Efforts to protect consumer data took a leap forward with the January 1 enactment of The California Consumer Privacy Act (CCPA). California, as one of the world’s largest economies, is officially the first state to pass comprehensive legislation around consumer data privacy protection. The CCPA follows in the wake of Europe’s well-known General Data Protection Regulation (GDPR), but so far, no other states have enacted similar legislation.
While CCPA may be an anomaly in the United States for now, it’s widely believed that it and other legislation like it will result in even more regionalized legislation around consumer data protection. Increasingly, consumers are demanding to know who has their information and how it’s being used. As companies begin to witness the impact of penalties and fines related to non-compliance with GDPR — and as you consider what legislation may be on the horizon — it’s smart to consider what this means for your business.
Organizations can help mitigate the challenges brought on by future legislation by ensuring that all data strategies are focused on security. Instead of reacting to each piece of legislation as it is enacted, organizations should instead be considering privacy and data governance in every aspect of their businesses and making key decisions with data protection in mind.
What is driving new legislation?
Much of the new legislation we’re seeing is borne out of the chaos of increasingly larger and more frequent data breaches — and the resulting customer worry and concern surrounding these breaches.
Large data breaches like the ones at Facebook and Equifax have compromised personally identifiable information of many thousands of people who are now concerned and worried that their sensitive data is out there in the world for anyone to access and capitalize on. Legislation like CCPA seeks to regulate data so that consumers know about their rights concerning where their data is located, their right to be forgotten, how their data is being used and stored, and with whom that data is being shared.
Breaches are financially costly, and often lead to brand and reputational harm to the organization that’s breached. Breaches are also on the rise as hackers continue to become more sophisticated. That’s why companies need a solid plan for data protection, including continuous security monitoring by qualified security professionals.
While several industries, especially healthcare and financial services organizations, took actions to protect personal data a long time ago, for many other industries, data governance and consumer data privacy are relatively new considerations, and legislation like GDPR and CCPA is often the impetus for change.
Are we moving toward a global standard?
Though data privacy legislation will likely continue to be implemented in new regions in the coming years, it’s doubtful there will ever be a globally enforced standard for data privacy and management. The reality is that countries in varying geographic regions aren’t likely to ever reach the level of cohesion needed to agree on and pass a unified piece of legislation. For example, there is legislation in the Asia Pacific region that’s even more stringent than GDPR and CCPA, while countries like Russia and China have laws that make it illegal for data to physically leave the country. It’s tough to imagine a scenario in which these countries could agree on exactly what needs to be included in a single piece of legislation.
Another hurdle to a global privacy standard is compliance enforcement. With so many different requirements currently in place from one country to the next, and with the immense regional variation between government organization and oversight, it’s unlikely that there will ever be uniform compliance enforcement.
A more likely scenario is that data protection laws remain locally created and enforced, making data scalability more challenging across regions and eventually leading some organizations to realize that serving some regions will be less profitable than serving others.
Countries will continue to gravitate toward more conservative, regionalized approaches to data protection mandates, which can create challenges for companies. This is where data security by design can help.
How to implement data security by design
The principle of “data security by design” is the assumption that your business will be impacted by upcoming legislation.
Generally, it makes the most sense to implement data security practices that will allow you to comply with any new laws. While you may have to adapt to a new piece of legislation in the future, you stand a better chance of already being close to compliance if you put the right baseline principles in place.
Here are some ways to implement data security by design:
A three-pillar approach
It's best to have executive-driven prioritization around security and data privacy protection. This is an executive-level initiative that must be recognized by the CEO and general counsel as a basic requirement for your business. There’s no exception to this rule; security and data protection must be on your company roadmap and prioritized across the company.
Data privacy management needs to be part of your company charter, built into your KPIs, and reported on in recurring operational reviews. Beyond that, we advocate a three-pillar approach to data security by design. In order for your practices to succeed, you’ll need the following teams in place:
- Legal: You need lawyers to translate the requirements for you and help you understand exactly what the different laws mean for your business.
