The data privacy landscape is notoriously difficult to navigate and challenges continue to arise. We asked Matthew Bernstein, founder of MC Bernstein Data and leading Information Governance Strategist, to share with us the challenges that arise when tackling data privacy, and how businesses are best placed to overcome them.
Data is a commodity that, over the past decade, has increased in value. Where once it may have conjured images of spreadsheets and filing cabinets, data is now big business. Finding value in data is a crucial business objective, and regulatory reporting, data quality, and data availability are at the forefront of data governance frameworks.
As with anything of value, data must be protected. The last few years have seen a burgeoning of data-centric regulation – from California’s Consumer Privacy Act (CCPA) to the General Data Protection Regulation (GDPR). Businesses are facing increasing pressure from customers and regulators alike to implement effective data privacy programs.
Failure to manage data privacy effectively comes at eye-watering costs as data protection authorities ramp up enforcement action. British Airways, for instance, was fined £183 million in 2018 by the UK’s Information Commissioner’s Office after the data of 500,000 of its customers was compromised. In the US, Equifax agreed to pay $575 million in 2019 in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories, over the company’s “failure to take reasonable steps to secure its network”.
The focus of GDPR and CCPA compliance efforts to date has been on the remediation of outward-facing PII activity: policy updates, notice and consent, and Data Subject Requests. This makes sense from an initial risk-management perspective: because these activities are public and observable, they are likely to get the most attention from enforcement authorities, and policy and consent are familiar ground for many data privacy risk owners (CISOs, DPOs, GCs).
But Data Privacy regulations impose significant operational requirements on organizations that will not be met by policy updates, website “notices”, or security upgrades alone. Among the many operational requirements, there are three types in particular that are common to most data privacy laws, yet are generally not well-implemented at this point in the evolution of privacy operations:
- Acceptable use: what are you doing with PII?
- Data sharing: who has access to the PII your organization has collected?
- Documentation: can you evidence compliance with your data protection and privacy obligations?
Meeting these operational requirements calls for treating privacy obligations as a standard “cost of doing business”. This means two dimensions of response:
- An enterprise privacy “program”, rather than a “point solution” for a particular regulation. By acknowledging that privacy requirements will grow and change, companies become resilient to regulatory developments.
- An “operating model” approach that considers the governance, people, process, and technology capabilities needed to meet these complex requirements.
The objective for compliance efforts should be strong “business as usual” operations for data protection and privacy. Many times, the catalyst for action is a regulatory enforcement issue, consumer inquiry, or class litigation. But this is not the time to do an “all hands on deck” exercise, assembling independent policy compliance efforts across the organization, hoping that the whole is greater than the sum of the parts or assuming that what worked for one regulation works for all.
Perfection is not the objective: demonstrating the organization’s “good faith” efforts to comply will mitigate fines and reduce the imposition of large regulatory “corrective action plans”. With a “BaU” program in place, businesses are well-positioned to face current and increasing data protection and privacy obligations.