The 4 Keys to Mastering Data Privacy
One can list seemingly endless steps to mastering your data, but these four are among the most critical components to compliance.
July 02, 2020 at 07:00 AM
The proliferation of organizational data, along with the concurrent growth in regulations that govern that data, has forever changed how businesses must manage their information. Despite their relative infancy, the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) have already made their mark on companies with lax cybersecurity policies, in the form of fines for data breaches and for failing to respond to consumer data requests in a timely fashion. And as we inch closer to July 1, when enforcement of the CCPA begins, many companies may find that they are ill-prepared for the sudden influx of consumer rights requests they might receive.
Privacy regulations are unlikely to go away anytime soon. For example, the CCPA hasn't fully launched, yet there's already add-on legislation up for consideration this fall. Therefore, it's imperative that businesses that are governed by these regulations—or that might be in the future—learn to master their organizational data. In practice, this means being able to successfully answer the challenges and risks that these regulations present to your business.
The four keys to successfully complying with these new data privacy laws are:
- Knowing your data: what you have, where it is, who can access it;
- Efficiently responding to consumer requests for data;
- Knowing who can access your data outside of your organization (vendor risk); and
- Keeping only the data that serves a business or legal purpose.
Overcoming these four challenges is fundamental to mastering your organizational data.
Knowing Your Data
Exterro's 2020 Corporate Legal Leaders Survey found that, for most general counsel and chief legal officers, the biggest challenges they face all have one thing in common: How to defensibly manage their organization's data. In particular, three primary data privacy-related challenges keep GCs and CLOs up at night:
- Preventing a data breach;
- Responding to litigation discovery requests for new data sources; and
- Responding to consumer data requests.
Each of these challenges requires two things: a data management strategy (including a comprehensive and up-to-date data inventory), and enterprise-wide collaboration among different teams. According to the survey's respondents, however, only one in six legal departments is tasked with ensuring data is managed in compliance with privacy or litigation requirements. Most of the time that responsibility sits with IT, which presents real risk if legal leaders aren't involved in developing the strategy.
Right now, seven in ten legal departments rely on technology to manage litigation, data privacy, compliance, and cybersecurity obligations. But without a comprehensive data strategy and an up-to-date data inventory, GCs and CLOs will have difficulty mastering the next step.
Efficiently Responding to Consumer Rights Requests
Three out of five GCs/CLOs are either concerned or very concerned about the CCPA, with good reason: an inaccurate or outdated data map/inventory simply won't support compliance, and many organizations don't practice the data hygiene needed to keep one accurate.
Talend's GDPR Research Benchmark found that companies most often failed compliance when they lacked a data privacy officer and when they were unable to locate data in order to respond to consumer requests. In part because of the difficulty of responding to data subject access requests (DSARs), 80% of organizations said that GDPR implementation was more difficult than compliance with other data privacy or security requirements, according to research from the Ponemon Institute and McDermott Will & Emery.
But let's say you already have a well-maintained data inventory at your organization (this is rare). What's next in responding to consumer data requests? Legal teams must have orchestrated workflows that engage the right teams and personnel in the right areas of the business. Without defined processes for managing these requests, legal teams leave their business wide open to organizational risk. These risks include:
- Inability to locate consumer data when requested (a data subject access request failure);
- Unsecured transfer of the data back to the consumer (a breach risk);
- Inadvertently giving the wrong information to the wrong person (effectively a data breach); and
- Deletion of material that is under another legal obligation, like a legal hold, or other retention obligation (a spoliation risk).
Knowing What Third Parties Have Access to Corporate Data
Third parties often don't seem to represent the biggest risk at face value, but the Ponemon Institute finds that it's more common to suffer a breach due to lax vendor security than from a direct attack on the organization itself. High-profile examples aren't uncommon: as recently as February 2020, current and former General Electric employees were notified that their personal details had been exposed in a breach at a subsidiary of Canon, the camera company, which processed data on GE's behalf.
Knowing your vendors can be seen as an extension of Knowing Your Data. As a relative of the data inventory/map, maintaining a vendor data inventory is the best way to keep an eye on which external actors have access to your data. Ask:
- Do you know what data your vendors are accessing, and whether they're managing it securely?
- Are you re-assessing vendor security practices on an annual basis to ensure they're complying not only with relevant regulations, but your organizational requirements?
Retaining Only Data that Serves a Business or Legal Purpose
Much of the data we store serves no business purpose. And because the CCPA dramatically expands consumer rights with the ability to request deletion of their data, and other copycat laws are on the way, it's best for organizations to start enforcing retention policies so that meaningless (but nonetheless risky) data is actually deleted.
Keeping data with no business purpose drives risk for two reasons: breaches and litigation. Data you don't have can't be breached, can't be demanded in discovery, and can't become the subject of a consumer request, so a disciplined retention program mitigates both litigation exposure and the breach provisions of the CCPA and GDPR. And while the CCPA does not prescribe a retention period for personal information, the GDPR's storage-limitation principle requires that personal data be kept no longer than necessary for the purpose it was collected for, meaning that companies can no longer simply keep all of their data indefinitely for no reason. As we pass July 1 (the CCPA enforcement date), revisiting organizational retention policies, and enforcing them, is now necessary to ensure that rogue data doesn't pop up later on and create more risk.
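The consumer-request risks listed under "Efficiently Responding to Consumer Rights Requests" and the retention enforcement described above come down to the same three operations over a data inventory: locate every record for a subject across systems, refuse deletion where a legal hold or a legally required retention period applies, and purge records that have outlived their business purpose. The following is an added example, not code from the article or from Exterro, showing those checks in working form. The inventory, system names, subject IDs and the retention schedule are all constructed sample data, and the schedule's "legally required" flag is an assumption standing in for whatever obligations (tax, employment, legal hold) actually bind a given category.

```python
"""
Added example (not from the article): a minimal data-subject request handler
over a constructed data inventory. Demonstrates the checks the article calls
for: locate a subject's records across systems, withhold erasure where a legal
hold or retention obligation applies, and purge records past retention.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Reference date for the sample data (the CCPA enforcement date in the article).
TODAY = date(2020, 7, 1)


@dataclass
class Record:
    system: str        # the store that holds it (hypothetical system name)
    subject_id: str    # the consumer it relates to
    category: str      # data category, keyed into the retention schedule
    created: date
    legal_hold: bool = False   # under a litigation hold: must not be deleted


# Constructed retention schedule: category -> (days, legally_required).
# legally_required=True means the record must be kept for the full period even
# if the subject asks for deletion (e.g. a tax or record-keeping obligation).
RETENTION = {
    "contact":   (3 * 365, False),
    "billing":   (7 * 365, True),
    "marketing": (180,     False),
}


def build_sample_inventory(today: date = TODAY) -> List[Record]:
    """Constructed sample data standing in for a real data inventory."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Record("crm",       "C-100", "contact",   ago(30)),
        Record("billing",   "C-100", "billing",   ago(400)),
        Record("marketing", "C-100", "marketing", ago(200)),      # past 180 days
        Record("crm",       "C-200", "contact",   ago(10), legal_hold=True),
        Record("marketing", "C-200", "marketing", ago(5)),
        Record("billing",   "C-300", "billing",   ago(8 * 365)),  # past 7 years
    ]


def locate(inventory: List[Record], subject_id: str) -> Dict[str, List[Record]]:
    """Access request: every record for the subject, grouped by system."""
    found: Dict[str, List[Record]] = {}
    for r in inventory:
        if r.subject_id == subject_id:
            found.setdefault(r.system, []).append(r)
    return found


def erase(inventory: List[Record], subject_id: str, today: date = TODAY
          ) -> Tuple[List[Record], List[Record], List[Tuple[Record, str]]]:
    """Deletion request. Returns (remaining inventory, deleted, withheld with reason).
    Legal hold is checked first: deleting held material is a spoliation risk."""
    kept: List[Record] = []
    deleted: List[Record] = []
    withheld: List[Tuple[Record, str]] = []
    for r in inventory:
        if r.subject_id != subject_id:
            kept.append(r)
            continue
        days, legally_required = RETENTION[r.category]
        if r.legal_hold:
            withheld.append((r, "legal hold"))
            kept.append(r)
        elif legally_required and (today - r.created).days < days:
            withheld.append((r, "retention obligation"))
            kept.append(r)
        else:
            deleted.append(r)
    return kept, deleted, withheld


def purge_expired(inventory: List[Record], today: date = TODAY
                  ) -> Tuple[List[Record], List[Record]]:
    """Retention enforcement: drop records past their period unless on hold."""
    kept: List[Record] = []
    purged: List[Record] = []
    for r in inventory:
        days, _ = RETENTION[r.category]
        if (today - r.created).days > days and not r.legal_hold:
            purged.append(r)
        else:
            kept.append(r)
    return kept, purged


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("access C-100:", {s: len(rs) for s, rs in locate(inv, "C-100").items()})
    _, deleted, withheld = erase(inv, "C-200")
    print("erase C-200: deleted", [r.category for r in deleted],
          "withheld", [(r.category, why) for r, why in withheld])
    _, purged = purge_expired(inv)
    print("purged:", [(r.subject_id, r.category) for r in purged])
```

The two withheld outcomes are the ones the article's risk list warns about: a record on legal hold is never deleted on a consumer's say-so, and a record under a mandatory retention period is kept until that period lapses, while everything else the subject asked about is removed. In a real program the withheld list is what goes back to the requester as the explanation for partial fulfilment, and the purge step runs on a schedule independent of any request.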
One can list seemingly endless steps to mastering your data, but the four discussed above are among the most critical components to compliance. Organizations that work to tighten their processes will have a leg-up on those who don't.
Rebecca Perry is the Director of Strategic Partnerships at Exterro, a provider of software that helps companies manage their information compliantly and defensibly under data privacy and cybersecurity regulations such as the GDPR, NYS DFS, CCPA and others. Rebecca has been with Exterro more than 25 years, helping legal, compliance, privacy and IT executives in the areas of information governance, data mapping, data minimization, records retention and third-party diligence. She manages the Alliance Partnership with the Association of Corporate Counsel and builds strategic relationships with leading law firms.