned, employees might work from unsecure environments; they may maliciously or unwittingly misuse customers’ personal data. Home environments facilitate such behaviors in a way that the office setting does not.
As of June 1, the U.S. Senate was preparing bipartisan legislation to require applications for contract-tracing and exposure notification to be deployed only in collaboration with public health authorities. As health officials try to help Americans establish whether they’ve come into contact with an infected person, the Exposure Notification Privacy Act would bar private businesses from releasing any application not approved by public health authorities, and establish other prohibitions and rights as well.
California and Other States
In 2018, California enacted the California Consumer Privacy Act (CCPA) to create “new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” Rules elsewhere in the United States vary, but a number of other states have either passed or are considering their own data privacy laws.
Federal Trade Commission
In the U.S., even if a company never has to deal with GDPR or a state law like the CCPA, it is still subject to data privacy regulation. Throughout all states, the Federal Trade Commission (FTC) holds sway by enforcing the unfair and deceptive trade practices statute. According to its 2019 Privacy and Data Security report, it had “brought enforcement actions addressing a wide range of privacy issues in a variety of industries… matters include… 80 general privacy lawsuits.” From the FTC’s advice page on privacy and security: “Think your company doesn’t make any privacy claims? Think again — and reread your privacy policy to make sure you’re honoring the promises you’ve pledged.”
Shifts in Data Privacy Thinking
Shifting from a legal to a practitioner standpoint. Most businesses have evaluated privacy from a legal standpoint, listing the applications that house private data as their inventories. Having gained practical knowledge through enacting data privacy protections, businesses are now shifting from a legal to a practitioner approach. They’ve come to recognize that data privacy includes sharing, use and access by third parties, and that this requires a deeper understanding of information systems, vendors and relationships. They have realized that without developing data flows via a thorough data mapping exercise, they’d miss a lot of the information needed to comply with the privacy laws they have worked so hard to legally codify in their processes..
Shifting Focus to Culture. There’s a growing sense that data privacy compliance is less a matter of following rules and more about building a culture of privacy within the organization. Beyond publishing applicable policies, organizations must know precisely how data is used to ensure they’re following their own policies – not just at the application and data level, but across the entire organization. One business we know published a privacy policy that included a “how we don’t use your data” list. But through data-flow analysis, we determined they did use the excluded data. Without comprehensive data mapping, they didn’t have a clear picture of data use, so their own practices contradicted their policy statement, in violation of data privacy regulation.
Shifting from a project to a program perspective. At first, most businesses considered compliance with data privacy regulations to be a “one and done” project. Now, organizations recognize that data privacy is an ongoing effort, best organized as a program to monitor for and respond continually to new data types and new compliance obligations.
Your Data Privacy Program
A data privacy program is best built centrally within an enterprise to establish a pervasive culture of privacy that is consistent with the organization’s risk appetite. More businesses are designating a data privacy officer (DPO) role to drive data privacy from the top down. Smaller organizations that may not have dedicated DPOs may have trouble meeting the dynamic demands of privacy compliance without some form of outside assistance.
Compliance with privacy regulations centers on understanding how data is collected, processed, stored and transferred across the organization – and the globe. (The GDPR’s term for this data activity is a Record of Processing Activities [ROPA]; for other data privacy regulations, the concept is the same.) To have an effective ROPA, businesses need to understand how the data flows within and outside of the organization. Data mapping is not mandatory for building the ROPA, but it’s a powerful technique to understand key data processes within an organization.
To operate an effective data privacy program, organizations must:
- Develop a complete, detailed understanding of what the personal data is and how it is collected, processed, stored and transferred.
- Inventory data processing operations and supporting systems that collect, process and store the data.
- Explore how personal data flows throughout the organization.
- Identify current practices for protecting the data and ensure they’re in compliance with current data privacy policies.
- Demonstrate in a public way that privacy is a top priority.
- Build internal agreements and a customer-friendly communication plan to respond to consumer inquiries about privacy. (If the business expects a high volume of requests, automate these processes.)
As organizations are shifting from legally checking boxes for GDPR and other data privacy regulations to a practitioner’s approach, they are building out the foundation of privacy and deepening their understanding of data processes to allow them to meet their data privacy obligations and a true and effective operational manner. Exercises like data mapping allow them to bring the operational efficiency and effectiveness of their data privacy programs to life. To learn more, register to view the free on-demand version of our webinar at this link.
Read additional posts on The Protiviti View related to data privacy.