How organizations need to react to new data privacy challenges
With all of the attention now being paid to data privacy, many Americans are wondering who's looking out for their personal information online and many organizations are seeking clarity around meeting compliance regulations and preparing for future changes.
To help answer those questions, Information Management spoke with data privacy expert Scott Giordano for his advice on how companies and brands should be approaching data protection. Giordano has been an attorney for more than 20 years, is an IAPP Fellow of Information Privacy, and currently works as vice president of data protection at Spirion.
Information Management: 2018 was a very busy one on the data privacy and data protection front. What do you see as the most significant events we can see in 2019 that will impact these topics?
Scott Giordano: Enforcement of the EU General Data Protection Regulation (GDPR) by EU supervisory authorities will likely have the most impact, given that data controllers will prioritize data protection efforts based on the severity of the sanctions for violations. We’ve already seen a €50M fine levied by the CNIL against Google for GDPR-related violations, and undoubtedly that’s going to shape data protection practice in the U.S.
IM: What do you believe are the events or factors that are most affecting attitudes and strategies around data privacy?
Giordano: The daily stream of reports of data privacy violations and breaches has the biggest impact on attitudes and strategies. This is so because those reports come from such a wide variety of sources and circumstances – hotels, wireless providers, social media – that no one can assume they’re safe.
IM: What data privacy and protection regulations are in the works that may be a surprise to many organizations and what is behind them?
Giordano: Far and away, the California Consumer Privacy Act or CCPA is going to be a surprise to many, much like the GDPR was – there’s nothing like it on the horizon. It is extraordinarily complex and will likely affect just about every company doing business in California. Originally, the substance of this statute was a ballot initiative but the author pulled it at the last minute in exchange for a law drafted and passed by the state legislature. We’ll see whether that was a good idea.
IM: On a government level, what actions do you see lawmakers taking around data privacy and protection in 2019, and what would you like to see that they probably won’t do?
Giordano: In 2018 we saw the Insurance Data Security Model Law, which was developed by the National Association of Insurance Commissioners (NAIC), adopted by South Carolina, Ohio, and Michigan. I believe we’ll see another 10-15 states adopt their own version in 2019, and effectively it will become a default national standard, at least for insurance carriers. What I would like to see (and what lawmakers probably won’t do) is establish data privacy as a fundamental right and pass legislation accordingly, which is essentially what the GDPR does.
IM: On a corporate level, what data privacy and protection trends do you see most prominent in 2019?
Giordano: Development of inventories of personal data is likely the biggest trend, given how important they were to GDPR compliance in 2018 and how important they’ll be for CCPA compliance this and next year. They’re sometimes called “data maps,” and they’re crucial for understanding where personal data is located in an organization down to the server level, how it’s being protected, and with whom it’s being shared.
IM: How can chief data officers and those in charge of data management best involve employees throughout an organization in applying best practices to data privacy?
Giordano: The best data protection technology ever invented is an alert employee. The best way to get alert employees is through routine training in best practices. That include topics such as: what qualifies as personal information, how to recognize phishing and similar attacks, and who to ask when you have questions. I believe the majority of employees understand the gravity of the threats to personal information and expect their employers to acknowledge this and act accordingly.
IM: What is your advice to organizations on the top three things they should be doing to best comply with data privacy mandates and regulations, and with customer and shareholder expectations?
Giordano: The most important thing to do is make data protection a board-level concern. I can tell you based on my own experience that when something is important to the board, it’s important company wide.
The New York Part 500 financial regulations, for example, mandate a security program, a CISO, and periodic briefings to the board by the CISO. That will have an impact.
Second on the list to have someone in charge of the data protection program; that could be the CISO, but it also could be the chief privacy officer, chief compliance officer, or an associate general counsel. Ultimately, there needs to be someone with ultimate responsibility for data protection operations on a day-to-day basis as well as for any failures in the data protection program.
Finally, there needs to a data protection program – that includes a data classification system, policies, and technology to implement it, as well as periodic testing to make sure it’s working. Data protection programs are neither cheap nor easy, but they will protect the organization over the long term.