Debates on new privacy legislation and fines levied on international giants continue to grab the headlines. With this heightened sense of urgency, how should companies manage their compliance efforts? While GDPR is the overarching privacy law in Europe, the nature of American federalism has led as many as 15 states to push their own privacy regulations, adding to the complexity of U.S. companies’ compliance efforts.
To make matters worse, the numerous state privacy regulations in the United States are constantly amended, and multinational companies must also account for international privacy laws, such as the China Cybersecurity Law and Brazil’s General Data Protection Law (LGPD). The challenge, from an operational standpoint, is this: how do companies comply with all the privacy regulations in an overwhelmingly complex legislative landscape?
Because the impact of cyberattacks on business operations is well recognized, cybersecurity has long been prioritized by companies and regulators alike. More recently, as a result of high-profile data breaches, consumers have grown skeptical about companies’ ability to protect their data.
Consequently, privacy’s impact on business has become more apparent. A recent study by Wavestone observes that 25% of global consumers have stopped using certain services in order to protect their privacy. This data suggests that privacy risks have evolved from a back-office compliance risk into a business risk that potentially undermines a company’s revenue generation.
An Introduction to GDPR and CCPA
Effective in 2018, the General Data Protection Regulation (GDPR) puts EU residents in control of their personal data. Built on principles such as purpose limitation, data minimization, and accountability, GDPR fundamentally shaped and codified data subjects’ individual rights. Since the introduction of GDPR, numerous jurisdictions, including China, the United States (at the state level), and Canada, have enacted or advanced their own regulations that grant individuals ownership and control over their personal data.
In the United States, the most mature and widely discussed of these is the recently enacted California Consumer Privacy Act, or CCPA, which takes effect on January 1, 2020. Like GDPR, CCPA requires organizations to focus on protecting personal data, to increase transparency, and to implement controls over the collection, sharing, and use of such data.
Both GDPR and CCPA build a legal framework under which consumers can exercise their individual rights regarding their data.
However, CCPA differs from GDPR in significant aspects:
- A fundamental principle of GDPR is that a designated legal basis (e.g., consent or a legal obligation) is required before any processing activity. In contrast, CCPA does not require companies to establish a lawful basis a priori for processing.
- Compared to GDPR, CCPA expands the definition of personal data to include information associated with a household. It also omits several data subject rights established by GDPR, such as the right to rectification, the right to restrict processing, and the right to object to automated profiling.
- Both GDPR and CCPA violations can result in significant financial liability, through civil fines and through a private right of action (under CCPA, the private right of action is limited to certain data breaches). CCPA grants companies a 30-day period to cure violations, whereas GDPR does not.
- CCPA also omits several operational requirements that GDPR imposes, such as the appointment of a Data Protection Officer (DPO), the maintenance of a record of processing activities, and notification of personal data breaches to the supervisory authority within 72 hours.
Main differences between GDPR and CCPA
Discussions around GDPR over the past couple of years have prepared companies for many of CCPA’s requirements. However, with the Attorney General’s final implementing regulations due in the coming months and amendments only signed into law in mid-October, it remains difficult for companies to meet the deadline, which is now just months away. For example, AB-25, a CCPA amendment passed by the legislature on September 12, 2019, significantly changed the scope of CCPA by excluding most employee data until 2021.
Complicating matters, 15 other states have either passed or are in the process of drafting their own data privacy regulations with varying scopes and levels of stringency. Nevada’s new law came into effect on October 1, 2019, three months before CCPA. Compounding the uncertainty is the possibility of a federal privacy law with which companies may have to comply in the future.
Following the CCPA, 15 states are in the process of developing their own privacy laws.
Sample of data privacy legislative developments across the United States
In September 2019, 51 CEOs of major U.S. corporations, including Amazon, JPMorgan Chase, and Walmart, sent a joint letter to Congress calling for a federal privacy law, which, if stringent enough and preemptive of state law, could resolve the current problem of numerous, and possibly conflicting, state laws.
How should a company comply with numerous new laws that are not finalized until a few months before their effective date? A regulation-driven approach, a reactive method that chases a moving set of regulations, cannot work. It leaves the company perpetually behind on the compliance timeline, struggling with the conflicting requirements of different regulations, and shifting remediation priorities. Companies therefore need to be proactive and adopt a maturity-driven approach to data privacy that makes individual-focused practices the end goal.
Our Recommendations
At the moment, companies might not know all specific requirements of the regulations. Nevertheless, they should start preparing now, since implementing a privacy program takes time and coordination among numerous departments.
