Is privacy easy to operationalize?
It’s been four years since the passing of GDPR made data privacy a key issue in global business conversations. Initially, many U.S. businesses were focused on getting their arms around the “what”—understanding what was required of them under GDPR and similar regulations. Starting in 2018, with the GDPR enforcement date and the enactment of CCPA, revised privacy notices and consent documentation filled our digital existence. But this was not enough.
Having spent decades helping Fortune 100 companies with enterprise architecture, large-scale systems integration and end-to-end data initiatives, we focused on the “how”—how to operationalize individuals’ new rights to control their personal information in an environment where many enterprises viewed data as “the new currency,” and most legacy information architectures were created with siloed lines of business, resulting in siloed data sets and data lifecycles. Thus, the challenge: how to operationalize enterprise data privacy programs in the traditional siloed enterprise architecture.
Fast forward to 2020. As we work with Fortune 100 companies that are trying to centralize and operationalize their data privacy programs across siloed lines of business, we often see gaps between the data privacy officer’s (DPO) vision and the ways different lines of business (LOBs) implement the guidelines they have received.
In other words, the DPO has a clear vision of data privacy readiness—the “what”—but LOBs are sometimes on their own to figure out the “how.” As a result, we’re seeing a lack of uniformity in how the DPO’s vision of the data privacy program is operationalized across the organization.
Besides eroding customer trust through inconsistent data handling practices, the operationalization gap can be expensive. Companies are being penalized not only for high-level infractions, but also for operational issues. Here are just a few of the issues that have led to large GDPR fines:
- Failure to restrict access to personal data (hospital in Portugal)
- Inadequate protection against data breaches (British Airways)
- Failure to adequately perform privacy due diligence in M&A activities (Marriott, in its acquisition of Starwood Hotels)
Here in the United States, even without a comprehensive federal privacy law, Facebook received a $5 billion fine from the FTC for violating consumers’ privacy by allowing improper access to personal information and failing to monitor third-party developers’ use of personal information. Over 60 privacy lawsuits have been filed in California and other states alleging CCPA violations, some as a direct cause of action and others as a basis for violations of other California laws, including negligence and laws governing unfair competition and health information.
The data privacy “vision gap” is real, and organizations must address it if they are to achieve and maintain data privacy readiness at the operational level.
In our discussions with siloed organizations, we see the data privacy vision gap resulting in two major challenges.
Lack of consistency
In many organizations, each LOB is approaching data privacy and protection differently with regard to its own (siloed) data sets. Granted, some LOBs are unique and require a discrete approach, but even in these cases, the approach must align with the DPO’s objectives even while it is being tailored to the business.
There is also the issue of differing levels of data privacy maturity across the various LOBs. Some are unclear on basic concepts, such as what constitutes personal information under the regulations—not realizing that the regulatory definitions of personal data are far broader than what most people intuitively think they are. A more complex issue is how to overlay the internal data privacy program guidelines onto day-to-day data use while preserving the LOB’s ability to continue pursuing its business goals.
Difficulties maintaining readiness
The other challenge that we see is in maintaining a state of data privacy readiness even if the LOB has a clear understanding of the full lifecycle of personal data. Many triggers, both internal and external to the business, can alter the data privacy ecosystem. Technology innovations, for example, may enable uses of data that differ from the uses specified in the organization’s consent documents or the original basis for obtaining the personal information. New service providers and data processors may be engaged, requiring alterations to the organization’s data map. Also, as the COVID-19 quarantine now requires many employees to work from home, new uses of technology can affect the ongoing accuracy of system inventories and data flows. Additionally, the regulatory landscape is always evolving, so a state of readiness one day may not hold true the next.
The way forward
Fortunately, businesses with a traditional, more siloed architecture need not implement major organizational changes to operationalize their data privacy programs. Here are some of the solutions that have proven successful in our work to help companies bring their LOBs in line with their DPOs’ visions of data privacy readiness.
Establish alliances between the DPO/legal, business, data management, and technology teams
In many organizations (at least here in the United States), the need for data privacy readiness has shone a spotlight on long-standing issues concerning information governance that touch on enterprise architecture and individual LOBs. Remember, “personal data” is just a subset of data. Businesses that have implemented master data management have already done some of the legwork necessary to operationalize their privacy programs, although data privacy readiness requires a broader definition of data subjects and of personal information. Some organizations have designated “privacy ambassadors” or “privacy champions” embedded in lines of business to improve communication and alignment with the DPO’s objectives. Ongoing training can help, particularly with solutions like gamification that can keep employees engaged and improve retention of information.
