Corporate Compliance Insights

Taking Shelter From the Perfect Data Privacy Storm

Preparing for the Collision of GDPR, CCPA and Global Regulation

by Sandra Erez
November 21, 2019
in Data Privacy, Featured

Continually evolving data privacy legislation has put three approaching storm fronts on a collision course. Sandy Erez stresses that corporations should chart the unknown terrain to avoid ending up in the public eye of that potential “perfect storm.”

A Legislative Storm is Brewing: Take Shelter Under Your Data Privacy Umbrella Before It Hits

The consumer is king, and we are all subjects – data subjects, that is! But for corporations caught with their data breeches down, the treatment is anything but royal. As one big fish after another (Marriott, British Airways, Equifax, etc.) is called out for exposing their consumers’ privacy parts, everyone else is scrambling to make sure they don’t become the next breached whale to wash up on the rocky shores, coughing up huge sums of money.

Early Storm Warnings in the EU: Isn’t Everyone Ready?

The General Data Protection Regulation (GDPR) was adopted in April 2016 with the expectation and requirement that it be fully implementable in the EU countries by May 2018. But did that happen?

The truth is, although GDPR splashed onto the EU scene, making huge waves in data protection awareness, it only had a ripple effect when it comes to responsiveness and readiness in meeting the practical side of this compliance challenge.

According to a McDermott and Ponemon Institute survey, despite making investments to bring on data protection personnel and implementing new business practices, only 18 percent of companies surveyed were highly confident in their ability to communicate a reportable breach within 72 hours – and that is just the EU!

It seems the soft underbelly of the GDPR beast is the reporting requirement, which remains difficult to get right. Apparently, neither over-reporting nor under-reporting to regulators is a good thing, and mandatory reporting to data subjects might just lead to increased class-action litigation. It appears that the foggy atmosphere is forcing people to tread cautiously to avoid unforeseen financial and reputational sinkholes.

Reading the “Whether” Maps in The United States

On the other side of the world, in hot pursuit of similar legislation, the United States is also watching the “whether” – meaning whether or not pending bills will pass. Not willing to wait for a federal law to be drafted and passed to fit one and all (a seemingly impossible feat), states are bypassing the government dinghy and ferociously pushing their own data privacy agendas ahead.

Presently, around 25 states have privacy laws (dealing with government and private entities or both) – with hundreds more bills brewing in the clouds of Congress. Only when the legislation rains down will their fate be decided – so when and if these bills are passed, U.S. companies will need to navigate through city, state and potentially federal laws for their legal obligations with regard to notices, transparency, information security, data subject rights and more.

At the same time, their own terrain is rife with legislative landmines that could explode at any moment. U.S. companies will need to hold on to their hats, because the gales of GDPR are also at their back! Two storm fronts are colliding… which brings me to the next and third key storm front: ecosystems.

Global Forecast: Cloudy with a Strong Chance of Uncertainty

No good meteorologist will prepare their local forecast without first examining global activity, and that goes for data privacy storm chasers as well. Most companies in our global, data-centric economies now operate as “extended enterprises” in that their data tributaries are criss-crossing any number of local, national and international borders. Uncertainty as to how the pieces fit together, along with the continuing uptick in regulations, will precipitate difficulties in being able to work with clients, suppliers and contractors, each in their own data regimes.

This is no tempest in a teapot – just stir China’s Cybersecurity Law with a sprinkling of the California Consumer Privacy Act and serve it to the GDPR-brewed U.K. … and you get the picture. You don’t want to wade through that legislative swamp without a guide. And it’s only going to get more complicated.

Minimize the Damage as You Would for Any Storm: Batten Down the Hacks and Prepare

Now that the covert uses of corporate data have been sprung from lock and key, boards and management are quaking in their boots (or galoshes and wellies, depending on their location), knowing there is no way to stem the tide of oncoming legislation. The following are some protective measures to minimize the risk:

  1. Board up Your Data Privacy Windows – Board members need to have a direct window into the risk elements pertinent to extended enterprise operations, including knowledge of the level of controls at third- and fourth-party entities. Moreover, now that risk comes with personal liability (lawsuits have been filed against directors and other individuals), board members and management must be trained properly on the topic, as well as being privy to clear, understandable reporting on the situation.
  2. Use Ethics as Your Guiding Light – There is no doubt it will be difficult to maneuver through hundreds of U.S. and global data privacy laws. One way to cut through the fog might be to shift the company’s sights from being compliance-driven to ethics-driven. Doing right by the customer should fit with any legislation, whether it be baseline or comprehensive (prescriptive), rights-based, risk- and harms-based and/or accountability-based. Anchoring business practices in ethics and brand values will ensure internal and external human interests are equally balanced.
  3. Double-Check Your Technology – If you are developing products, remember that privacy by design will over time become synonymous with product excellence. That means including considerations for owning the data life cycle and documenting the associated risks. If you are procuring technologies – bots, for example – make sure you have a clear understanding of the data risk profile before implementation.
  4. Collaborate and Data Map – In order for decision-makers to understand the full consequences of both utilizing and not utilizing data, it is critical that all relevant stakeholders and departments (legal, security, senior management, IT, business, etc.) share, assess, consult and collaborate between themselves. This also includes knowing where company data lives, how it flows, what you are doing with it and why you have it.

Storm Warnings are Elevated and in Effect: Take Action

The word is out: Consumers, no longer blindly loyal to their brands, have taken up the cause of data privacy, and it is their advocacy that is driving the laws and regulatory changes. If the news is any indication, corporations dragging their feet in comprehending the severity of not knowing their way around the data privacy landscape will continue paying for it heavily.

You want to be safe? Get familiar with your data vehicle (it might be your lifeboat!) and always expect the unexpected legislation to fall from the sky.

And keep your breeches buttoned tight.


Tags: California Consumer Privacy Act (CCPA), GDPR
Sandra Erez

Sandra Erez is Director of Global Compliance at VinciWorks, a leading provider of risk-based compliance training and software solutions. Recognizing that organizations need to go beyond ‘tick the box’ compliance in a global and highly dynamic regulatory environment, VinciWorks is on a mission to reinvent the impact that best practice compliance solutions will make in solving real compliance issues in real time.