Corporate Compliance Insights

GDPR to CCPA and Beyond: Overcoming Challenges to Timely Privacy Compliance

Solutions to Mitigate Risk and Minimize Time to Compliance

by Teresa Troester-Falk
July 12, 2019
in Data Privacy, Featured

The new California Consumer Privacy Act (CCPA) is shaping up to be the toughest privacy law in the U.S. Nymity’s Chief Global Privacy Strategist, Teresa Troester-Falk, discusses what organizations need to do to adapt to the changing U.S. privacy law landscape.

Would you find it surprising that almost half of privacy officers consider building a privacy program to be their top priority? One might have expected privacy programs to have been built in the run-up to the GDPR compliance deadline (May 25, 2018). In our view, this is an indication that companies may be treating compliance as a tactical “checklist” project and are now struggling with how to handle the multitude of privacy laws that just keep coming.

The Need for Timely Compliance

If reporting on the status of your data privacy compliance has not yet become a focus or priority for your board, it soon will be. Corporations and, in particular, corporate directors have a number of responsibilities and liabilities as part of their compliance and oversight obligations. Privacy is becoming an increasingly important topic at the board table, and shareholders are also holding their boards accountable. Just last year, a shareholder suit was launched against a U.S. public company and some of its officers and directors for allegedly making false and misleading statements to investors about the impact of privacy regulations and of third-party business partners’ privacy policies on the company’s revenue and earnings. While we expect GDPR compliance to remain high on the radar of corporate boards, the focus will expand as organizations turn their attention to the United States with the passing of state-level privacy legislation in California and Nevada, as well as the numerous other states with legislation in flight.

Challenges to Timely Compliance and Practical Solutions

What is standing in the way of accelerating time to compliance in your organization? The challenges privacy officers face typically fall into three categories: staying current on legislation, engaging the business and taking a “wait and see” attitude to upcoming legislation.

Challenge #1: Staying Current on Privacy Regulations/Legislation Across Multiple Jurisdictions

While a lot of attention has been on new legislation coming from across the U.S. and around the world, it is important to note that regulatory bodies are also updating existing laws on an ongoing basis.

Solution: This is one area where a software tool can be a big help in keeping up to date on laws and regulations in relevant jurisdictions. A research tool that pushes knowledge to you on relevant cases, legislation, regulatory activity and customized priority topics should be able to easily alert you to areas where your current program or compliance activities need adjustment as well as provide insight into potential areas of future risk to your business. This can save countless hours of research time from internal resources and, more importantly, it can save the cost of paying outside counsel to determine compliance activities.

Challenge #2: Embedding Privacy Responsibility into the Business

While privacy has become a more integral part of business planning and strategy, more than half of privacy professionals rated their business’ privacy knowledge at moderate to very low. Employees outside of the privacy charter may not only lack general awareness of internal policies and procedures, but also of the privacy landscape generally, and thus the impact and risks a lack of privacy compliance can pose to the business.

Solution: Using business-friendly language (not technical privacy “legalese”), articulate the roles and responsibilities of each business, priorities for compliance, the rationale and the impacts to the business if they get it wrong. Leveraging tools and methodologies that use the language of the business is an effective solution for clearly outlining privacy management activities that need to be implemented and documented. It also highlights any cross-functional dependencies to be considered in executing their privacy compliance tasks on an ongoing basis.

Challenge #3: Taking a “Wait and See” Approach to Compliance

The evolving privacy landscape from a regulatory perspective is murky and unpredictable, to say the least. While overall we are seeing an increased sense of urgency from organizations, particularly as it relates to upcoming California Consumer Privacy Act (CCPA) compliance, there are those that are opting for a “wait and see” approach and delaying compliance efforts until ambiguities in the law are clarified and the amendment process is completed. If the GDPR taught us anything, it is that preparation is critical: the longer organizations wait, the harder it will be to meet compliance timelines, creating risk to your business.

Solution: The U.S. is not unique in introducing consumer data privacy rights. Approximately 113 countries and regions have data subject rights requirements as part of their laws. Many rights are common around the world and figure in well over 100 laws. These include transparency rights, correction requests, the right of access and right of deletion. Although there will be nuances from state to state (and even country to country), the core consumer rights around access and deletion will be the common denominator in the CCPA and other state and global laws – and the perfect place to get started.

Getting Started: Lessons from GDPR

If your company is required to be GDPR compliant, you likely already have key foundational elements that can be leveraged in CCPA compliance and other state laws dealing with data subject requests. For example, under Article 30 of the GDPR, you would have had to complete a record of processing activities (ROPA). Capturing the purposes of processing, categories of individuals and categories of personal data for GDPR can also be repeated for compliance with the CCPA, even though a full inventory is not required by law. You can easily extend your ROPA established under the GDPR to cover CCPA-specific elements, such as whether the data is sold to third parties.

Even if you have not completed this exercise for the GDPR, this is another great place to start preparing for state legislation, as it gives you the ability to communicate to the business in a language they will understand, simplifying the process of identifying the data, the purpose and what data they need for the purpose of processing (for example, payroll and benefits).

In preparing for CCPA and other state or global privacy regulations, corporations should not adopt a “wait and see” approach. Leveraging research tools to stay on top of legislative developments in near real time, engaging with the business in a conversation about risk in a language they can understand and taking advantage of the work you have done to address common denominators in data subject rights can go a long way in mitigating risk for your organization and, ultimately, minimizing your time to compliance.


Tags: California Consumer Privacy Act (CCPA), GDPR
Teresa Troester-Falk

Teresa Troester-Falk is Chief Global Privacy Strategist at Nymity and a thought leader in the privacy industry, helping identify the future needs of privacy professionals by engaging with customers, privacy and data protection regulators, key policy groups/think tanks and other privacy thought leaders. Teresa leads some of Nymity’s key accountability research initiatives and collaborates with other internal leaders to help innovate privacy accountability and compliance solutions and ensure organizational success. Teresa is co-responsible for Nymity’s external thought leadership; she authors Nymity whitepapers and other publications and regularly speaks at conferences, advanced privacy forums and on webinars. Teresa has over 20 years of experience in law, including 14+ years as a global privacy professional. Prior to joining Nymity, she served as Associate General Counsel (Privacy) for Nielsen, where she expanded the global privacy program, initiated and led key global and regional privacy and data protection programs and strategies, and drove the relationships across internal and external stakeholders to advance the company’s privacy agenda.
