Does My Company Need A Data Privacy Program?

Companies are required to demonstrate regulatory compliance even if no violation has occurred. That means a privacy program, or at least a basic one. While a full-scale "gold standard" compliance program is not practical for every company, having the GDPR basics covered in the event of a data breach, an audit, or a customer's privacy rights request is an absolute must.
More and more, companies are being asked to demonstrate compliance with data protection laws as a condition of being awarded business. This is because privacy compliance has a rising profile with risk management teams, as data breaches have become a matter of consumer confidence.
Laws like the General Data Protection Regulation (GDPR) are no longer conversations just for lawyers and privacy professionals. In the U.S., there is no national law (yet); the California Consumer Privacy Act (CCPA) was the first state law to pass, but not the last. Virginia passed the Virginia Consumer Data Protection Act (VCDPA) and Colorado passed the Colorado Privacy Act (CPA), both of which take effect in 2023. Add to that many international laws such as Brazil's LGPD, China's PIPL and Canada's PIPEDA, to name a few.
So how does your company prepare for this? You have multiple jurisdictions to consider, some of which are yet to be defined. Trying to satisfy all of these different countries' data privacy regulations (with more on the way) without a plan will create unmanageable complexity very quickly. A privacy program management plan is key to navigating data privacy compliance while maintaining your business agility.
What Does A Data Privacy Program Look Like?
Every program is different. For a multinational, it looks like teams of people coordinating across IT, HR, business and legal, led by a Data Protection Officer (DPO). For small and medium-sized businesses, it is some combination of a small group of domain representatives and/or outside advice. Whatever your company's size, at a high level most data privacy programs will involve these areas.
This all adds up to demonstrable compliance. It isn't enough to be able to say, or even to show, that you've done nothing wrong. Many global privacy laws require your company to be able to demonstrate compliance during a privacy audit. This is the new standard for data privacy.
Privacy Program Development FAQ
This is actually the most common question, and a very understandable one. The regulations are complex and ever-changing. The place to start is understanding which laws apply to your company, what data you have, and where it comes from. If the answers are "several laws spanning several countries" and "we have a lot of data from a lot of different sources", your next step is probably to determine whether you have someone who can dedicate significant time to getting up to speed on the privacy landscape. If not, or not quickly enough, outside advice is a good idea.
We do not charge for an assessment. We're happy to discuss your company's profile and point you toward resources or offer our services.
Yes, yes, or both. Our team is ready to lead development, provide outside data privacy advice, or deliver a starting-point program that your team can build upon. No two companies' needs are the same; we will tailor our services to meet yours.
Great question. This really depends on where you do business geographically and what technology and services you're using. If you're moving data across international borders, it is best to get technical and strategic advice, and sometimes legal advice.
Data privacy is achieved on several fronts. To name a few: physical security, cryptography, data acquisition strategy, privilege management, information security, compliant processes, training, leadership investment, vendor management... and the list goes on. The bottom line is to understand the importance privacy plays in protecting your brand and to invest in a plan that won't limit your business agility.