New Data Privacy Laws — Workflow Burden or Competitive Opportunity?

The year 2018 is shaping up to be the year of stricter business regulations covering customer security and privacy protection. With customer data breaches at companies as varied as Equifax , Macy’s, and Panera Bread Company, along with the Facebook/Cambridge Analytica debacle — described as “a watershed moment in the public understanding of personal data” — consumers and governments are calling for, and enacting, tighter regulations on how personal data is managed, secured and used by businesses.

Understanding the regulations and what businesses are expected to do for compliance allows solution sales professionals and their customers to recognize how they can work together in this compliance quest.

More acronyms – GDPR and CCPA

The General Data Protection Regulation (GDPR) of the EU went into effect May 25, 2018. The purpose of the GDPR is to give EU individuals control over their personal data by regulating how a company or organization may process, protect and use that data. Companies and organizations not in compliance with the GDPR face penalties of up to €20 million ($23 million USD) or 4 percent of their annual revenue. Though focused on EU companies and organizations, U.S. businesses that receive and process data from customers who are EU individuals must also comply or face the same penalties.

In the United States, California was the first state to enact similar regulations. The California Consumer Privacy Act (CCPA), which passed on June 28, 2018, gives Californians virtually the same type of control over their personal data as the GDPR. That control includes the rights to know what personal information businesses collect, request that it is corrected or deleted, know who the data has been shared with, and order businesses to stop sharing that information. The legislation will start to be enforced January 1, 2020, and companies not in compliance will face new penalties. The CCPA is expected to set the standard in the U.S. for other states to follow.

The California Consumer Privacy Act (CCPA), which passed on June 28, 2018, gives Californians virtually the same type of control over their personal data as the GDPR.

These regulations hold businesses more accountable for how they gather customer information, protect it, manage it, share it, communicate data breaches and oversee their compliance efforts. This compliance is increasingly critical to their business and will require business process changes. In a study done by the Ponemon Institute, 71 percent of companies surveyed said they would suffer a detrimental impact on their ability to do business globally by failing to comply with the GDPR, and 60 percent said the GDPR will create significant workflow changes. Additionally, 50 percent of United States companies said complying with the GDPR will be more difficult than complying with the other security and privacy rules currently enforced.

Individual rights and business requirements

The GDPR and CCPA frame many rights that individuals have regarding their personal data privacy and security. These include (but are not limited to) an individual having the right to:

• Access and request a copy of their personal data held by a business and receive a copy at no charge in an electronic format that allows the individual to transfer the data from the current business or service provider to another.

• Correct errors that the business may have in their personal data to ensure all information is up to date.

• Know how their personal data will be used and with whom that data is being shared. Importantly, consent to use personal data must be freely given by the individual.

• Request that their personal data is not used or is restricted for use. Companies must make this right clear at the start of any communication with the individual.

• Know how long their personal data will be stored.

• “Be forgotten” by having any stored personal data permanently deleted.

• Be notified within a reasonable time after a business becomes aware of a data breach.

To meet these individual rights there are multiple requirements a business must meet for both the GDPR and CCPA. Some of these requirements include:

• Designation of a Data Protection Officer (DPO) responsible for Data Protection Impact Assessments (DPIA) and monitoring the company’s compliance with the regulation.

• Implementation of processes to facilitate and respond to customer (individual) requests to access, correct or erase personal data as well as provide the data free of charge and in the proper format to the customer. Responses should be ”without undue delay” per the GDPR and within 45 days per the CCPA.

• Installation of internal policies and enablement of security features of technologies they use based on the principles of “data protection by design.”

• Assignment of responsibilities and training employees who handle customer requests.

• Establishment of policies and procedures to respond to data breaches and to communicate the risk of any breach to customers much faster than in the past.

Because of the amount of customer data captured and available to businesses and the vast number of places customer data and content can be stored and used by a business, following these new regulations can seem daunting. It is important for dealers, the VAR channel, and ultimately sales professionals to partner closely with their customers and determine the type of guidance, changes, solutions and services that will be most helpful to meet these new directives.

Process and workflow changes

To begin to understand what changes are required for compliance with the new regulations, a company or organization must have a clear view of the current data collection, security, privacy policies and procedures it has in place. An audit — or DPIA — should be done to identify what personal data is gathered, where it comes from, where it is stored, why and how it is collected, how long it is retained, how well the business can respond to customer requests regarding their personal information, and what remedial actions must be taken to bring the processes up to standard. Links to examples and templates of a DPIA can be found at the end of this article.

Once a DPIA is complete, the improvements required will fall into three key categories:

1. Business Processes.

2. Use of Technology.

3. Governance.

To begin to understand what changes are required for compliance with the new regulations, a company or organization must have a clear view of the current data collection, security, privacy policies and procedures it has in place.

Business processes

In a June 18 Workflow article, Mark Holenstein of Signavio wrote, “With any organization looking to become GDPR compliant, processes must change to better protect the organization and implement new workflows.” This statement also holds true for the CCPA and what is to come from other jurisdictions in the future. Processes and policies which were once put in place to reduce costs, improve productivity or improve customer service must now be viewed with the privacy of customer information fully in mind. New processes and policies will need to be put in place to handle the customer consent requirements and customer data correction or deletion requests. For example, the Ponemon study revealed U.S. companies said operationalizing the right “to be forgotten” response (71 percent) and getting and managing user consent (66 percent) were the areas at highest risk of failure for compliance with the GDPR. Training for employees will need to be implemented to ensure they understand their roles and responsibilities in the business processes and their impact on the company’s compliance with the regulations.

