Data Privacy Compliance
According to recent statistics, over 42% of the world's population is online and is spending an increasing amount of time there. But while current browsers and mobile devices help 3+ billion people get online, they also help many companies collect a great deal of data on individuals without those individuals' specific knowledge or permission. Growing concern over data security and consumer privacy has led to many laws that hold organizations that capture data accountable for how they share and manage their customer data.
The General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA, since amended by the CPRA) in the USA and Brazil's General Data Protection Law (LGPD) are examples of such laws aimed at consumer data privacy.
While such regulations are still in their infancy, and most lawsuits and fines so far have targeted data breaches and large organizations, a mind shift is happening among consumers, who now expect businesses to have good controls around how their data is collected and used.
- Don’t delay
Many of the new laws are non-prescriptive and vague, which makes tracking them a challenge in itself. What counts as personal information, how it should be managed and what rights data subjects have are defined loosely and left open to interpretation.
The definition of sensitive data also changes from one jurisdiction to another: trade union membership is a special category of data in Europe, whereas credit card numbers are not. A company may use these uncertainties as an excuse to delay its privacy and data security programs, but such delays can prove very costly.
- Don’t do regulatory whack-a-mole
Crafting a data privacy and protection program that meets the demands of a whole set of laws and regulations is hard but not impossible. An organization should first address the data management architecture requirements those laws have in common, the core principles, and only then the regulation-specific, checklist-style requirements. Once the basics are in place, the remaining technical needs can be addressed.
The 5 compliance keys
So what common requirements and principles should form the foundation of a data protection and privacy program? Here are five keys to data privacy compliance.
- Identify personal information
Identifying personal information is a requirement common to every one of these laws. That includes tracing the flow of personal data through every application in which it is shared or stored. Identification matters because many companies do not know what counts as personal information in the first place, and without that knowledge data protection cannot work.
Online identifiers such as cookie IDs, mobile device IDs and IP addresses are also treated as personal data by many privacy regulations. So it is essential to first establish what counts as personal data and where your organization stores it. The goal is not only an inventory of the data but an understanding of why you hold it and what you intend to do with it.
There are numerous data discovery solutions, and any of them can get you started with locating personal data in your organization. Your IT team can also supply a list of the systems known to hold personal data.
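As an added illustration of what a data discovery pass does (this is example code written for this page, not a product or the author's own tooling), the script below scans a constructed set of records pulled from several hypothetical systems and builds an inventory of which system and field holds which kind of personal data. It flags the online identifiers the paragraph above mentions (IP addresses, cookie IDs, device/advertising IDs) alongside emails and phone numbers; the record layout, system names, and the Google Analytics cookie format are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: records exported from several (hypothetical) systems.
# Every value here is made up for the example.
SAMPLE_RECORDS = [
    {"system": "crm", "field": "contact_email", "value": "jane.doe@example.com"},
    {"system": "analytics", "field": "client_ip", "value": "203.0.113.42"},
    {"system": "analytics", "field": "_ga", "value": "GA1.2.123456789.1700000000"},
    {"system": "support", "field": "note",
     "value": "Customer called from +1 415 555 0134 about order 88"},
    {"system": "inventory", "field": "sku", "value": "WIDGET-1000"},
    {"system": "mobile", "field": "advertising_id",
     "value": "38400000-8cf0-11bd-b23e-10b96e40000d"},
]

# Pattern-based detectors. The phone pattern is deliberately strict (country
# code, 3-3-4 groups) so that version strings and cookie values are not flagged.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d{1,3}[\s-]?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}\b"),
    # Device / advertising identifiers are commonly UUIDs.
    "uuid": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
    # Assumed layout of the Google Analytics "_ga" cookie value.
    "ga_cookie": re.compile(r"\bGA1\.\d\.\d+\.\d+\b"),
}


def classify_value(value: str) -> List[str]:
    """Return the kinds of personal data detected in a single field value."""
    found = [name for name, rx in PATTERNS.items() if rx.search(value)]
    # IP addresses are validated structurally rather than with a regex so that
    # dotted version numbers or out-of-range octets are not flagged.
    try:
        ipaddress.ip_address(value.strip())
        found.append("ip_address")
    except ValueError:
        pass
    return found


def discover(records) -> Dict[str, List[dict]]:
    """Build an inventory: system -> list of fields holding personal data."""
    inventory: Dict[str, List[dict]] = {}
    for rec in records:
        kinds = classify_value(rec["value"])
        if kinds:
            inventory.setdefault(rec["system"], []).append(
                {"field": rec["field"], "types": kinds})
    return inventory


if __name__ == "__main__":
    for system, fields in discover(SAMPLE_RECORDS).items():
        for f in fields:
            print(f"{system}.{f['field']}: {', '.join(f['types'])}")
```

The point of the inventory is the `system -> field -> type` mapping: it tells you not just that personal data exists but where, which is what the access-policy and deletion steps later in this list depend on. Regex detectors produce false positives on free text, so a real discovery run should sample values and have a human confirm each flagged field.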
Once you have identified the systems holding personal data, the next step is to ensure the data is secure and that a policy is in place for data access and sharing.
- Secure personal data against breaches and unauthorized access
Locking down centralized databases appropriately is the easy part of securing personal data. The real challenge is the customer data that sits at the fringes, outside those central stores.
Data security needs to cover data at rest, in databases and flat files, as well as data access. Many data leaks happen through insecure APIs or abuse of automated business logic: not only because APIs are often less protected, but also because they allow data to be read and extracted at high volume. The difficulty in securing personal data across a business is that many inter-departmental applications are designed to share data, and interfering with that can hamper productivity.
A better approach is to monitor how personal data is used and apply the policies in your organization's data protection plan. Protection of customer data should not stop at the boundary of the enterprise; it has to extend to third parties and partners, who must be monitored continuously for how they protect your customers' data.
With data security and access control in place, the third key is a solution that makes an individual's data available to them in response to an authorized request.
- Set up a system accountable for responding to customers' requests about their own data
This system should be able to gather a customer's information from across your organization in a scalable way: not only from your CRM, email marketing or customer service system, but from all systems, including those that collect data online. A manual process for finding that information is time consuming, and even more so when many people request it at the same time.
Visibility and automation matter most when handling user requests. Most organizations lack visibility into all their systems and therefore struggle to understand what data they have, where it is and in what form. They also lack automation, which makes the process even more cumbersome.
Additionally, which regulations apply depends on the customer's location and profile, so the solution should either provide the same experience and the same privacy rights to all your customers, or be able to determine which regulations apply to a customer based on their location.
Big tech companies such as Google and Facebook, which hold massive amounts of data on individuals, have built easy-to-use self-service systems: you can go into your Google or Facebook account and view or download the data they hold on you. With the right solution, that ease of use can be replicated in your enterprise. Such a solution not only helps you comply with privacy requests but also builds consumer trust and lifts your brand image.
- Create a reporting process
The privacy compliance system that gives visibility into all the personal data your business holds on an individual should also offer reporting and auditing mechanisms, and serve other regulatory requirements such as the ability to provide a copy of the data or to accept requests to correct it.
- Compliant data deletion
Another common norm in data protection is the right of individuals to have their personal data deleted or de-linked from them. Organizations must, however, take care not to delete data that regulations require them to retain.
The integrity of the database also needs to be maintained while deleting or de-identifying data, since orphaned records or dangling references cause problems for the data that remains within the organization.
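The two constraints in this key, a retention obligation that forbids deletion and foreign keys that must not be left dangling, are easiest to see in code. The following is an added example written for this page (not the author's or any vendor's implementation) using an in-memory SQLite database with a constructed schema: a `customers` table referenced by `orders`. The seven-year retention period for invoiced orders is an assumed, illustrative value. When a customer still has orders inside the retention window, the row is pseudonymized in place so the orders keep a valid reference; when nothing must be retained, child rows are removed before the parent so no foreign key dangles.

```python
import secrets
import sqlite3

RETENTION_YEARS = 7  # assumed for the example: invoiced orders kept 7 years


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample schema and data; every value is made up."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    con.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            email TEXT, full_name TEXT, phone TEXT, erased_at TEXT
        );
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            invoiced_on TEXT NOT NULL, amount_cents INTEGER NOT NULL
        );
        INSERT INTO customers VALUES (1, 'jane@example.com', 'Jane Doe', '+1 415 555 0134', NULL);
        INSERT INTO customers VALUES (2, 'sam@example.com', 'Sam Roe', NULL, NULL);
        INSERT INTO orders VALUES (10, 1, '2023-06-01', 4999);
        INSERT INTO orders VALUES (11, 2, '2010-01-15', 1200);
    """)
    return con


def has_retention_hold(con, customer_id: int, today: str) -> bool:
    """True if the customer has orders inside the retention window.

    Dates are ISO strings, so the cutoff is built by rewriting the year and
    compared lexically; this avoids leap-day arithmetic."""
    cutoff = f"{int(today[:4]) - RETENTION_YEARS}{today[4:]}"
    (count,) = con.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ? AND invoiced_on > ?",
        (customer_id, cutoff)).fetchone()
    return count > 0


def erase_customer(con, customer_id: int, today: str) -> str:
    """Honour an erasure request without breaking retention or integrity."""
    if has_retention_hold(con, customer_id, today):
        # Keep the row (so orders.customer_id stays valid) but strip every
        # identifying field; the random token is not derived from the person.
        token = secrets.token_hex(8)
        con.execute(
            "UPDATE customers SET email = ?, full_name = ?, phone = NULL, "
            "erased_at = ? WHERE id = ?",
            (f"erased-{token}@invalid", f"erased-{token}", today, customer_id))
        con.commit()
        return "pseudonymized"
    # Nothing to retain: remove child rows first, then the parent.
    con.execute("DELETE FROM orders WHERE customer_id = ?", (customer_id,))
    con.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    con.commit()
    return "deleted"


def customer_row(con, customer_id: int):
    return con.execute(
        "SELECT email, full_name, phone, erased_at FROM customers WHERE id = ?",
        (customer_id,)).fetchone()


def order_count(con, customer_id: int) -> int:
    (count,) = con.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()
    return count


def integrity_ok(con) -> bool:
    """SQLite's own check for dangling foreign keys: empty result means clean."""
    return con.execute("PRAGMA foreign_key_check").fetchall() == []


if __name__ == "__main__":
    db = build_sample_db()
    for cid in (1, 2):
        print(cid, erase_customer(db, cid, "2024-01-01"), customer_row(db, cid))
    print("integrity ok:", integrity_ok(db))
```

Pseudonymizing rather than deleting is the usual resolution when financial or legal records must outlive the relationship; the same `erased_at` marker can drive the reporting process from the previous key so that later access requests correctly report that the data is gone. A production version would also need to reach the copies of the data found by the discovery step (backups, exports, third-party processors), which a single-database example cannot show.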
Data privacy compliance is an important consideration for every business and is increasingly tied to brand trust and customer experience. With a solid foundation for the privacy program, each additional regulatory requirement takes less effort to meet.