Posts

SIGMA Insight: Personal Data Privacy in the Age of GDPR

In 2018, the European Union's regulation on the protection and use of personal data, the General Data Protection Regulation (GDPR), took effect. Its influence is global, and it has already spawned the first comprehensive American consumer privacy law, the California Consumer Privacy Act (CCPA). Both share the same premise: personal data should be treated with care and kept sacred.

For our full take on the legislation, and how you can navigate your journey to compliance, download our Insight below.

We are providing this Insight as a framework for you to use as you consider the impact digital privacy laws have on your business goals. We present you with several facts and crucial actions you need to take as you confront data privacy challenges.

Here is just a taste:

What are these laws?

The most salient points of both regulations include protection of personal information, transparency, control, and remedy for misuse.

When should I be concerned?

The GDPR is already in effect in the EU, and the CCPA takes effect in California on January 1, 2020, with similar regulations likely to emerge across the US digital landscape soon after.

Who needs to be involved?

Since nearly all employees touch some piece of sensitive information, all of them should know their company's privacy and security practices. The regulations also give consumers new rights and tools to manage their data, and companies face substantial financial penalties for violating them. So what can you do about it?

To get ready, there are several steps to take.

  1. Build your team

Your data team and Data Protection Officer (DPO) should build a formidable knowledge base on all things compliance, and a complete understanding of the "who, what, where, how" questions about the data lifecycle. (The GDPR makes a DPO mandatory only for certain organizations, such as those whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data, but any company that handles consumer data benefits from naming one.)

  2. Update your data security model
  3. Test, test, test!

Implement and test to make sure what’s written in policy works in practice.

  4. Enable consumer controls

Customers should be empowered to decide whether, and how, companies use their information.

  5. Rethink action methodologies

Companies must honor every valid data privacy request without bankrupting themselves in the process. Second, every company in the custody chain needs to communicate with the others. Finally, you need to be able to prove that you honored each request.

  6. Protect the custody chain

It’s up to compliant companies to eliminate the weak links in the chain of custody by denying work to non-compliant companies.

Attention to detail is needed as companies walk the path to compliance. If you can’t manage the process by yourself, SIGMA can lead you to your future state of complete compliance.

 

Download our SIGMA Insight


Compliance: The Final Frontier

A Guide to Data Privacy in the Era of GDPR, Part IV

Our three previous blogs have delivered you to the shore of a new world – one where consumers can see and control what happens to their digital presence, and where companies are expected to actively protect, serve, and empower them. You’re on the cusp of compliance: you’ve built the necessary policies and processes, and have cultivated a compliance-positive culture within your organization. Stepping onto that shore is stepping into the future, and the future is where true compliance lies.

So far, our focus has been on making material changes to your business. But we have approached them as point-in-time efforts; we didn’t pay much attention to the living nature of the future work they represent.  The new concepts of data protection and compliance live and breathe.  They evolve over time, which means that your company, and everything you’ve just built, needs to as well.

So how do you meet this challenge?  How do you stay compliant?

In the simplest terms, there are three aspects of GDPR, CCPA, and beyond that need constant focus and care:

  1. Co-managing consumer data with your partners
  2. Assisting your partners with their compliance practices
  3. Keeping your business in sync with new and evolving laws

We’ll delve more deeply into these topics in the SIGMA Insight, but I still want to emphasize their importance here.  If your efforts stop at your company’s border, and only your link in the data chain is strong, then you and all your partners won’t achieve compliance.  This is an opportunity for your company to become a leader in the space.  That’s what we have done here at SIGMA.

Your company must provide a guiding hand to all your partners. Test and question their practices, suggest improvements, and be firm when you need to.  It's okay to refuse to work with partners who can't or won't follow these laws; in fact, the GDPR requires it, since Article 28 allows a controller to use only processors that provide sufficient guarantees of compliant processing, under a written contract. Lead by example and share what you know, and if necessary, flex your muscles at contract time. Make it known that you'll only partner with companies who take consumer protection as seriously as you do, and who strive to be good digital guardians of the consumer information we know to be dearest.

When it comes to actions you take on behalf of a consumer, make sure you share what you’ve been told to do, whenever you’re told to do it.  Keep an open hotline to your partners, and again be a leader who ensures that everyone works in concert when there’s a data task in the offing.
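The hand-off this paragraph describes, together with the "prove that you honored each request" point from the Insight's "Rethink action methodologies" step, is easier to reason about as a record than as a principle. The following is an added example, not code from SIGMA or the Insight. It assumes a deletion request that must be fanned out to every processor in the custody chain, that each processor holds a secret pre-shared with the controller and confirms completion with an HMAC-SHA256 receipt over the request id, its own name and the completion date (so the controller cannot manufacture its own proof), and that the GDPR's "one month" response window is approximated as 30 days and the CCPA's as 45. The processor names, secrets, request id and dates are constructed.

```python
"""Track one data-subject request across the custody chain and prove it was honored.

Added example, not code from SIGMA or the Insight. Assumptions: each processor
holds a secret pre-shared with the controller and confirms completion with an
HMAC-SHA256 receipt over (request id, processor name, completion date); the
GDPR's "one month" response window is approximated as 30 days and the CCPA's
as 45 days, both counted from receipt of the request.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}   # assumption: one month ~ 30 days


@dataclass
class Receipt:
    processor: str
    completed_on: date
    mac: str                 # hex HMAC-SHA256 computed by the processor


@dataclass
class Request:
    request_id: str
    subject_ref: str         # pseudonymous reference, never the raw identity
    regime: str              # "GDPR" or "CCPA"
    received_on: date
    processors: list         # every party in the custody chain holding the data
    receipts: dict = field(default_factory=dict)

    @property
    def deadline(self) -> date:
        return self.received_on + timedelta(days=DEADLINE_DAYS[self.regime])


def receipt_message(request_id: str, processor: str, completed_on: date) -> bytes:
    return f"{request_id}|{processor}|{completed_on.isoformat()}".encode()


def sign_receipt(secret: bytes, request_id: str, processor: str, completed_on: date) -> str:
    """Processor side: produce the completion receipt the controller keeps as proof."""
    msg = receipt_message(request_id, processor, completed_on)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def record_receipt(req: Request, receipt: Receipt, secret: bytes) -> bool:
    """Controller side: keep a receipt only if it names a known processor and verifies."""
    if receipt.processor not in req.processors:
        return False
    expected = sign_receipt(secret, req.request_id, receipt.processor, receipt.completed_on)
    if not hmac.compare_digest(expected, receipt.mac):
        return False
    req.receipts[receipt.processor] = receipt
    return True


def status(req: Request, today: date) -> dict:
    """Is the request provably honored end to end, and was every link done in time?"""
    missing = [p for p in req.processors if p not in req.receipts]
    late = [p for p, r in req.receipts.items() if r.completed_on > req.deadline]
    return {
        "deadline": req.deadline.isoformat(),
        "missing": missing,                       # no verifiable receipt yet
        "late": late,                             # receipt exists but past the window
        "honored": not missing and not late,
        "overdue": bool(missing) and today > req.deadline,
    }


# Constructed scenario: a CCPA deletion request and three processors (names invented).
SECRETS = {"crm-vendor": b"k1", "email-vendor": b"k2", "tacoma-subsidiary": b"k3"}


def demo() -> dict:
    req = Request("DSR-2020-0042", "subj-000917", "CCPA", date(2020, 1, 6),
                  processors=list(SECRETS))
    # Two processors confirm deletion inside the window.
    for name, done in (("crm-vendor", date(2020, 1, 10)), ("email-vendor", date(2020, 2, 3))):
        mac = sign_receipt(SECRETS[name], req.request_id, name, done)
        assert record_receipt(req, Receipt(name, done, mac), SECRETS[name])
    # A receipt the controller cannot verify is not proof and is rejected.
    forged = Receipt("tacoma-subsidiary", date(2020, 1, 8), "00" * 32)
    assert not record_receipt(req, forged, SECRETS["tacoma-subsidiary"])
    return status(req, today=date(2020, 3, 1))


if __name__ == "__main__":
    print(demo())
```

The point of the receipt is that "honored" is only true when every link in the chain has produced proof the controller can check; a silent or unverifiable partner leaves the request open, and once the deadline passes it is the controller, not the partner, who is overdue.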

Finally, and as important as anything we’ve done on this journey, keep your eyes and ears open for everything new that’s coming. In January 2020, you’ll be compliant with 2018 GDPR and ready for CCPA 1.0.  But you need to be ready for the possible 2020 and beyond GDPR revisions, CCPA 1.5 and 2.0, and whatever new state, federal, and world laws are announced in February, June, and December. Keep your data protection team activated, and be ready to leverage everything you’ve already learned to keep yourself ahead of the curve.

Thanks for taking this journey with us. Be sure to read our upcoming SIGMA Insight for an in-depth look at all things GDPR and CCPA, and how your company can join SIGMA as champions of consumer data protection.

Putting it All Together

In our first two installments of this blog series, we introduced the GDPR and CCPA, and helped you look inward at your organization to understand your company’s data protection practices. The grand plan, of course, is to move you from general awareness to restructuring your organization so it can thrive in the new era of digital data protection. That restructuring is the topic of today’s blog.  (And remember, at the end of this series, we’ll be publishing a full Insight on Data Privacy and Protection, so don’t forget to keep checking back!)

If you’ve done your due diligence, you’re reading this armed with a solid understanding of how data courses through your enterprise. You know how it enters, who touches it, what happens to it, where it goes, and how it’s expunged.  You know who is allowed to see it – or at least who is supposed to be allowed – and you understand the controls you have in place to manage it.  And you know what the GDPR and CCPA require in terms of new functionality: consumer contact tools, information disclosures, paper trails, etc.  Now it’s time to make the material changes that will establish your company as compliant.

Writing new policies and controls can be time-consuming and complex, but shouldn’t be seen as a crisis.  You’ll probably engage a committee or have a leadership review, run through a few drafts as you find that the initial concept hits some technological snags, and ultimately come away with something robust and streamlined that fits fully with the privacy laws you’re trying to abide by. When you’re comfortable with it, implement it. Everything you’ve done before is prologue – the main story starts now.

I’d be remiss if I didn’t mention one challenge you could face: for some companies, the cultural shift that goes hand-in-hand with these policies might be harder to manage than the actual rollout. For example, some companies have an informal, honor-system access request process: Analyst Bob asks IT Kyle for access to ABC Widget’s customer database because he needs to do some work, and IT Kyle bops into Active Directory to grant it. That worked in the pre-GDPR world, but it can’t be defended in the compliant one: the GDPR’s accountability principle means you must be able to show who was granted access to personal data, by whom, on what business justification, and when, and an undocumented chat followed by a directory edit shows none of that. Forcing Analyst Bob and IT Kyle to file a form, cite the proper business justification, and leave an easy-to-follow paper trail could be jarring, and may even be seen as a barrier to productivity.  The same goes for Marketer Sheila, who wants to email a spreadsheet of contacts to Data Processor Tina at your subsidiary in Tacoma.  So you’ll need to work internally to demonstrate the value of the new processes, while acknowledging that things might not be as easy as they were in the wild frontier your old processes created.
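One way to make the paper trail enforceable rather than merely requested is to reconcile what the directory actually did against what the access register approved. The following is an added example, not code from SIGMA or the Insight. It assumes that group-membership grants are available as Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group) exported to dicts, and that the new process records each approval in a register with a ticket id, grantee, group, business justification, approver and approval time. The users, groups, tickets, timestamps and the seven-day ticket validity window are all constructed assumptions.

```python
"""Reconcile directory group grants against the access-request register.

Added example, not code from SIGMA or the Insight. Assumptions: grants arrive as
Windows Security events 4728/4732/4756 exported to dicts, and approvals live in a
register with ticket, grantee, group, justification, approver and approval time.
Users, groups, tickets and timestamps below are constructed.
"""
import re
from datetime import datetime, timedelta

MEMBER_ADDED_EVENTS = {4728, 4732, 4756}   # global, local, universal security group
MAX_TICKET_AGE = timedelta(days=7)         # assumption: an approval must be used within a week

# Constructed register: the paper trail the new process requires.
REGISTER = [
    {"ticket": "ACC-1043", "grantee": "bob", "group": "ABC-Widget-CustomerDB-Readers",
     "justification": "Q4 churn analysis for ABC Widget, project P-311",
     "approver": "dana", "status": "approved", "approved_at": "2019-11-01T15:40:00"},
    {"ticket": "ACC-1051", "grantee": "kyle", "group": "Domain Admins",
     "justification": "", "approver": "", "status": "pending", "approved_at": ""},
]

# Constructed security-log sample shaped like the 4728 event fields.
EVENTS = [
    {"EventID": 4728, "TimeCreated": "2019-11-04T09:12:00", "SubjectUserName": "kyle",
     "MemberName": "CN=bob,OU=Analysts,DC=corp,DC=example",
     "TargetUserName": "ABC-Widget-CustomerDB-Readers"},
    {"EventID": 4728, "TimeCreated": "2019-11-04T11:02:00", "SubjectUserName": "kyle",
     "MemberName": "CN=sheila,OU=Marketing,DC=corp,DC=example",
     "TargetUserName": "Marketing-Contact-Exports"},
    {"EventID": 4728, "TimeCreated": "2019-11-05T08:30:00", "SubjectUserName": "kyle",
     "MemberName": "CN=kyle,OU=IT,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4624, "TimeCreated": "2019-11-05T08:31:00", "SubjectUserName": "kyle"},
]


def cn_of(dn: str) -> str:
    """Pull the CN out of a distinguished name; fall back to the raw value."""
    m = re.match(r"CN=([^,]+)", dn)
    return (m.group(1) if m else dn).lower()


def matching_ticket(register, grantee, group, when):
    """An approved, justified ticket for this grantee/group, still fresh at grant time."""
    for t in register:
        if t["status"] != "approved" or not t["justification"].strip():
            continue
        if t["grantee"].lower() != grantee or t["group"].lower() != group.lower():
            continue
        approved = datetime.fromisoformat(t["approved_at"])
        if approved <= when <= approved + MAX_TICKET_AGE:
            return t
    return None


def reconcile(events, register):
    """One finding per grant event: OK with its ticket, or UNAPPROVED."""
    findings = []
    for e in events:
        if e.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue                      # logons and other noise are not grants
        grantee = cn_of(e["MemberName"])
        when = datetime.fromisoformat(e["TimeCreated"])
        t = matching_ticket(register, grantee, e["TargetUserName"], when)
        findings.append({
            "time": e["TimeCreated"],
            "actor": e["SubjectUserName"],
            "grantee": grantee,
            "group": e["TargetUserName"],
            "ticket": t["ticket"] if t else None,
            "verdict": "OK" if t else "UNAPPROVED",
            "self_grant": e["SubjectUserName"].lower() == grantee,
        })
    return findings


def unapproved(events, register):
    """Everything an auditor would ask about: no ticket, or an admin granting himself."""
    return [f for f in reconcile(events, register) if f["verdict"] != "OK" or f["self_grant"]]


if __name__ == "__main__":
    for f in reconcile(EVENTS, REGISTER):
        print(f["verdict"], f["time"], f"{f['actor']} added {f['grantee']} to {f['group']}",
              f["ticket"] or "(no ticket)", "SELF-GRANT" if f["self_grant"] else "")
```

Bob's grant is backed by ticket ACC-1043 and passes; Sheila's has no ticket at all; Kyle's grant to Domain Admins has only a pending, unjustified ticket and is also a self-grant, which is worth a separate flag regardless of paperwork. Run on a day's exported events, this is the check that turns "file a form" from a request into something the security team can verify.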

Next, you’ll deploy your new contact forms, open an 800 number, and validate your information request and action certification forms. If all goes well, you are almost ready to open your doors to the new land of compliance.

Tune in next week for the final stop on this journey…

Knowledge is Power

A Guide to Data Privacy in the Era of GDPR, Part II

When last we left you, you were staring into the jungle of data protection laws known as the GDPR and CCPA. The question at hand was where to begin.

Charting a path through unknown territory, especially with these laws’ high stakes, seems like a daunting task. By reading this far, you’ve developed a sense of what’s ahead, and understand that making these changes is not going to be a quick weekend effort. But without a map to guide you, you can’t see your way to success. That said, it’s impossible to craft a good one right out of the gate; you’ll build your map as you head toward complete compliance. It all depends on your organization’s current state.

As the title of this post suggests, knowledge is powerful. You’ll need to thoroughly understand your company’s systems and practices to complete the hard work ahead. That’s how you should frame this first part of your data protection work: a survey of the terrain, and a discovery of what you don’t know about the consumer data in your care, and the structures that support it.

Think of it as an audit, but with a focus on system security, access privileges, and data sharing. Start by examining everything. Involve your IT teams, your security managers, your data analysts and more. Get to know exactly how your company works, and then document it. Because that’s the map you actually need, and the foundation for the work we’ll talk about in our next post.

Stay tuned for part three of this blog, and SIGMA’s upcoming Insight on the subject.

Welcome to the Jungle

A Guide to Data Privacy in the Era of GDPR, Part I

In 2018, the European Union's regulation on the protection of personal data and the free movement of such data, the General Data Protection Regulation (GDPR), took effect (it was adopted in 2016, with a two-year transition period). It stands out as the most comprehensive and optimistic attempt to protect consumer data in the digital age. It establishes strict rules for data processing, details the rights of data subjects (the people the data is about, whether or not they are EU citizens) regarding their data, and sets out a penalty structure for companies that act carelessly or in bad faith. Most importantly, this law started a conversation on data privacy that resonates globally, and which has already spawned the first comprehensive American consumer privacy law, the California Consumer Privacy Act (CCPA).

If you work with consumer data, there’s a good chance you’re already familiar with common privacy regulations, security best practices, and the potentially catastrophic consequences of a breach. The GDPR and CCPA raise the stakes, and are likely the first wave of an oncoming tide of similar laws. And while European companies have already largely reconfigured their practices to comply with the GDPR, many American companies haven’t. Multinationals are already playing by the new rules, but smaller companies – companies with only local ties and no contact with Europe – have yet to begin. For them, it’s the January 2020 effective date of the CCPA that turns this from a distant concern to an immediate need. Your company may not market widgets in the EU, but there’s a good chance you’ve got data on at least one Californian widget buyer. That may well bring you under the CCPA, which as enacted covers for-profit businesses that meet any of three thresholds: more than $25 million in annual gross revenue, personal information of 50,000 or more consumers, households or devices, or half or more of annual revenue from selling personal information. Check those thresholds before assuming you’re out of scope.

“But wait,” you say, “I run a little mom-and-pop operation in Des Moines, Iowa, and my website only gets 1,000 visitors a year, and I’m really not known outside my county. Surely none of this applies to me.”  It’s true that if you aren’t currently holding data on people covered by the laws (people in the EU under the GDPR, California residents under the CCPA), then you really don’t have anything new to comply with. But that doesn’t mean you can’t, and certainly doesn’t mean you shouldn’t. These two regulations are the first falling pebbles of a landslide of consumer protections that will eventually reach into every business in America – including those little shops in Des Moines. Consumers want to be protected, and business should want to protect them.

There is already a lot to unpack with GDPR and CCPA. They represent a formidable amount of work, like auditing and analyzing business practices, developing and testing systems and security controls, deploying new web sites and phone numbers, and establishing new ways of doing business. The timer is already running, accompanied by whispers of more new laws on the horizon. Companies need to start working today, and need to internalize what these laws represent, so that this workload doesn’t become a barrier to survival. It’s time to act.

That brings us to a critical question: where do we begin?

Stay tuned for part two of this blog, and an upcoming SIGMA Insight on the subject.