As technology continues to rapidly evolve, the regulatory landscape around the data that these tools collect and store evolves as well. CIOs and CISOs, who are at the forefront of this evolution, can expect to see continued challenges to their existing data privacy and security procedures as states across the U.S. and nations around the world continue to develop and change the regulatory requirements aimed at safeguarding consumer information. In fact, Gartner predicts that, “by 2023, 65 percent of the world’s population will have its personal data covered under modern privacy regulations.” Critical to staying ahead of the game is putting the right technology in place to operationalise privacy protections, while using creative approaches such as looking to outside resources to manage backend processes. At the same time, these leaders are grappling with putting in place the highly skilled people needed to respond to customer inquiries about how their data is being used and protected. All of this is being done to avoid the financial impact of regulatory violations, which can cost an organisation millions of dollars.
Global Regulations and Consumer Concerns
Keeping up with the changing regulations is something most companies find to be a challenge, according to Manisha Agarwal-Shah, managing director and head of Protiviti’s data privacy practice. To help alleviate some of the confusion, her team is producing a single, global approach to compliance with the major regulations. “GDPR, CCPA/CPRA, LGPD, the Canadian PIPEDA and POPI, which is the South African privacy law, are having the biggest impact on most companies,” she said. “It is quickly becoming apparent that organisations have so many regulations to comply with. We are looking at the places where we have, say, 80 percent overlap so that we can minimise compliance fatigue for organisations and help them develop unique frameworks for compliance specific to their environment,” she added.
Operationalising the Reg Tech Environment
“To manage all the data governance matters required by privacy regulations, we are predicting growing adoption of solutions for data discovery and data classification and protection fully integrated with business applications,” said Ferretti. “There are some industries that are more impacted by privacy matters than others, including energy, utilities, telecommunications, health and safety and distribution, to name just a few,” he added. These are all industries that manage privacy data for a large number of customers.
Organisations that do not take a technology approach to privacy have a difficult story to relay to the regulators to justify how their data security programme really operates. “It is virtually impossible to do this well manually for larger organisations,” said Agarwal-Shah. She used the example of an online dating service to illustrate the point. “Let’s say I’m a consumer using this online dating app and I call that company to say, ‘I want to delete my account, and also, tell me all the data you have about me and which vendors you’re selling it to, and where else it might be shared.’ I believe the current regulations allow 30 days to respond. That is a nearly impossible task for the organisation to do manually – especially when they receive thousands of these types of calls every month. With the right technology in place, much of that work happens in the background. Essentially, working with a vendor, the organisation can have a small team of folks dedicated full-time to responding to these requests, instead of hundreds. When considering the need to train and manage a large staff, including the expected turnover, it makes sense to bring in a third party to handle this regulatory compliance work.”
As mentioned in an earlier blog, Why Data Privacy and Security Must be a Priority in 2021, Agarwal-Shah said, “it is important to begin by evaluating all the different use cases needed to meet an organisation’s privacy needs. We encourage clients to ask themselves, ‘how do we implement our existing technology to meet our objectives? Which available technologies provide that service and how well can it actually be achieved?’ An organisation might realise that 80 percent of those use cases are being adequately met, based on its current stack.” She added that how an organisation will govern, or manage, its data is also a critical concern. “Making executive decisions around what type of technology is needed versus just focusing on the most cost-effective solution that’s available will be important. Tech leaders want to make sound decisions, not just cost-saving decisions.”
Agarwal-Shah’s privacy team has created more than 30 standardised use cases, which range from tracking ROPA (records of processing data) and data inventories to managing data subject access requests (DSARs), cookie compliance, conducting privacy impact assessments and more. These use cases are easily adapted to a particular organisation’s unique needs.
The Cost of Noncompliance
“The risk of noncompliance is so high in terms of fines,” said Agarwal-Shah. “GDPR penalties can range from two to four percent of global revenue, or up to 20 million euros. In the U.S., it varies by state, and there are hefty fines associated with not managing data appropriately.” While, as mentioned above, companies can attempt to manage privacy processes manually, “it’s something we would never recommend clients do,” she added. “It really adds a significant amount of value to be able to have an automated data inventory, whether it’s tracked from a survey-based analysis or true automated data discovery. It’s critically important to embrace automation to manage data tracking upfront, quarter over quarter, or more often depending on how the business changes. The biggest benefit is in economies of scale. You may require 100 people to effectively manage the number of requests being received. However, by investing in the right technology, you can reduce the resources and the resource requirements needed to manage privacy expectations, both now and well into the future.”