With extensive budgets and top-tier legal, compliance, and IT teams at their disposal, large organizations appear to be perfectly positioned to prepare for GDPR, CCPA, and other data privacy laws. Yet a recent survey reveals that, despite high levels of confidence in their preparedness for these regulations, many larger companies lack the understanding of their data lifecycle that an effective data privacy program requires.
The 2019 Data Privacy Maturity Study surveyed 258 U.S. companies with at least 500 employees (more than half have 5,000 or more) to evaluate how they manage personal data in light of new data privacy regulations. About 63 percent of respondents reported being “fully prepared” or “well prepared” for GDPR, while 46 percent said the same of their readiness for CCPA.
Organizations looking to prepare for data privacy regulations must first understand their entire data lifecycle. According to the study, many companies have gaps to fill in this area before they can be ready for compliance:
- Only 23 percent of respondents are “extremely confident” in their ability to accurately define what constitutes personal information — which calls into serious question the actual readiness of respondents who claim to be prepared for GDPR and CCPA.
- Nearly 45 percent need to access 50 or more data sources to get a defensible picture of where their sensitive data resides.
- About 45 percent review their personal data less than once a year … yet of those respondents, 40 percent are “very confident” or “extremely confident” that they know exactly where personal data resides.
Fortunately, organizations can address these shortcomings with sound data management strategies such as the following.
Know what—and whose—data you have
Before organizations can create and implement a personal data privacy readiness initiative, it’s essential that they understand the data involved, which requires clarity on a few key concepts:
- The definition of personal data according to the laws that apply to them
- A comprehensive picture of who their data subjects are
- Where that personal data is stored
- What personal data they are sharing with third parties
While implementing traditional master data management (MDM) can help businesses make progress towards data privacy readiness in terms of defining personal data and who their data subjects are, complying with today’s data privacy laws requires an expanded approach to customer data.
Personal data under GDPR, CCPA, and other data privacy laws extends far beyond traditional notions of “personally identifiable information” (PII) to include online behaviors, dynamic IP addresses, genetic and biometric data, identifiers provided by digital devices and applications, and other details not covered under previous regulations. Likewise, the definition of data subject covers far more than customers. Under current privacy laws, it can also include employees, partners, board members, joint venture partners, vendors/sub-contractors, marketing contacts, and sales leads/prospects.
Readiness for data privacy laws requires an understanding of the business processes involving personal data and the business reasons for sharing it with third parties, both of which require close collaboration between the business and IT.
Integrate your data sources
As the study indicates, personal data in large organizations can be scattered across a huge number of systems — for 13 percent of respondents, that number is 200 or more. If those systems are not integrated, fulfilling obligations under data privacy laws — such as honoring a customer’s request to delete her personal data — can become time consuming and costly.
By integrating cloud-based and on-premises systems that handle personal data, organizations take a first step toward a single source of truth that can support responses to data subject requests, consent management, and access control.
Implement a data privacy governance plan
Even if a business implements an effective data privacy readiness plan, reviewing the systems and processes that involve personal data less than once a year, as 45 percent of survey respondents reported doing, could render much of that hard work obsolete. With organizations and technologies in a constant state of change, a data privacy governance plan helps maintain data privacy readiness over time.
“Compliance” is a point in time; a company can be in compliance one moment and out of compliance the next. To maintain all aspects of an effective data privacy program, it’s essential to implement and operationalize a governance plan that includes at least quarterly checks for internal and external triggers that could impact compliance status, such as new regulations, new technologies, mergers/acquisitions, new data sources, etc.
Employee training and reinforcement, using tools such as gamification, are also key to ongoing readiness: a single mistake by an untrained employee can quickly put your organization out of compliance.
Bridging the gap
Businesses that are preparing for data privacy legislation, yet lack the required foundation of sound data management, could be headed for a rude awakening. Building this foundation, and a governance plan to keep it current, requires time, effort, and resources. The earlier an organization begins taking steps in the right direction, the better prepared it will be, not only for current data privacy laws but also for future regulations.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.
Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.