2 steps to focusing on privacy

With the California Consumer Privacy Act (CCPA) coming into effect on January 1st, this may very well be the year privacy compliance tops the list of priorities for many organizations.

Of course, this is not the first time privacy has been in the news in recent years. In 2018, the EU’s General Data Protection Regulation (GDPR) shook the world and gave us a taste of the changing expectations for data security and privacy. Since then, several U.S. states like Vermont and Nevada have introduced data privacy protections for their residents.

Still, CCPA is probably the most comprehensive privacy legislation so far in the U.S., and it is definitely not the last one we will hear about – numerous states are exploring their own new privacy legislation to follow suit. Additionally, recent and upcoming cybersecurity-related acts from New York, Massachusetts, Oregon, Texas and many other states also impact considerations for how organizations store, access and handle private data.

So, how do you not just survive, but thrive in this new reality?

Step 1: Change your mind(set)

Most privacy legislation is rooted in the core principle that no organization “owns” an individual’s personal data. This, of course, is at odds with decades of actual business practices – we’ve become accustomed to thinking of individuals as “our” customers, patients, students or constituents, and any of the data we collect on them as “our” data.

In fact, most organizations would probably count customer data as one of the most valuable assets they own.

Rather than thinking of ourselves as owners of this data, privacy regulations instead want us to think of ourselves as its temporary custodians or keepers. Just as you are a temporary keeper of a rental car, a hotel room or those bowling alley shoes, your organization is temporarily using the individual’s private data to accomplish a business purpose. And, just as with those items, you are expected to take reasonable care with personal data, protect it from undue harm and relinquish control once you are done.

Sounds simple, but getting there will take some doing.

Under today’s regulations, personally identifiable information (PII) is not only Social Security numbers and financial information. It is also email, mail and IP addresses; usernames and passwords; GPS location; health information; behavioral and affinity data; and any other data that can be associated with the individual. Properly identifying and managing all this data in a compliant way will likely require a cultural shift, education and re-evaluation of existing processes in your organization.

Step 2: Get the right tech

Privacy regulations are not about technology – they are about processes. As such, there is unfortunately no “magic app” that will instantly make your organization compliant.

However, technology is a necessary part of the solution – the sheer volume of data and the regulatory requirements make it impossible to manage privacy compliance manually.

You may already have a capable and secure repository solution, which is a great start. But simply having good storage and retrieval is not enough when it comes to meeting the demands of new privacy regulations.

Here are just some of the additional capabilities you may require to stay compliant:

  • Automated retention and disposition policy management
  • Records request processing
  • Enterprise search for PII discovery outside your core systems
  • Customer communications/notifications management
  • Analytics and reporting to prove compliance

Keep in mind that privacy regulations are different for each state, so you may have to do all of the above across the different requirements based on each individual’s home state.

 

Are you ready to expand your privacy compliance toolkit?

Check out our resources and technologies that will help you along the way.

Dennis Chepurnov

Dennis is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as the Principal of...
