Other parts of this series:
- The Challenge and the opportunity of the California Consumer Privacy Act
- Designing a comprehensive data privacy and security program
- Meeting California Consumer Privacy Act requirements with existing capabilities
- Capabilities and controls for a robust data privacy program
- Privacy Regulations: What approaches are emerging from financial services?
- Addressing privacy regulation within a broader “consumer rights” program
In the previous blog in this series, we looked at the pros and cons associated with two different approaches to regulatory programs such as the California Consumer Privacy Act (CCPA). The first is a response designed strictly for in-scope subjects, and the second is the enhancement of the data privacy model so that it aligns with the regulation that sets the most exacting standards.
There is, however, a third approach, one based on addressing regulation within a broader “consumer rights” program. This approach allows organizations to stand in the shoes of their customers or consumers, leveraging regulatory-driven change as an opportunity to differentiate in the market while preparing for compliance.
Cons of this approach include the complexity of gaining enterprise collaboration and alignment, especially when securing the sponsorship for investment over and above that required for a more tightly defined scope.
There are some practices that firms can find useful no matter what approach they take. Key examples include the importance of operating in a truly cross-functional manner across the organization, reflecting the scope of new requirements and the opportunity to allow the first line of defense to assume its role, owning privacy risk in a new regulatory era of consumer rights. Another lesson from our work on the General Data Protection Regulation (GDPR) is the opportunity created for organizations to adopt a consumer perspective that focuses on enabling key use cases such as “right to access” and “right to erasure,” rather than building an application-by-application view, in which it can take more time to identify and understand interdependencies.
As we mentioned at the beginning of this series, CCPA is one of the most comprehensive and far-reaching new privacy rules. It presents financial services institutions with challenges, but CCPA is also an opportunity to create more transparent and trust-based relationships with clients by taking a holistic approach that goes beyond mere compliance and security concerns and allows them to create differentiated outcomes.
Please contact me if you have questions or wish to discuss CCPA in more detail.