The amount of data produced this year was more than all of the data created in the history of the world. The numbers are not expected to slow down any time soon. If we think we have a problem today, tomorrow the problem will be even bigger. Therefore, there are some very difficult questions companies need to ask themselves on data privacy.
Initially, the answers may not be encouraging, but staying on the right path and dealing with the compliance issues will avoid costly legal hurdles down the line. While public policy and social responsibilities are evolving, data privacy regulations in the US and around the world are increasing every day, as are the potential risks and non-compliance penalties. This white paper addresses some of the key questions.
Many companies are still lagging behind on becoming compliant with CCPA and GDPR. There are still questions about whether these laws apply to them and whether enough budget will be appropriated to enable organizations to comply with these laws.
CCPA 2.0 has recently clarified some of the shortcomings in the initial bill. The attorney general of California has also started laying the groundwork for initial penalties by articulating what makes a non-compliance crime punishable with financial remedies. This is coming on the heels of GDPR recently assessing hefty penalties. Companies now face much bigger fines under GDPR than they previously faced. Recently, several companies have been hit with fines ranging up to $200 million each. While we believe that some of these fines will be contested, the majority of the fines will be paid. Otherwise, there is a strong risk that companies may not take the financial penalties seriously.
Other countries are quickly catching up with Europe and the US. For example, Brazil passed its own version of the data privacy law, called Lei Geral de Proteção de Dados (LGPD). Given that there are many global businesses operating out of Brazil, LGPD will quickly become another strong data privacy law that will have a recognizable impact on companies doing business in Brazil.
In short, these data privacy laws will not go away. Many of the requirements will have to be embedded in companies' products and services, as well as in their internal processes, in order to protect their consumers' data privacy rights.
It is clear that what was once considered a strategic advantage [collection of any data] is now a critical liability and possibly exposed to cyber breaches. So how is this data being protected, and what is the operating cost to the company of protecting it?
Now comes the task of sorting out what is critical and possibly discarding the remaining data. It is equally critical that the collection of personally identifiable data going forward have a clear and recognizable advantage to the company. This will require controls on what consumer data needs to be collected and how that collection is communicated to consumers, so that the proper disclosures can be made. This needs to be done not just to respect consumers' desires, but to protect the brand equity of the company. Companies that fail this exercise will be subject to repeat litigation, which will only increase the cost of non-compliance.
Hence, companies need not only to start discussing and incorporating their data compliance requirements into their annual budget plans, but also to understand how the new capabilities being implemented can be designed to be data-privacy compliant from day one.
We have all been sensitized to building "green" products, or those with a smaller carbon footprint. This is because it makes sense for all of us. What if we asked the same question about the degree of data privacy compliance of the products and services we are building? What if we went a step further and informed consumers that not only do we build good products and services, but they are already compliant with the way in which consumers want to engage with us?
Undoubtedly, this approach will build better trust with consumers. Recently, the US Government has convinced consumers in the US and in other countries politically connected with the US that the products produced by Huawei lack data privacy controls. This escalated to a point where Huawei cannot even buy foreign-made technology products to make its products.
Senior executives must ask, within their respective areas of responsibility, how they plan on adopting new data privacy capabilities to stay aligned with the company's data strategy. More importantly, they must ask how they assess the level of risk and communicate with their Board on the future direction of products and services.
Most companies are now familiar with the Business Associate Agreements (BAAs) they have to sign if they want to do business with a covered healthcare entity. This is a key requirement for companies to comply with the HIPAA regulation. There can be civil and financial liabilities that go far beyond the cost of engagements or the sale of products. This is currently not even a footnote on many financial statements made available to the public. However, the risk certainly exists.
In order to protect against data privacy issues, companies must have a robust mechanism to detect and measure the level of risk arising from a lack of data privacy. Many organizations have started taking this into account when looking at their internal processes and working out the level of data privacy compliance they need to adhere to as part of their contractual obligations.
On the flip side are vendor relationships and vendor qualification before deciding to procure products and services. Many large companies now have a VRM (Vendor Relationship Management) process in place that addresses these concerns. However, that process needs to focus on the level of data privacy risk in addition to getting the best price and quality.
Some will argue that regulations like CCPA and GDPR weaponize consumers and introduce additional cost structures. However, a few are concerned with what happens to consumers after a breach, or with the many phone calls received from sources unknown to any logical person, coming from phone numbers that are not even valid.
Personally identifiable data does get out and usually ends up in the wrong hands. Companies that collect personally identifiable data have a fiduciary responsibility to protect it or, if they cannot, to comply with consumers' desire to get rid of it. This will not go away.
Companies that harvest and protect consumers' private data legally and correctly will have a critical and indispensable advantage over their competition. More importantly, as AI applications become more prevalent, the amount of personally identifiable data available to bots will be critical to their success.
Besides the key benefits, there are also legal requirements for qualified companies to comply with CCPA and GDPR, such as consumer request management, reporting back to consumers on requests for access to their personally identifiable data, deletion/obfuscation of personal data, tracking requests for opt-outs from personal data sales, etc.
In the absence of these required capabilities, possible legal actions and penalties will be unavoidable.
Refik Ongun leads the Data Privacy & Regulatory Compliance Practice at Exavalu. He has worked with many companies on their data privacy requirements and has enabled them with a solution design approach, with concentrations in GDPR, CCPA, HIPAA, GLBA, APP, PIPEDA and LGPD, among others. He has an in-depth understanding of the regulations and has worked effectively with inside and outside counsel to minimize non-compliance risk.