Technology

We know technology can enable business processes to run smoothly, efficiently and securely. Technology also claims an important role in helping businesses meet the new regulations. A recent AIIM study says the five most critical intelligent information management technology capabilities for GDPR compliance are:

1. Records management and digital preservation.

2. Data recognition, extraction and standardization.

3. Business process management.

4. Cloud content management.

5. Artificial intelligence, content analytics and semantics.

Recognizing, extracting (collecting) and managing data with “privacy by design” practices means the customer’s privacy is taken into consideration from the very beginning of any interaction with a customer. Using encryption, pseudonymization and other security features of the device and software technologies used in the business can provide this more secure privacy protection from the beginning of data collection. Storing and processing information, whether using on-premise servers or cloud applications, should also use security features such as encryption or pseudonymization when the data is both at rest and in transit. Unfortunately, data breaches will continue to happen, but risks can be reduced by using up-to-date security features and practices.

When collecting or extracting information, records management systems rely on proper tagging, metadata and keyword input for automated workflow and organized filing. Having a standardized method of tagging, metadata,  and keyword input will make for easier search and discovery to meet the customer requests for copies of their personal data or to delete all affected records if requested. The use of artificial intelligence, machine learning and content analytics may provide levels of automation and standardization to workflow and filing processes. Accuracy in capturing and processing data as well as minimizing the amount of data stored and the locations it is stored in will help businesses more rapidly respond to customer requests.

Unfortunately, data breaches will continue to happen, but risks can be reduced by using up-to-date security features and practices.

Governance

Accountability to these new regulations means businesses will need to create clear data governance policies to ensure that everyone in the business understands their responsibility in complying with the new rules. Deciding to put a DPO in place is an option many companies will need to take. Someone will need to be responsible for overseeing that security, privacy and response policies are in place and carried out correctly. This person will need to ensure all staff are trained and updated on a regular basis and that scheduled audits or assessments are undertaken as part of continuous awareness and improvement processes.

Policies that govern data storage, use and deletion (lifecycle management) should be created, followed and reviewed regularly. The security features of technologies used in data collection, extraction, management and storage should be enabled and used to help adhere to these governance policies. A “do” and “don’t do” list or rulebook could be essential to make sure all customer data privacy policies are constantly visible to employees and therefore followed.

In all these categories, dealers, VARs and their solution sales professionals must fully understand their products and services and how the solutions they offer can help their customers meet their compliance needs. In addition, dealer and VAR businesses need to examine the impact these new rules have on their own business when handling customer data. Learning this way will provide valuable experience and credibility when dealing with their customers.

Burden or opportunity

Businesses

Most regulations are burdensome for businesses. The GDPR and CCPA type regulations require a business to take time to study, evaluate and create remediation plans to ensure compliance with the new rules. By doing this they reduce the possible, and potentially costly, non-compliance penalties.

In a very real sense, businesses can see their efforts to comply with these new regulations as an opportunity to create competitive advantage. By making sure their customers know of the compliance plans and policies, businesses can promote these efforts to increase customer trust and loyalty. In today’s digital world of hackers and data breaches, businesses that recognize the risks to their customers’ privacy and who act to mitigate or prevent those risks will be much more attractive to customers.

Resellers

For solution sales professionals, taking time to understand these new regulations and how their products, solutions and services can help their customers meet the requirements of the GDPR and CCPA can provide a tremendous competitive advantage. Services that help companies complete assessments such as DPIAs, configure and enable security features on devices and software, or data discovery services can benefit their customers. Solutions that improve the automation and standardization of data collection, extraction, tagging, storage, search and deletion will bring further value to customers. Having a holistic view of how products, software and services work together to provide the best compliance solution will strengthen the customer and seller relationship and make it harder for others to compete.

What’s next

Now is the time for solution sales professionals to be engaging and working with their business customers affected by the GDPR or CCPA. Even if their customers aren’t affected by either of these, more privacy regulations are expected from other states. The technology solutions and services that dealers and VARs have in their portfolio can help businesses comply with the current rules and be prepared for future regulations. Closer partnerships with customers in meeting security and privacy needs brings a competitive advantage and future growth for all. 

For more information on the GDPR and CCPA:

Compliance Junction – Everything You Need to Know About HIPAA and GDPR Compliance

https://www.compliancejunction.com/gdpr-for-us-companies/

California Legislative Information Assembly Bill No. 375 – CCPA

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

PwC (Your readiness roadmap for the California Consumer Privacy Act (CCPA))

https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html

Regulation (EU) 2016/679 of the European Parliament and of the Council – GDPR

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

The GDPR and You (Data Protection Commission of Ireland)

http://gdprandyou.ie/resources/

UK Information Commissioners Office (Data protection impact assessments)

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/#_Step_45:_How

DPIA Templates and Examples

https://iapp.org/media/pdf/resource_center/dpia-template-v04-post-comms-review-20180308.pdf

https://iapp.org/media/pdf/resource_center/dpia-template.pdf