Despite the many differences among regulatory requirements and the varying focuses of the privacy regulations, they all entail certain prerequisite steps that should come before finalizing the language of privacy policies and contractual clauses: drafting and maintaining a record of processing activities, defining a governance structure with assigned ownership of the major workstreams, and selecting the data subject request verification mechanism that best fits the company’s specificities.
Laying this time-consuming groundwork in advance puts companies in a better position to adapt once legislation is finalized.
One straightforward way to prepare for all possible regulations is to comply with the most stringent requirement in each area. This is a sound overall strategy, but where compliance efforts significantly affect local business operations, the business should be involved in making risk-informed decisions.
For example, while GDPR requires an active opt-in before contacting consumers, CCPA only requires companies to allow consumers to opt out of the sale of their personal information. In the U.S., aligning with the GDPR requirement could come at a heavy cost to the reachable consumer base and have a considerable impact on marketing outreach.
In that case, a tactical approach can be agreed with the business. For mass communications, for instance, EU residents would only be contacted if appropriate consent has been collected, while U.S. residents could still be contacted as long as an opt-out mechanism is provided.
The road to compliance is long; it would be unrealistic to attempt 100% compliance right off the bat. As a matter of fact, many EU companies are still in the implementation phase of the new controls prescribed by GDPR, more than a year after it came into effect.
Instead, companies should start by evaluating areas of risk and project dependencies to develop a remediation roadmap that balances the company’s business needs and readiness posture.
Companies should be cognizant of their ability to deliver and address the most sensitive processing activities first (e.g., based on the volume and sensitivity of the personal data involved).
Additionally, companies may consider tackling first the most visible aspects of their privacy program (e.g., consumer-facing policies, data subject request submission mechanisms). In the event of a regulatory examination or litigation, a risk-based approach and a clearly devised plan demonstrate the company’s commitment to privacy and its consumer-centric mindset.
As there are many uncertainties regarding the pending regulations, companies should focus on their similarities and common ground. By aligning themselves with the regulations’ shared end goal, protecting personal data and giving individuals control over their data, companies are naturally on the right track for compliance.
Companies should start by identifying and implementing the main workstreams required by the existing regulations, such as the processing of data subject requests and the management of personal data breaches. Improving a company’s privacy posture is more akin to a marathon than a sprint, with compliance with the various regulations as critical checkpoints rather than the finish line.
Since the numerous regulations in the United States provide too many separate legal texts for companies to track, companies can turn to industry best practices as operational guides to take concrete steps toward improving their privacy maturity. For example, government and intergovernmental organizations such as NIST and the OECD have developed privacy frameworks for companies to leverage.
Sample privacy frameworks and industry best practices
An Introduction to the NIST Privacy Framework
The NIST Privacy Framework is an enterprise risk management tool to help organizations identify, assess, manage, and communicate privacy risks. This voluntary framework follows the same structure as the NIST Cybersecurity Framework, which has become a recognized industry reference.
Depending on their risk appetite and goals, companies can define their own privacy targets by selecting the outcomes from the framework’s Core that matter to them (a Profile) and the corresponding Implementation Tier. With version 1.0 scheduled for publication at the end of the year, the framework is still in the draft phase. The preliminary draft from September 2019 leaves room for improvement, but it is still a valuable initiative that offers companies guidance in developing the privacy posture that best fits their organizational specificities.
Whether a company is starting to outline its privacy practice or has an established process of managing privacy risk, it can use the framework in individualized ways to improve privacy risk management practices and communicate the changes throughout the organization.
Looking ahead
In the face of a looming regulatory compliance challenge, companies tend to rush to the legal department.
However, in the case of privacy, given the regulations’ short compliance timelines and operational implications (e.g., website remediation, data mapping, contract review), companies should take immediate action, such as securing budget and resource capacity, before conducting a word-by-word analysis of legal texts that have yet to be finalized and take effect.
Companies should start planning a compliance roadmap and launch remediation initiatives that improve their overall privacy posture, and in so doing, prepare themselves for current and future privacy regulations.
Wavestone is a global management consulting firm with over 3,000 consultants, which supports leading companies and organizations in delivering their most critical transformations through combining management and digital consulting.
Wavestone US works in the domains of Operational Transformation, Technology, Cybersecurity, and Risk & Regulatory Compliance. With its recent acquisition of WGroup, a U.S.-based IT management consulting firm prized for its 70+ former industry senior executives, Wavestone is accelerating its expansion in the U.S.
Wavestone launched its Data Privacy offering in 2004. Since then, it has assisted clients in numerous industries in the various phases of their privacy compliance efforts, including maturity assessment, remediation roadmap definition, and privacy program implementation. We combine our past engagement experience, management consulting know-how, and business and functional expertise to deliver best-in-class data privacy recommendations tailored to our clients’ needs.