If you keep up with business and technology news, you probably encounter stories about the importance of data privacy on a daily basis. In just the last few months, we’ve seen the GDPR go into effect, the California Consumer Privacy Act (CCPA) signed into law, tech giants Facebook, Apple, and Google called out on their data handling practices, and a wave of data privacy legislation being discussed and enacted at state and federal levels.
So why aren’t more businesses making data privacy a priority as they plan for 2019?
Recently we published an Insight on the internal objections that hold many organizations back from moving forward on data privacy, and it appears that many of those roadblocks are still in place as strategic plans for next year take shape. But businesses that continue to ignore this issue will likely find themselves involved in a costly, time-consuming game of catch-up in 2019. Here are four reasons why.
Reason 1: New Laws on the Horizon
Today the U.S. Congress is considering three federal data privacy and protection laws, and this year several states, including Colorado, South Carolina, and Vermont, passed their own legislation, with other states following suit. Some companies that are not covered by either GDPR or CCPA may believe that they can now relax, but if current trends continue, nearly every U.S. company will probably be subject to some kind of data privacy legislation in the near future.
Businesses also cannot rely solely on geography to determine whether data privacy laws apply to them. Any for-profit U.S. business with a website, for example, almost certainly collects personal data of California residents who visit its site, and it is therefore subject to CCPA if it meets any of the three threshold requirements (over $25MM adjusted gross income; processes personal information of 50,000 or more California consumers, households or devices; or derives at least 50 percent of its annual revenue from selling personal information).
While each law contains some unique specifications, we recommend a top-down approach to your privacy program, because the process of laying the groundwork for compliance is the same, and you don’t want to have to revisit it every time a new regulation is adopted. You need to find out exactly what personal data you have, how you gather it, where it’s located, what you do with it, and who (internally and externally) has access to it. Once you’ve completed those tasks, you will have a solid foundation for adjusting business and technical processes to comply with the specific privacy rights each regulation gives to individuals.
Reason 2: Customers (and Business Partners) Are Watching
The Facebook/Cambridge Analytica scandal was a wake-up call for millions of consumers regarding their personal data. Many of those customers are now thinking twice about the companies with whom they share personal data as part of their business transactions. Long-term customer relationships are built on trust, and if customers believe they can trust you with their personal data, they’re more likely to keep coming back.
Consumers aren’t the only ones with a heightened awareness of personal data issues. Potential partners and acquirers will look for assurances that your company handles personal data securely and responsibly before doing business with you, whether you are covered by data privacy legislation or not.
Reason 3: CCPA’s One-Year Lookback Clause
Under CCPA, if a data subject asks a business to disclose the categories of her personal information that it has sold or disclosed, the company’s response must encompass all activity from the previous 12 months. If, for example, a customer calls in January 2020 with such a request, you would have to provide categories of all information sold or disclosed since January 2019. If your company is not currently tracking and categorizing activity regarding the sale or disclosure of personal data to prepare for these requests, now is the time to put those controls in place.
Reason 4: It’s Good for Business
Aligning with data privacy legislation requires proactive data management, which benefits your business on several levels:
- You’ll create a single source of truth that enables you to streamline internal processes and improve the customer experience.
- You can better understand which customers are most likely to interact with you and focus your marketing efforts on nurturing those relationships.
- You can eliminate the costs of storing useless data that your company collected “just in case we need it.”
- You can make better-informed decisions and start extracting real business value from your data.
Steps to Take Now
With the start of 2019 just a few months away and concerns over the use of personal information mounting worldwide, now is the time to make data privacy a priority. Here are a few steps you can take to prepare your company for the challenges that lie ahead:
- Evaluate the lifecycle of personal data in your organization — how it enters, which systems process it, where it goes internally and externally.
- Create a systems map and perform a data process inventory.
- Create procedures to prepare for requests for access, deletion, and transference to other providers.
- Ensure that all employees who handle personal information and customer inquiries are trained in the data privacy requirements for your organization and in the proper way to handle customer requests regarding personal data.
If you have questions about data privacy or if we can help you in any way, just give us a call.