Making these organizational changes can help keep your company up to speed with the latest data privacy laws in a GDPR world.
The drumbeat of data privacy laws is showing no signs of slowing. When the European Union GDPR landed earlier this year, it sent companies scrambling. Up next is the similarly hefty California Consumer Privacy Act of 2018, which takes effect in 2020. The CCPA will give consumers the right to ask businesses what personal data is collected, to refuse the sale of personal data, and to demand its deletion.
These rules are only the beginning, as a variety of potential U.S. Supreme Court decisions, federal legislation and other state laws stand to upend consumer privacy rules as we’ve come to know them.
“I expect more state legislation. . . . I see a growing appetite for some federal legislation in an attempt to address some of the crucial issues,” writes CA Global Chief Privacy Strategist Christoph Luykx.
The secret sauce isn’t necessarily a high-tech solution; rather, it comes from hiring the right people, giving them the right amount of control and establishing the right processes for dealing with personal data.
Leadership Is Key
A nearly universal recommendation from experts is to elevate consumer privacy to the executive level. In fact, under the GDPR, companies that do business in Europe really have no choice. Gary Miglicco, senior vice president of security for PCM (a data center services provider), says, “Organizations that process significant amounts of private data on a regular basis are required under the GDPR to appoint a data protection officer (DPO). This employee must report directly to executive management and a company’s board, and is responsible for monitoring compliance, advising on all data protection matters, and serving as a single point of contact for regulatory authorities and data subjects.”
While the GDPR does not require every company to have a full-time DPO, most enterprise-scale businesses will qualify under the rules. But even if you don’t, says Miglicco, “many privacy experts recommend that you have such a position anyway to spearhead your organization’s compliance.”
Even if your organization is too small to support a full-time DPO, says Amanda McCluney, product marketing manager at Mertech Data Systems, you still need a single person to be in charge of data protection. “This is because of the accountability factor,” she says. “Leaving each department to its own governance could easily mean that some part of compliance falls through the cracks.”
Get All Teams on the Same Page
Getting all of your department heads on board with a data protection program starts with understanding where your risks lie, then working to minimize them.
“A lot of organizations hold data in disparate systems, not all of which are under their direct control,” says Sinéad McKeown, VP of product management at Arkivum, a data security company. “Carry out an audit to understand, identify, locate, and categorize all personal data across the organization, then put rules in place to determine the relevancy of all personally identifiable information.”
Establishing appropriate policies and procedures and disseminating them to every department will ensure that the company stores personal data only when it is essential and erases it when it is no longer needed.
Of course, this is hardly a simple process. Says James Goepel, CEO of security consultancy Fathom Cyber LLC, “Creating a data catalog is a monumental task in even a medium-sized company. What I recommend is taking a business-oriented approach that prioritizes identifying certain types of data based on risk.” Credit card and bank account information, for example, should get top attention, because it is so attractive to hackers.
Prepare for Disaster
Once you’ve designed and implemented your data protection program, your work still isn’t done: If a problem arises, the GDPR mandates that you report the security breach to law enforcement and your users within 72 hours of discovery.
“A security platform with real-time alerting capabilities can be a big help here in initiating a response and issuing the required notifications,” says Miglicco. “The best incident response is a planned response—rather than one made up while you’re responding to an incident, where you’re bound to get it wrong. Your plan should cover what actions to take following a breach, who oversees those actions, who to contact, how to keep the business operating, and whether alternative sites will be needed.”
It’s tempting to turn to technology to solve the increasingly complex problems around compliance and personal data protection, but the pros agree that could simply add fuel to the fire. By establishing clear data protection leadership, creating well-understood policies, and building a robust disaster plan, you’ll be well positioned to take on the new challenges in this sector, whatever new rules come down the pipeline.