Why a data privacy strategy is vital for 2019
If you keep up with business and technology news, you probably encounter stories about the importance of data privacy on a daily basis. Protecting personal information is the new normal, and personal data privacy will be the most prominent issue affecting how businesses gather, store, process, and disclose data in 2019. Gartner includes data ethics and privacy on their list of the top 10 strategic technology trends of 2019, placing it on the same level as AI-driven development, blockchain, and edge computing.
The effects of data privacy legislation
Now that the EU and the state of California have established precedents for impactful data privacy laws, other countries and legislative bodies—including the U.S. Congress—are enacting or exploring their own options for protecting consumers’ personal information. As these trends continue, nearly every U.S. company will be subject to data privacy legislation in the near future.
The good news is that these data privacy regulations compel businesses to get a handle on personal data — how they get it, where they get it from, which systems process it, where it goes internally and externally, etc. In other words, the new norms of data privacy require proactive data management, which enables organizations to extract real business value from their data, improve the customer experience, streamline internal processes, and better understand their customers.
Why data privacy strategy is essential moving forward
Businesses that continue to ignore data privacy will likely find themselves involved in a costly, time-consuming game of catch-up in 2019. Here are four reasons why.
Reason 1: New Laws on the Horizon
Today the U.S. Congress is considering three federal data privacy and protection laws, and this year several states, including Colorado, South Carolina, and Vermont, passed their own legislation, with other states following suit. Some companies that are not covered by either GDPR or CCPA may believe that they can now relax, but if current trends continue, nearly every U.S. company will probably be subject to some kind of data privacy legislation in the near future.
Businesses also cannot rely solely on geography to determine whether data privacy laws apply to them. Any for-profit U.S. business with a website, for example, almost certainly collects personal data of California residents who visit its site, and it is therefore subject to CCPA if it meets any of the three threshold requirements (over $25MM adjusted gross income; processes personal information of 50,000 or more California consumers, households or devices; or derives at least 50 percent of its annual revenue from selling personal information).
While each law contains some unique specifications, we recommend a top-down approach to your privacy program, because the process of laying the groundwork for compliance is the same, and you don’t want to have to revisit it every time a new regulation is adopted. You need to find out exactly what personal data you have, how you gather it, where it’s located, what you do with it, and who (internally and externally) has access to it. Once you’ve completed those tasks, you will have a solid foundation for adjusting business and technical processes to comply with the specific privacy rights each regulation gives to individuals.
Reason 2: Customers (and Business Partners) Are Watching
The Facebook/Cambridge Analytica scandal was a wake-up call for millions of consumers regarding their personal data. Many of those customers are now thinking twice about the companies with whom they share personal data as part of their business transactions. Implementing tighter controls over personal data delivers the additional benefit of building trust among a company’s customers. As Gartner Fellow David Cearley puts it, “Ultimately an organization’s position on privacy must be driven by its broader position on ethics and trust. Shifting from privacy to ethics moves the conversation beyond ‘are we compliant’ toward ‘are we doing the right thing.’”
Consumers aren’t the only ones with a heightened awareness of personal data issues. Potential partners and acquirers will look for assurances that your company handles personal data securely and responsibly before doing business with you, whether you are covered by data privacy legislation or not.
Reason 3: CCPA’s One-Year Lookback Clause
Under CCPA, if a data subject asks a business to disclose the categories of her personal information that it has sold or disclosed, the company’s response must encompass all activity from the previous 12 months. If, for example, a customer calls in January 2020 with such a request, you would have to provide categories of all information sold or disclosed since January 2019. If your company is not currently tracking and categorizing activity regarding the sale or disclosure of personal data to prepare for these requests, now is the time to put those controls in place.
Reason 4: It’s Good for Business
Aligning with data privacy legislation requires proactive data management, which benefits your business on several levels:
- You’ll create a single source of truth that enables you to streamline internal processes and improve the customer experience.
- You can better understand which customers are most likely to interact with you and focus your marketing efforts on nurturing those relationships.
- You can eliminate the costs of storing useless data that your company collected “just in case we need it.”
- You can make better-informed decisions and start extracting real business value from your data.
Steps to Take Now
With the start of 2019 just a few months away and concerns over the use of personal information mounting worldwide, now is the time to make data privacy a priority. Here are a few steps you can take to prepare your company for the challenges that lie ahead:
- Evaluate the lifecycle of personal data in your organization — how it enters, which systems process it, where it goes internally and externally.
- Create a systems map and perform a data process inventory.
- Create procedures to prepare for requests for access, deletion, and transference to other providers.
- Ensure that all employees who handle personal information and customer inquiries are trained in the data privacy requirements for your organization and in the proper way to handle customer requests regarding personal data.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.