Why data privacy professionals need a new approach to compliance
Over the past several months, we have seen organizations implement and operationalize their EU General Data Protection Regulation (GDPR) privacy programs. Other governments have followed suit with data protection laws of their own, such as the California Consumer Privacy Act, Brazil’s Lei Geral de Proteção de Dados Pessoais and Vietnam’s new cybersecurity law.
You may be wondering how to prepare your organization for these new laws while already suffering from privacy compliance fatigue and unsure what compliance will actually take. It is common to worry that your data privacy program is not agile enough to keep up, that regulators will find gaps in it, or that a data breach will expose customers’ personal data.
In reality, this may be the time to shift from a check-the-box compliance mindset to a risk-based approach that can satisfy all of these standards at once. A core set of requirements is common to most of these privacy laws and data protection regulations, and building your program around that core prepares your organization for each new law rather than for one law at a time.
Some of the more common requirements include:
Data inventory and mapping
Most of these privacy laws and data protection regulations expect your organization to know what personal data it collects, how and why it is collected, and which systems process it.
For some organizations this is a daunting task because of the organization’s size and the number of technologies in use across it. There are two approaches.
The first is a manual approach: identify and document personal data across your organization’s technology environment by working through each business unit and system. It is thorough but requires a significant amount of time to build and then validate the inventory and data map.
The second is an automated approach that uses data discovery and scanning tools to build the inventory and map. It takes less effort to validate, but a scanner only finds data in the systems it is pointed at, so shadow IT and SaaS tools adopted outside the IT environment will be missed. If you take this approach, you still need to ask the business units which solutions they use outside the managed IT environment, and then either add those systems to the scan scope or inventory them manually.
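To make the automated approach and its blind spot concrete, here is an added example (not code from the original article or from any particular discovery tool) of a minimal data-discovery scan. It classifies personal data found in text extracted from in-scope systems, uses a Luhn check so that a 16-digit order number is not reported as a payment card, and then compares the scanned systems with a list of systems the business units say they use, so that anything the scanner never reached shows up as an inventory gap. The system names, the sample text and the list of reported systems are constructed for the example; the three detectors are deliberately simple and a real program would use a far larger catalogue.

```python
"""Minimal automated data-discovery scan (added example, constructed data).

classify()        -> which personal-data categories appear in one text blob
build_inventory() -> category counts per scanned system
coverage_gaps()   -> systems the business units report that were never scanned
"""
import re

# Detectors for a few common personal-data categories. These are illustrative;
# a production scanner carries many more, plus context rules to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {category: hit_count} for personal data detected in one text blob."""
    counts = {}
    for name, rx in PATTERNS.items():
        hits = rx.findall(text)
        if name == "card":
            # keep only digit runs that pass Luhn, so order/reference numbers are dropped
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            counts[name] = len(hits)
    return counts


def build_inventory(sources: dict) -> dict:
    """Map each scanned system name to the personal-data categories found in it."""
    return {name: classify(text) for name, text in sources.items()}


def coverage_gaps(inventory: dict, reported_systems: set) -> set:
    """Systems that business units report using but that the scan never touched.

    A scanner cannot find data in a system it was never pointed at, so this
    set is the shadow-IT follow-up list for the privacy team."""
    return reported_systems - set(inventory)


# Constructed sample: text extracted from three in-scope systems.
SAMPLE_SOURCES = {
    "crm.prod": "Lead: jane.doe@example.com, phone 555-867-5309, notes: demo on Friday",
    "orders.db": "order 1234567890123456 paid with card 4111 1111 1111 1111, ship to bob@example.org",
    "wiki": "Release plan Q3; no contact data here",
}

# Constructed answer from the business units to "which tools do you use?".
REPORTED_SYSTEMS = {"crm.prod", "orders.db", "wiki", "marketing-saas"}


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SOURCES)
    for system, categories in inventory.items():
        print(f"{system:12s} {categories or 'no personal data detected'}")
    for system in sorted(coverage_gaps(inventory, REPORTED_SYSTEMS)):
        print(f"{system:12s} NOT SCANNED: reported by business unit, add to scope or inventory manually")
```

The point of the gap check is that the scan result alone looks complete: every scanned system gets a row, and nothing in the output hints at the marketing SaaS tool that was never connected. Only the comparison against what the business units reported exposes it, which is why the automated approach still needs the questionnaire step.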
Retention and disposal
Most organizations already have a data retention and disposal policy and a retention schedule, and many have updated both for GDPR. Even so, most organizations struggle to actually dispose of data once its retention period ends, including the copies that live on in backups and downstream systems. Enforcing the schedule and verifiably disposing of the data is critical to the success of your privacy program.
Privacy impact assessments
Most people who perform risk assessments identify risks from the organization’s perspective: the assessment determines how a risk affects the organization. As we have seen with GDPR, the focus of the assessment has shifted from the organization to the data subject. A privacy impact assessment (PIA) or data protection impact assessment (DPIA) should therefore evaluate the risk to the individuals whose data is processed, not only the risk to the organization.
Data subject requests
Organizations must be able to receive and fulfill data subject requests such as requests for access, correction, deletion, or objection to profiling. This is more complex than it looks: you have to manage intake, verify the identity of the requester before releasing or deleting anything (a request fulfilled for the wrong person is itself a breach), locate the data across every system in your inventory, and complete the request within the statutory deadline. Intake, tracking, and fulfillment are good candidates for automation.
Again, every organization will take its own approach, but these privacy laws and data protection regulations have transformed how organizations operate, specifically how business units such as marketing, sales, and human resources collect, use, share, protect, and dispose of personal data. Building sustainable processes for these common requirements matters because they become the backbone that lets your privacy program meet the demands of future privacy laws and data protection regulations.
The privacy professional is becoming a multidisciplinary practitioner, needing knowledge of privacy, technology, and cybersecurity to understand how privacy risks affect the organization. If you keep checking boxes for compliance, your organization may never become agile enough to keep up with the growing regulatory environment for privacy and data protection.