“There are different approaches that these institutions can apply in responding to emerging privacy regulations, depending on their risk appetite as well as the level of pre-existing capability built up through prior compliance efforts.”

In the previous blog in this series, we discussed some of the capabilities and controls needed for a robust data privacy program.   

However, financial services firms should keep in mind that new regulations may expand protections even further, such as the California Consumer Privacy Act’s (CCPA) provision for right to equal service for consumers and obligations to direct suppliers to dispose of eligible information in the event of a “right to erasure” request. There are different approaches that these institutions can apply in responding to emerging privacy regulations, depending on their risk appetite as well as the level of pre-existing capability built up through prior compliance efforts.   

Naturally, there are pros and cons associated with each approach. For example, firms can implement responses strictly for in-scope data subjects.  This approach, with its narrower scope, provides greater transparency to return on investment (ROI) and may increase the firm’s chances of reaching compliance with both the letter and the spirit of a specific rule.   

On the “con” side, this approach may be less efficient as additional federal and state guidance comes onstream, and it carries the potential for resulting in an uncoordinated “patchwork” of compliance efforts without standardization or integration.   

Another approach is for firms to enhance their data privacy model and align it with regulation stating the most exacting standards.  This provides an opportunity to re-use prior enterprise capability development (such as that created for the New York Department of Financial Services, General Data Protection Regulation (GDPR), and other initiatives), and generate efficiencies from new capability build, adopting a “build once, solve for many” approach.  

The drawbacks to this approach include the potential need for re-work, as federal and state guidance continue to change, and the potential for challenge from internal stakeholders and third parties to performing compliance tasks that are not directly applicable to present regulations. 

Our experience in supporting financial institutions on their journey to GDPR compliance has provided valuable lessons in the areas of scope and implementation.  In the sixth and final blog of this series, we will look at the pros and cons of addressing regulation within a broader “Consumer Rights” program and will conclude with some observations about effectively implementing CCPA programs. 

Please contact me if you have questions or wish to discuss this subject further. 

Submit a Comment

Your email address will not be published. Required fields are marked *