The new California Consumer Privacy Act (CCPA) is shaping up to be the toughest privacy law in the U.S. Nymity’s Chief Global Privacy Strategist, Teresa Troester-Falk, discusses what organizations need to do to adapt to the changing U.S. privacy law landscape.
Would you find it surprising that almost half of privacy officers consider building a privacy program their top priority? Perhaps one would expect that privacy programs would have been built in the run-up to the GDPR compliance deadline (May 25, 2018). In our view, this is an indication that companies may be treating compliance as a tactical “checklist” project and are now struggling with how to handle the multitude of privacy laws that just keep coming.
The Need for Timely Compliance
If reporting on the status of your data privacy compliance has not yet become a focus or priority for your board, it soon will be. Corporations and, in particular, corporate directors have a number of responsibilities and liabilities as part of their compliance and oversight obligations. Privacy is becoming an increasingly important topic at the board table and shareholders are also holding their boards accountable. Just last year, a shareholder suit was launched against a U.S. public company and some of its officers and directors for allegedly making false and misleading statements to investors about the impact of privacy regulations and the third-party business partners’ privacy policies on the company’s revenue and earnings. While we expect GDPR compliance to remain high on the radar of corporate boards, focus will expand as organizations turn their attention to the United States with the passing of state-level privacy legislation in California and Nevada, as well as numerous other states with legislation in flight.
Challenges to Timely Compliance and Practical Solutions
What is standing in the way of accelerating time to compliance in your organization? The challenges privacy officers face typically fall into three categories: staying current on legislation, engaging the business and taking a “wait and see” attitude to upcoming legislation.
Challenge #1: Staying Current on Privacy Regulations/Legislation Across Multiple Jurisdictions
While a lot of attention has been on new legislation coming from across the U.S. and around the world, it is important to note that regulatory bodies are also updating existing laws on an ongoing basis.
Solution: This is one area where a software tool can be a big help in keeping up to date on laws and regulations in relevant jurisdictions. A research tool that pushes knowledge to you on relevant cases, legislation, regulatory activity and customized priority topics should be able to easily alert you to areas where your current program or compliance activities need adjustment, as well as provide insight into potential areas of future risk to your business. This can save internal staff countless hours of research time and, more importantly, it can save the cost of paying outside counsel to determine compliance activities.
Challenge #2: Embedding Privacy Responsibility into the Business
While privacy has become a more integral part of business planning and strategy, more than half of privacy professionals rated their business’ privacy knowledge at moderate to very low. Employees outside of the privacy charter may not only lack general awareness of internal policies and procedures, but also of the privacy landscape generally, and thus the impact and risks a lack of privacy compliance can pose to the business.
Solution: Using business-friendly language (not technical privacy “legalese”), articulate the roles and responsibilities of each business, priorities for compliance, the rationale and the impacts to the business if they get it wrong. Leveraging tools and methodologies that use the language of the business is an effective solution for clearly outlining privacy management activities that need to be implemented and documented. It also highlights any cross-functional dependencies to be considered in executing their privacy compliance tasks on an ongoing basis.
Challenge #3: Taking a “Wait and See” Approach to Compliance
The evolving privacy landscape from a regulatory perspective is murky and unpredictable to say the least. While overall we are seeing an increased sense of urgency from organizations, particularly as it relates to upcoming California Consumer Privacy Act (CCPA) compliance, there are those that are opting for a “wait and see” approach and delaying compliance efforts until ambiguities in the law are clarified and the amendment process is completed. If the GDPR taught us anything, it is that preparation is critical: the longer organizations wait, the harder it will be to meet compliance timelines, creating risk to your business.
Solution: The U.S. is not unique in introducing consumer data privacy rights. Approximately 113 countries and regions have data subject rights requirements as part of their laws. Many rights are common around the world and figure in well over 100 laws. These include transparency rights, correction requests, the right of access and right of deletion. Although there will be nuances from state to state (and even country to country), the core consumer rights around access and deletion will be the common denominator in the CCPA and other state and global laws – and the perfect place to get started.
Getting Started: Lessons from GDPR
If your company is required to be GDPR compliant, you likely already have key foundational elements that can be leveraged in CCPA compliance and other state laws dealing with data subject requests. For example, under Article 30 of the GDPR, you would have had to complete a record of processing activities (ROPA). Capturing the purposes of processing, categories of individuals and categories of personal data for GDPR can also be repeated for compliance with the CCPA, even though a full inventory is not required by law. You can easily extend your ROPA established under the GDPR to cover CCPA-specific elements, such as whether the data is sold to third parties.
Even if you have not completed this exercise for the GDPR, this is another great place to start preparing for state legislation, as it gives you the ability to communicate with the business in a language they will understand. It simplifies the process of identifying the data each business unit holds, the purpose of processing and which data is actually needed for that purpose (for example, payroll and benefits).
In preparing for CCPA and other state or global privacy regulations, corporations should not adopt a “wait and see” approach. Leveraging research tools to stay on top of legislative developments in near real time, engaging with the business in a conversation about risk in a language they can understand and taking advantage of the work you have done to address common denominators in data subject rights can go a long way in mitigating risk for your organization and, ultimately, minimizing your time to compliance.