As privacy regulations continue to increase, compliance has become a pervasive and very real concern for nearly every company. As more venture down the path toward compliance, they’re finding it’s truly a team sport. It can no longer just be relegated to the legal team. Compliance has to involve multiple skill sets across the company and lean on technology to understand risk, automate responses and navigate change management.
How do you prepare for the privacy laws coming into effect in 2023? It involves building the right team, integrating the right technology, and getting a comprehensive view of where your data resides and how it’s being used.
Regulators are also becoming more comfortable with guiding organizations to look into adopting technology for the purpose of complying with privacy regulations.
The intersection of privacy and the legal department
As the complexity and number of regulatory requirements continue to increase, more organizations are exploring how to operationalize privacy by automating compliance. In fact, according to a recent Forrester privacy survey of 800 privacy decision makers, 61% said they will be adopting privacy management software to help operationalize privacy, or more specifically, to understand and manage the controls on their data.
Another 56% said they plan to invest in consent management software. The legal team will always be part of the privacy conversation, but because data permeates every aspect of the business and technology has become an integral piece of the puzzle, managing privacy now requires skill sets from other departments such as IT and security.
In fact, technical and data skills have become a core part of privacy management. The same Forrester survey found that privacy teams now comprise a cross section of skill sets ranging from business to data science and analytics.
“Technical and data skills are in really high demand with privacy teams,” said Enza Iannopollo, principal analyst at Forrester. “They have to understand the way data flows as well as business application factors.”
Part of achieving this level of understanding also requires a data map.
The role of data mapping
Most organizations are sitting on more data than they realize. From customer to employment data, much of it sits in repositories scattered across departments and goes unnoticed until an incident occurs. As privacy laws come into effect, unknown data becomes a compliance risk. A comprehensive data map exposes these risks before they become an issue.
Data mapping will also prove critical in dealing with privacy requests, which are anticipated to increase as consumers get more familiar with their data rights. There are also several other compliance-related reasons why data mapping is so fundamental, and really a prerequisite for compliance:
- It shapes the content of all required legal notices and policies that have to be in place
- Enables you to effectively manage Data Subject Access Requests (DSARs) –– you need to know where the data is and how it’s being used to respond properly
- Helps activate data minimization and retention rules –– to comply with this, you have to have a data map and understand what’s collected, where it’s retained and how long it’s retained
Though data maps are not necessarily a requirement in every jurisdiction, companies that don’t have them will expose themselves to tremendous risk.
“Some state laws have data mapping obligations, but you simply can’t have adequate data security without a data map,” said Jon Leibowitz, former chair of the FTC. “Now the FTC has moved towards strong technological requirements that are prescriptive––sometimes called prescriptive technical safeguards. So, you really do want to get ahead of this curve and data mapping seems like something that whether it’s in the statute or more common sense, you really want to do it.”
Simply put, if you don’t have a data map, you can’t truly understand the risk in the company. So, what should go into a data map? The following are a few questions to ask:
- Can you easily find the data if requested by a consumer, including the data with a vendor or service provider?
- Where a “lookback” is required, can you track when you collected the data and only identify data collected after a certain date?
- Have you identified all uses of the data across all departments? For example, HR may not know what other departments are using employee and applicant data.
- Does your data inventory contain all of the information needed to populate the contents of legally required privacy notices and policies?
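The four questions above translate directly into queries an inventory has to be able to answer. The following is an added illustrative example, not code from the original article or any vendor product: it models a minimal data inventory (systems, vendor copies, data categories, purposes, retention) plus per-subject records with collection dates, and implements one check per question. All system, vendor, department and subject names are constructed for the example.

```python
"""Minimal data-inventory model with one check per data-map question.

Added illustrative example; every system, vendor and subject below is
hypothetical and constructed for this snippet.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One place personal data lives: an internal system or a vendor copy."""
    system: str
    owner_dept: str
    categories: frozenset[str]   # kinds of personal data held
    purposes: frozenset[str]     # why this system uses the data
    retention_days: int          # 0 means no retention rule defined yet
    vendor: str | None = None    # processor holding the copy, if any


@dataclass(frozen=True)
class Record:
    """One data subject's presence in one system, with collection date."""
    subject_id: str
    system: str
    collected_on: date


# Constructed sample inventory; names are made up.
INVENTORY = [
    Asset("crm", "sales", frozenset({"name", "email"}), frozenset({"marketing"}), 730),
    Asset("hris", "hr", frozenset({"name", "ssn", "salary"}), frozenset({"payroll"}), 2555),
    # A marketing export of HR data with no documented purpose or retention rule.
    Asset("analytics-export", "marketing", frozenset({"name", "salary"}), frozenset(), 0),
    # A vendor-held copy: the processor must be reachable for DSARs too.
    Asset("payco-sync", "hr", frozenset({"ssn", "salary"}), frozenset({"payroll"}), 2555, vendor="PayCo"),
]

# Constructed sample records of which subject sits in which system.
RECORDS = [
    Record("emp-17", "hris", date(2019, 3, 4)),
    Record("emp-17", "analytics-export", date(2022, 6, 1)),
    Record("emp-17", "payco-sync", date(2022, 1, 15)),
    Record("cust-9", "crm", date(2021, 11, 30)),
]

ASSETS = {a.system: a for a in INVENTORY}


def locate_subject(subject_id: str, since: str | None = None) -> list[str]:
    """Questions 1 and 2: every system holding this subject, vendor copies
    included, optionally limited to data collected on or after an ISO
    lookback date such as "2022-01-01"."""
    cutoff = date.fromisoformat(since) if since else None
    hits = []
    for r in RECORDS:
        if r.subject_id != subject_id:
            continue
        if cutoff is not None and r.collected_on < cutoff:
            continue
        a = ASSETS[r.system]
        hits.append(f"{a.system}@{a.vendor}" if a.vendor else a.system)
    return sorted(hits)


def departments_using(category: str) -> dict[str, list[str]]:
    """Question 3: which departments (and systems) use a data category, so
    the owning department can see copies it did not know existed."""
    out: dict[str, list[str]] = {}
    for a in INVENTORY:
        if category in a.categories:
            out.setdefault(a.owner_dept, []).append(a.system)
    return {d: sorted(s) for d, s in sorted(out.items())}


def notice_gaps() -> list[str]:
    """Question 4: assets that cannot yet populate a privacy notice because
    a purpose or retention period is missing."""
    gaps = []
    for a in INVENTORY:
        problems = []
        if not a.purposes:
            problems.append("no purpose")
        if a.retention_days <= 0:
            problems.append("no retention rule")
        if problems:
            gaps.append(f"{a.system}: {', '.join(problems)}")
    return gaps


if __name__ == "__main__":
    print(locate_subject("emp-17"))                     # all copies, vendor included
    print(locate_subject("emp-17", since="2022-01-01"))  # lookback-limited view
    print(departments_using("salary"))                   # HR data used by marketing
    print(notice_gaps())                                 # assets a notice cannot describe
```

The point of the model is that each question is answerable only because the inventory carries the corresponding field: the vendor column for question 1, a per-record collection date for the lookback in question 2, an owning department per copy for question 3, and purpose and retention per asset for question 4. An inventory that lacks any of those fields cannot answer the matching question, whether it is kept in a spreadsheet or a tool.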
The data map conversation inevitably raises the question of whether this can be done manually or if technology is required.
The use of technology in privacy management
In the past, many organizations attempted to create data maps manually. But now that GDPR has been in effect for several years and more privacy laws are coming into force, there has been a steady shift from manual to automated mapping. Most companies simply don’t want to run the risk of inadvertently overlooking data or failing to account for something that could threaten their compliance.
“If it’s being done manually, that suggests you’re behind the curve. It can raise red flags,” said Leibowitz.
An automated system is more defensible, accurate and scalable for several reasons:
- The average mid-size organization manages upwards of 60 data repositories––structured and unstructured
- The spreadsheet method is time consuming, incomplete and requires frequent updates
- Sending surveys to SMEs and department heads can result in delays and duplications
The process truly needs to be automated with a consolidated view of the data.
Having an automated and systematic approach has to be the standard if your organization wants to maintain compliance and be able to defend it if an incident should occur.
With automated data mapping, you can:
- Gain access to your structured and unstructured data
- Inventory users’ personal data that’s stored in your business systems
- Determine where data resides and what type of data it is
- Quickly and efficiently respond to users’ DSARs and complete privacy impact assessments
- Identify organizational privacy risk and plan more effectively
Utilizing technology to operationalize privacy compliance is no longer a nice to have; it is proving a necessity. In fact, many regulators are urging organizations to have technical safeguards in place.
“It’s a global trend. We’re starting to see guidance that’s more prescriptive,” said Leibowitz. “And particularly in cases that the FTC and California AG and others have brought, there’s a strong uptick in technological requirements and you want to get ahead of that curve.”
Getting ahead of the curve will also help manage privacy requests, which are predicted to escalate when new laws take effect.
“I think we are going to see that number go up,” Iannopollo said. “When consumers start to become more familiar with their privacy rights and more familiar with the way they need to express certain choices, they like to do so. I think we are going to see an increased number of US consumers asking companies not to sell their information and also asking for their privacy rights.”