New data privacy regulations could mark the chief data officer’s time to shine
Amendments to the California Consumer Privacy Act (CCPA) resumed their faltering advance in mid-August, when the California legislature returned from its summer recess. But with just under a month to go until the CCPA comes into effect on January 1, 2020, and with other states including New York and Nevada promising similar legislation of their own, the financial services sector remains mired in confusion over how comfortably the new consumer privacy rules will sit alongside existing requirements for good record-keeping.
One thing is clear: it will take strong leadership and significant expertise to navigate what looks certain to be an interpretative minefield. In this respect, now could be the chief data officer’s (CDO) time to shine.
A particular point of contention is the new right that the CCPA and similar legislation introduce for consumers to demand that a company delete the personal information it holds on them – the ‘right of erasure’ or ‘the right to be forgotten.’
This will likely present operational challenges for financial institutions (FIs), obliging them to identify all the personal information they hold on an individual, wherever it lives, and destroy it – but without compromising their compliance with other rules on data retention or undermining the integrity of the other data and records that they hold.
There will be much work to do here and, at most FIs, the CDO will likely lead the charge. But for many, their first task may be convincing their seniors that their organization needs to comply at all. Many finance leaders are still clinging to the hope that the Gramm-Leach-Bliley Act (GLBA) will continue to offer them a blanket exemption from new privacy laws, but most legal advice points to far more complex scenarios.
While the CCPA, for example, certainly contains an exception for personal information that is already governed by GLBA, it is not an exemption for the institution as a whole. And since the scope of the CCPA is much broader than that of GLBA, there are likely to be significant gaps between the exempted information and the full record of personal information that a bank or similar institution collects on a customer. Those gaps will need to be painstakingly identified and documented.
In addition, the way that personal information is defined is far looser under the CCPA than it is under GLBA, and includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…” Again, picking a safe path through that definition will take considerable focus and expertise, as will exploring the numerous legitimate grounds for refusing a consumer’s deletion request. The CCPA’s own list of exceptions includes cases where deletion would prevent the business from complying with a legal obligation, which is precisely where record-retention rules come into play.
These are the sorts of tasks that CDOs in the finance sector are well equipped to take on. After all, the role emerged after the 2008 financial crisis in order to help institutions meet new standards for data quality, transparency and regulatory compliance.
In more recent years, the role has evolved and expanded to include helping organizations extract more business insight and value from the vast volumes of data they store, through the adoption of artificial intelligence and other sophisticated analytic approaches. While that remains important, the data privacy challenge ahead is forcing many CDOs to refocus on their original mission of compliance in general, and privacy in particular.
In a survey of CDOs conducted by consulting firm NewVantage Partners, presented at the recent CDO and Information Quality Symposium held at MIT, respondents were asked to identify their data priorities for 2019. Privacy came top of this list, cited by 99% of respondents and, notably, ahead of cybersecurity, cited by 94%. Third place went to data ethics, cited by 56%. The majority of the CDOs polled (74%) came from the financial services industry, from organizations including Bank of America, JP Morgan, Credit Suisse, Morgan Stanley and Deutsche Bank.
However, this focus must be backed up by adequate resources if CDOs and their teams are to deliver on the twin goals of identifying all personal information held across all the systems of record used by an FI, and developing processes that will allow them to quickly capture and retrieve that information in response to a customer’s request.
Given the complexity of today’s banking systems, and with the deadline for CCPA fast approaching, a strategy based on ‘throwing bodies at the problem’ is unlikely to prove a match for this challenge. Instead, CDOs must be supported in the search for new, technology-based approaches they will need to steer their organizations safely through what promises to be a compliance landscape littered with unfamiliar new hazards.