- Technology and security experts and architects: This team will build and architect the solutions needed to meet the requirements.
- Compliance and risk team: This team will implement the right processes and audits to help ensure continued compliance.
The technical expertise brought to the table by each team should be deep to help ensure that you adequately address the data-related concerns that are specific for your industry and company.
Appoint a Chief Data Officer and Data Governance Office
Consider hiring or appointing a Chief Data Officer and creating a Data Governance Office. The DGO will own data security efforts and the daily responsibilities around maintenance. Its purpose, and that of the CDO, is to give your business well-defined views into the data that you have right now and enable you to make strategic, data-driven decisions based on your data catalog.
The CDO role is a combination of a CTO, CIO and CISO. Each of these individuals has related responsibilities, and where their responsibilities intersect is exactly where the CDO would come in. If you don’t think there’s enough of a business case yet for a standalone CDO position, there’s also an opportunity to leverage an existing CIO or CISO to fulfill this role.
Start with the end in mind
Even if you’re not currently impacted by any recent data protection legislation, you should assume that you’re going to be. Start planning now. If you’re kicking off a new initiative or a new project and you build with compliance and security in mind, you can save yourself a lot of headache when new legislation rolls out. Even if you don’t fully comply with current legislation, having compliance in mind as you develop an architecture around a new project is going to put you ahead of where you would be otherwise.
Pick an approach you can reasonably maintain
There are a couple different ways to start crafting your data privacy protection plan, and how you choose to design your plan depends on your specific business.
Many organizations choose to take a conservative approach — taking the most stringent regulation and applying it globally. This is often the most efficient and effective way to get ahead of data privacy legislation, and it will likely result in exceeding the legislation requirements in some areas. Also, you won’t have to worry about handling multiple types of system implementations for different regulations.
The downside of the conservative approach is that you may lose access to certain customers. For instance, if you choose to follow GDPR instead of CAN-SPAM because it’s the most stringent approach to data privacy, you may lose some of your marketing audience based on the extra opt-in requirements GDPR brings.
If losing those marketing leads is a deal-breaker for your business, you can decide instead to follow different levels of stringency in different areas of your business. Just be aware that if you choose this approach, you must have management resources available to support enforcing multiple guidelines across the various areas of your business.
Depending on where assets are located, you may need to regionalize your data to accommodate data sovereignty. For many organizations, it is cheaper (or potentially mandated by their country’s security requirements) for data to stay in-region. Regionalized data has its own considerations, including regionalized data architecture or sharding, multi-cloud storage and compute requirements, and the associated cost considerations.
Choosing an approach requires identifying which method provides the most value to your business, weighed against the limits of what you can consistently maintain. If you can’t support different types of data management, then you’re better off adopting one standard across the company. Implementation of a new strategy may seem overwhelming, but it is the maintenance of your program that will make or break compliance.
Schedule regular audits to monitor security and compliance goals
Data protection legislation is rarely static, so there’s much work to be done beyond defining your approach. Compliance is a continual effort, and you’ll need to conduct regular audits to make sure you’re staying on track. Some legislation might require more frequent audits, but generally, performing an audit at least once a year is sufficient. Use those audits as an opportunity to review the regulations you have in place and gather information on how well your compliance practices are working.
The bottom line: data security by design benefits everyone
Now that customers are gaining more control over where their data lives and how it’s used, businesses must think about thoughtful ways to approach data privacy management.
The evolution of data protection will continue to become more regulated and increase in scope and requirements. One likely evolution will include requirements surrounding security monitoring of protected data, much like the GDPR requirements currently enforced. Planning for this at the outset will help ensure your assets and business are ready for the next regulation. Businesses that don’t plan ahead will find themselves scrambling to clear each new hurdle one at a time.
While implementing data security by design will incur some upfront costs, you are protecting yourself in the long run from loss of revenue and reputation in the event of a data breach. Being proactive is the best thing you can do for both your customers and your organization.