CXO Security

How to Prepare and Pivot for the Privacy Regulation Pileup – A CISO’s perspective of what’s beyond GDPR and CCPA

How to Prepare and Pivot for the Privacy Regulation Pileup – A CISO’s perspective of what’s beyond GDPR and CCPA

Although the European Union’s General Data Privacy Regulation (GDPR) and the  California Consumer Privacy Act (CCPA) have been in effect for more than three years and one year respectively, some companies continue operating as they did before, often with a wait-and-see or we’ll-never-get-caught approach. Especially as international, U.S. and state governments regularly propose new data privacy laws.

Sweden’s Data Protection Authority fined Google $7.6 million for its failure to comply with the GDPR the first time and $56 million after its second incident. Regardless of the significant financial penalties they may face, many companies take the “we’ll fly under the radar of industry watchdogs” approach, falsely believing they are likely to escape fines.

But money isn’t the only thing a company could lose for privacy regulation non-compliance. Failure to address and comply with these regulations could lead to loss of customer trust, reputation, and revenue, as well as class action lawsuits and worse. We’re navigating a complicated landscape, particularly since these privacy laws and regulations are constantly changing.

Despite the ever-changing privacy landscape, there’s no shortage of ways to shore up your company’s adherence to privacy regulation.

Following are baseline measures CISOs, CIOs, and other security leaders can implement to help their companies comply with a wide range of regulations:

  • Face fear of the unknown: Perhaps your company has been complacent and doesn’t know whether your privacy practices comply with policies, regulations, and such. If this is the case, you’re probably falling short. Dig in, one area at a time, and start to address your company’s privacy-adherence shortcomings. 
  • Understand risk exposure: Start with the fundamental knowledge of what kind of data your company possesses, where it’s housed and how it’s protected. Be vigilant about tracking this information company-wide. And don’t forget about your key third-party partners that may be processing that data to support your business.
  • Keep on top of changing regulations: Assign a person or a team, depending on your organization’s size, to stay on top of new and changing privacy regulations and make sure your company complies. Otherwise, you could struggle to meet policy implementation and alteration deadlines.
  • Make privacy a key pillar: Whether embarking on a new project, implementing a new marketing strategy, or hiring a new supplier, think privacy first. Understand what data your suppliers are collecting and storing, for instance, and ensure it aligns with your mandates and policies. Any new initiative should include a privacy assessment to ensure compliance is enforced.
  • Communicate clearly, concisely, and regularly: Proactively communicate with customers, partners, and employees about relevant privacy policy changes. Ensure you’re transparent about how personal data is used.
  • Only collect data you need – nothing more: Article 25 of the GDPR says that organizations should only collect, process, and store personal information needed for a specific purpose – and others are following suit. Anything else is misleading to customers and subject to fines. For example, German real estate company Deutsche Wohnen was fined €14.5 million (~US$15.9 million) after it failed to establish a GDPR-compliant data retention and deletion procedure for its tenants’ personal data.
  • Take a trickle-down approach. CISOs should ensure data-privacy compliance buy-in from the top to the bottom of the organization. Consider a privacy steering committee to help ensure data-privacy has stakeholders from all business areas. Train employees on best practices. Communicate policies clearly and often so they aren’t forgotten. And ensure teams know what is and isn’t permissible, particularly since regulation changes so frequently.

Keep Prepping for More Privacy Policy Enactments and Change

Most countries have enacted data privacy laws regarding how companies collect information and inform data subjects, and what control they have over the information. Similarly, state-specific momentum for privacy bills is at an all-time high and constantly changing. However, there is no comprehensive US law governing data privacy.

Rather, the nation is cloaked with a complex patchwork of sector-specific laws and regulations dealing with telecommunications, health information, credit information, financial institutions, and marketing. Keeping up with it all is no easy feat.

Today’s customers place increasing value on their privacy, and legislators are taking notice. Maintaining compliance requires you know your customers’ rights under their local laws and revising your website and business operations accordingly.

Perhaps your company has been fined or is afraid that it will be. Or maybe you have robust privacy measures but find it challenging to keep up. Whatever the case, CIOs should seize the helm and take steps to ensure your organization is protecting privacy data adequately as privacy regulations, near and far, continue piling up.

Contributors

James Edgar

James Edgar, Senior Vice President and Chief Information Security Officer, FLEETCOR

James Edgar is an IT security and risk professional with extensive background in network engineering, security architecture, policy, risk, compliance and management. James has more than a decade of experience, which has included roles rangi... More   View all posts

Advertisement

Kofax Webinar MPU 300X250
James Edgar

Login


Not Member Yet?
Register

Register

  • Name

  • Contact Info

  • About Yourself

  • Minimum length of 8 characters
  • Upload
  • Location

  • Professional Background

  • Other Social Profiles

  • Areas of Interest