Other parts of this series:
In the previous blog in this series, we looked at how companies can assess and evaluate key capabilities needed to respond to the new California Consumer Privacy Act (CCPA), which is scheduled to go into effect in July 2020.
In this blog, we will examine how companies can leverage capabilities and controls already in place. Many institutions in the U.S. have put structures in place to respond to large-scale regulatory initiatives stretching back to the Gramm-Leach-Bliley Act (GLBA) and more recently the New York State Department of Financial Services (NYDFS) and the General Data Protection Regulation (GDPR). Many of these structures can be repurposed to proactively build stronger client relationship, with an emphasis on five core capabilities:
- Privacy Operating Model and Program Governance. Following the lead of the GDPR, many financial institutions are either establishing a position in the organization that is responsible and accountable for consumer rights and data privacy, like the data protection officer (DPO) or the chief privacy officer (CPO) role or raising the stature of these existing roles and conferring upon them the authority to highlight risks and make required changes across the organization. Such decisions should be taken in accordance with the organization’s privacy risk appetite.
- Data Discovery and Classification. The discovery, inventory and classification of personal information is a significant area of focus of any privacy program given the specific guidance of various regulations. Scanning should be automated and at scale with fit-for-purpose tools that can access both structured and unstructured data sources, leveraging existing technologies or supplementing with accelerators from the market. Implementation of data discovery and classification tools can be complex due to the multitude of architecture patterns and platforms on which data can reside, which in turn may necessitate prioritizing the discovery of certain sources while, in parallel, preparing for the discovery of more complex areas in subsequent sprints.
- Process Design and Implementation. Processes should be designed to manage all client requests related to privacy through to completion, such as access to information, opt out or erasure requests. Navigating the data supply chain across multiple third parties whose risk appetite, controls, and maturity may not match those of the financial institution is a key area of complexity, though persistence in closing out negotiations to update contract language and even to weigh the sustainability of certain relationships going forward is key.
- Technology. In addition to data discovery, capabilities should be leveraged to protect personal data across applications, workstations, servers, and the data supply chain in accordance with the overall privacy strategy. Identifying the remediation of legacy applications that may not support deletion, anonymization or other regulatory expectations is a key priority to support compliance, potentially requiring the adoption of more manual compensating controls in the short term, as a precursor to more strategic change.
- Training and Awareness. Investments in technology cannot prevent major lapses and large fines if not accompanied by updates to policy and procedure, along with the necessary training around such changes to build a culture of awareness and respect for consumer rights and data privacy. Training should take place at two levels: first, at the enterprise level, to build awareness; and, second, in the form of role-based guidance for front-line staff handling consumer inquiries, such as consumer contact teams, social media specialists or those managing online platforms.
In the next blog in this series, we will look at some of the capabilities and controls for a robust, comprehensive privacy program.
To find out more about the CCPA please contact me.