Leverage—but supplement—data privacy management software where appropriate
While no single tool can adequately cover the entire spectrum of privacy readiness, some data privacy management solutions can be effective in certain areas, such as providing basic data inventories and data maps to serve as a starting point. Even so, these tools are no substitute for personal interviews with business users who understand and interact with data sets on a regular basis. The interviews capture the business objective of data—what is being used and why. No matter how good a data inventory and mapping tool is, it will not be able to capture the business objectives of the data usage. The interviews also will uncover unstructured data and manual processes/data assets that may be missed by tools, including paper forms and other non-electronic information assets that can cause confusion about how to integrate those sources with the digital information flows. Tools also can be useful in helping to control access to digital personal data and ensuring that users have access only to the information necessary to do their jobs. For non-digital assets, businesses will need to implement physical access and security precautions.
Start at the point of intake …
Even large organizations have a limited number of LOBs that take in personal data, and those points of intake make good starting points for operationalizing your data privacy program. GDPR requires some organizations to create data privacy impact assessments (DPIAs) and Records of Processing Activities (RoPAs), and even when not required, these evaluations can be insightful in helping you understand what data is being collected, from whom, and why; where it is stored; who needs/has access to it, both inside and outside the organization; and how and when it is destroyed when no longer needed. The DPIA and RoPA will also be an invaluable reference when new data privacy laws are enacted.
Again, we stress the importance of conducting interviews with the individuals using the data, including third-party vendors and service providers, instead of making assumptions. Only then can you get a clear picture of the data intake process—including unstructured data such as information from paper forms—and how it impacts your data privacy program.
Starting at the data entry point also offers the opportunity to apply the principles of data minimization at the very beginning of the data lifecycle, and to understand how consent is being obtained and which uses of data are covered. Organizations can also begin establishing a cadence to their governance, determining how they will accommodate new data, new uses, new access, and new third-party processors and service providers into their data privacy programs.
… then move on to internal and external data consumers
Once the organization has a grasp on how personal data enters the organization, the next logical step is to find out how and why it is used and shared internally and externally. This step requires information—obtained via personal interviews whenever possible—from lines of business further down the data pipeline and from third-party processors and service providers. These insights enable you to create a complete picture of how data flows inside and outside your organization, providing the DPO with a valuable resource for making centralized decisions that affect all lines of business. Once each LOB has a complete picture of the full data lifecycle within its business unit, this information can be rolled into a single view so that the enterprise can monitor whether data processing is consistent with its guidelines. These individual LOB and combined data lifecycle pictures can then be rolled into an executive dashboard for LOB risk assessment that measures LOB risk scores, requests for access to data sets and other key measurements. The dashboards can also be a useful tool for process optimization, reducing the manual effort of data privacy maintenance by creating templates to streamline all potential processes.
Data privacy teams can lighten the administrative load that comes along with operationalizing and governing their data privacy program and maintain readiness at scale by fully automating repeatable tasks. This streamlined readiness will allow LOBs to focus on their day jobs. Here are a few use cases where automated solutions can be effective:
- Surveys for discovering whether new data or existing data is being used in new or different ways than originally identified
- Workflows for approving access to data
- Risk rules and audits for third-party vendors
- Notifications and reminders
- Flags for situations that require investigation by the DPO’s team
Once the data privacy program has been operationalized, the governance committee is responsible for ensuring that data privacy readiness can be sustained. Ideally, the committee comprises at least one representative from every area that handles personal information, with an appropriate meeting cadence to ensure adequate oversight. Its ongoing responsibilities may include:
- Evaluating survey results to monitor compliance among LOBs and determining whether further investigation is warranted
- Monitoring third-party data processors and service providers
- Ensuring that data privacy reviews are conducted as part of M&A due diligence
- Monitoring for external triggers that can impact privacy readiness, including new regulations, judicial clarifications of existing laws, and technology innovation
Data protection regulation has been evolving for years, and the evolution will continue. Here in the United States, we’ve only begun to scratch the surface of cross-industry privacy regulations, and more legislation is on the way. The California Privacy Rights Act (CPRA, also known as “CCPA 2.0”) is slated to appear on the state’s November ballot; if it passes, it will elevate data privacy to a human right in the United States, much like the EU has done, placing additional requirements on organizations that do business with California residents. Many other states have privacy legislation either on the books or in process, and federal representatives are continually proposing privacy bills.
As data privacy regulation grows, so does consumers’ awareness of how their personal data is being used. Trust is becoming an increasingly important factor in consumer decision-making, and customers will not hesitate to sever ties with providers who handle data irresponsibly.
If businesses are to keep up with the demands of both regulators and consumers, having a comprehensive data privacy program on paper is not enough. DPOs and their teams must work with internal lines of business and external service providers to ensure that data privacy is operationalized down to the smallest detail—and that governance is in place to maintain readiness in a continuously evolving environment.