Posts

Putting it All Together

In our first two installments of this blog series, we introduced the GDPR and CCPA, and helped you look inward at your organization to understand your company’s data protection practices. The grand plan, of course, is to move you from general awareness to restructuring your organization so it can thrive in the new era of digital data protection. That restructuring is the topic of today’s blog.  (And remember, at the end of this series, we’ll be publishing a full Insight on Data Privacy and Protection, so don’t forget to keep checking back!)

If you’ve done your due diligence, you’re reading this armed with a solid understanding of how data courses through your enterprise. You know how it enters, who touches it, what happens to it, where it goes, and how it’s expunged.  You know who is allowed to see it – or at least who is supposed to be allowed – and you understand the controls you have in place to manage it.  And you know what the GDPR and CCPA require in terms of new functionality: consumer contact tools, information disclosures, paper trails, etc.  Now it’s time make the material changes that will establish your company as compliant.

Writing new policies/controls can be time-consuming and complex, but shouldn’t be seen as a crisis.  You’ll probably engage a committee or have a leadership review, run through a few drafts as you find that the initial concept hits some technological snags, and ultimately come away with something robust and streamlined that fits fully with the privacy laws you’re trying to abide. When you’re comfortable with it, implement it. Everything you’ve done before is prologue – the main story starts now.

I’d be remiss if I didn’t mention one challenge you could face: for some companies, the cultural shift that goes hand-in-hand with these policies might be harder to manage than their actual rollout. For example, some companies have an informal, honor system-based access request process: Analyst Bob asks IT Kyle for access to ABC Widget’s customer database because he needs to do some work, and IT Kyle bops into Active Directory to grant it. While that works in the pre-GDPR world, it’s forbidden in the compliant one. Forcing Analyst Bob and IT Kyle to file a form, cite the proper business justification, and leave an easy-to-follow paper trail, could be jarring – and actually seen as a barrier to productivity.  Same with Marketer Sheila who wants to email a spreadsheet of contacts to Data Processor Tina at your subsidiary in Tacoma.  So you’ll need to work internally to demonstrate the value of the new processes, while acknowledging that things might not be as easy as they were in the wild frontier-land your old processes created.

Next, you’ll deploy your new contact forms, open an 800 number, and validate your information request and action certification forms. If all goes well, you are almost ready to open your doors to the new land of compliance.

Tune in next week for the final stop on this journey…

Knowledge is Power

A Guide to Data Privacy in the Era of GDPR, Part II

When last we left you, you were staring into the jungle of data protection laws known as the GDPR and CCPA. The question at hand was where to begin.

Charting a path through unknown territory, especially with these laws’ high stakes, seems like a daunting task. By reading this far, you’ve developed a sense of what’s ahead, and understand that making these changes is not going to be a quick weekend effort. But without a map to guide you, you can’t see your way to success. That said, it’s impossible to craft a good one right out of the gate; you’ll build your map as you head toward complete compliance. It all depends on your organization’s current state.

As the title of this post suggests, knowledge is powerful. You’ll need to thoroughly understand your company’s systems and practices to complete the hard work ahead. That’s how you should frame this first part of your data protection work: a survey of the terrain, and a discovery of what you don’t know about the consumer data in your care, and the structures that support it.

Think of it as an audit, but with a focus on system security, access privileges, and data sharing. Start by examining everything. Involve your IT teams, your security managers, your data analysts and more. Get to know exactly how your company works, and then document it. Because that’s the map you actually need, and the foundation for the work we’ll talk about in our next post.

Stay tuned for part three of this blog, and SIGMA’s upcoming Insight on the subject.

Welcome to the Jungle

A Guide to Data Privacy in the Era of GDPR, Part I

In 2018, the European Union enacted a regulation on the protection of personal data, and the free movement of such data, entitled the General Data Protection Regulation, or GDPR. It stands out as the most comprehensive and optimistic attempt to protect consumer data in the digital age. It establishes strict rules for data processing, details citizen’s rights regarding their data, and envisages a penalty structure for companies that act carelessly or in bad faith. Most importantly, this law started a conversation on data privacy that resonates globally, and which has already spawned the first American privacy bill, The California Consumer Privacy Act, or CCPA.

If you work with consumer data, there’s a good chance you’re already familiar with common privacy regulations, security best practices, and the potentially catastrophic consequences of a breach. The GDPR and CCPA raise the stakes, and are likely the first wave of an oncoming tide of similar laws. And while European companies have already largely reconfigured their practices to comply with the GDPR, many American companies haven’t. Multinationals are already playing by the new rules, but smaller companies – companies with only local ties and no contact with Europe – have yet to begin. For them, it’s the January 2020 enactment of the CCPA that turns this from a distant concern to an immediate need. Your company may not market widgets in the EU, but there’s a good chance that you’ve got data on at least one Californian widget buyer. That means the CCPA applies to you.

“But wait,” you say, “I run a little mom-and-pop operation in Des Moines, Iowa, and my website only gets 1,000 visitors a year, and I’m really not known outside my county. Surely none of this applies to me.”  It’s true that if you aren’t currently holding data on citizens covered by the laws, then you really don’t have anything new to comply with. But that doesn’t mean you can’t, and certainly doesn’t mean you shouldn’t. These two regulations are the first falling pebbles of a landslide of consumer protections that will eventually reach into every business in America – including those little shops in Des Moines. Consumers want to be protected, and business should want to protect them.

There is already a lot to unpack with GDPR and CCPA. They represent a formidable amount of work, like auditing and analyzing business practices, developing and testing systems and security controls, deploying new web sites and phone numbers, and establishing new ways of doing business. The timer is already running, accompanied by whispers of more new laws on the horizon. Companies need to start working today, and need to internalize what these laws represent, so that this workload doesn’t become a barrier to survival. It’s time to act.

That brings us to a critical question: where do we begin?

Stay tuned for part two of this blog, and an upcoming SIGMA Insight on the subject.