When the EU first passed the GDPR, some U.S. companies treated it as a “one and done” occurrence, never expecting to see comprehensive data privacy legislation on this side of the Atlantic (or anywhere else). As a result, many took the approach of simply segmenting their European data subjects, some even going so far as to move their EU resident data to completely separate systems. Then along came CCPA, and they had to start all over again.
Today more than 100 countries have data protection laws, and a majority of U.S. states are regulating some aspects of data privacy, with several looking to emulate California’s more comprehensive legislation. In a world where data privacy has become the new normal, survival depends not on “complying with this law or that law,” but on adopting an integrated strategy, as we discussed in a recent webinar with our partners at ASG Technologies, “A Framework for Data Privacy Survival.”
When we asked our webinar attendees which data privacy regulations they are currently focused on, we were pleased to see more than one-fifth of them (22 percent) respond “All of them!” By seeing data privacy as a comprehensive issue rather than a matter of complying with individual laws, these organizations are well positioned to adopt the integrated approach that will provide the flexibility they need to adapt to future requirements.
Laying the foundation
While every data privacy regulation differs slightly from the rest — for example, in definitions of personal data or in approaches to obtaining consent — all have one thing in common: providing transparency to your data subjects in terms of what personal data you have and what you are doing with it. And you can only be transparent if you first understand yourself what data you have, where it is, and how and why you’re processing it.
Data management is the foundation for a successful data privacy program, and there are several ways to go about it, depending on the size and complexity of your organization. The first step is finding out what data you have and where it’s located, which can be done manually, with a data discovery tool, through surveys, or with a combination of these methods. Unfortunately, many companies stop there instead of moving ahead to document how and why they process personal data.
When we work with clients on data privacy, we implement a step-by-step process that encompasses several key outputs, including system architecture diagrams, data flow diagrams, and a record of processing activities (ROPA) documenting how and why they process personal data. GDPR specifically requires the ROPA, but whether GDPR applies to your organization or not, you will still need this documentation to be transparent with your customers and to respond to regulatory inquiries.
With these outputs in place, the organization will have the insights it needs to move forward with requirements such as updating privacy policies, revising third-party contracts, and implementing procedures for accommodating data subject rights (such as the right to access or the right to be forgotten).