May 28, 2020

Estimated reading time: 4 minutes

InfoGov Insights: The operational requirements of data privacy

In the third blog of our series in collaboration with consultancy MC Bernstein Data, we look into the notorious challenges surrounding data privacy and explore how businesses can overcome them.

The data privacy landscape is notoriously difficult to navigate and challenges continue to arise. We asked Matthew Bernstein, founder of MC Bernstein Data and leading Information Governance Strategist, to share with us the challenges that arise when tackling data privacy, and how businesses are best placed to overcome them.

Data is a commodity that, over the past decade, has increased in value. Where once it may have conjured images of spreadsheets and filing cabinets, data is now big business. Finding value in data is a crucial business objective, and regulatory reporting, data quality, and data availability are at the forefront of data governance frameworks.

As with anything of value, data must be protected. The last few years have seen a burgeoning of data-centric regulation – from the California Consumer Privacy Act (CCPA) to the General Data Protection Regulation (GDPR). Business is facing increasing pressure from customers and regulators alike to implement effective data privacy programs.

Failure to manage data privacy effectively comes at eye-watering costs as data protection authorities ramp up enforcement action. British Airways, for instance, was fined £183 million in 2018 by the UK’s Information Commissioner’s Office after the data of 500,000 of its customers was compromised.  In the US, Equifax agreed to pay $575 million in 2019 in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories, over the company’s “failure to take reasonable steps to secure its network”.

The focus of GDPR and CCPA compliance efforts to date has been on the remediation of outward-facing PII activity: policy updates, notice and consent, and Data Subject Requests. This makes sense from an initial risk-management perspective: because these activities are public and observable, they are likely to get the most attention from enforcement authorities, and policy and consent are familiar ground for many data privacy risk owners (CISOs, DPOs, GCs).

But data privacy regulations impose significant operational requirements on organizations that will not be met by policy updates, website “notices”, or security upgrades alone. Among the many operational requirements, three types in particular are common to most data privacy laws, yet are generally not well implemented at this point in the evolution of privacy operations:

  • Acceptable use: what are you doing with PII?
  • Data sharing: who has access to the PII your organization has collected?
  • Documentation: can you evidence compliance with your data protection and privacy obligations?

Meeting these operational requirements calls for treating privacy obligations as a standard “cost of doing business”.  This means two dimensions of response:

  • An enterprise privacy “program”, rather than a “point solution” for a particular regulation. By acknowledging that privacy requirements will grow and change, companies become resilient to regulatory developments.
  • An “operating model” approach that considers the governance, people, process, and technology capabilities necessary to meet these complex requirements.

The objective for compliance efforts should be strong “business as usual” operations for data protection and privacy. Many times, the catalyst for action is a regulatory enforcement issue, a consumer inquiry, or class litigation. But this is not the time for an “all hands on deck” exercise that assembles independent policy compliance efforts across the organization, hoping that the whole is greater than the sum of the parts or assuming that what worked for one regulation works for all.

Perfection is not the objective: demonstrating the organization’s “good faith” efforts to comply will mitigate fines and reduce the imposition of large regulatory “corrective action plans”. With a “BaU” program in place, businesses are well positioned to face current and growing data protection and privacy obligations.
