Confirming the desired objective of the privacy operating model – compliance versus broader transformation
This is Part 2 of a four-part series that aims to help privacy officers revisit their current privacy operating model and assess whether it delivers the value expected by key stakeholders. Part 1 explored the important elements that make a privacy operating model effective in delivering value.
The evolving privacy regulatory landscape, propelled by the General Data Protection Regulation (GDPR) and now compounded by the California Consumer Privacy Act (CCPA), has redirected the privacy operating model from being focused on compliance to putting individuals’ rights front and center.
Figure 1 shows that over the last 10 years there have been three waves of privacy regulations:
- National regulations enacted to address country- and industry-specific concerns (e.g., outsourcing by financial institutions)
- State-based regulations, including 23 NYCRR 500, that mandated requirements to establish an effective information security program
- Individual rights gained more prominence and have been central to the GDPR, CCPA and upcoming U.S. state regulations
These waves were initially driven by technological advancements and the need to move personal data across the globe. Safeguarding the data became the norm set by regulators. Yet, safeguarding the data has never been enough. The indiscriminate use and sharing of personal data beyond the purpose for which it was originally collected stirred emotions among individuals and legislators in Europe, California, the other U.S. states, and virtually the rest of the world, putting individual rights at the center of privacy regulations.
Figure 1 – Evolving Focus of Privacy Regulations
How are organizations responding to the evolving privacy regulatory landscape?
We still see organizations that are struggling to build a defensible privacy program. Typically, the areas that organizations find challenging include:
- Over-retention or indefinite retention of data. The legacy of retaining personal data to anticipate future needs (e.g., claims, litigation, and accounts review) became a real challenge for organizations that plan to implement a working data retention and disposal policy. This is because of the sheer volume of data that has been retained and stored across multiple locations over the years. Privacy regulations require organizations to have a valid reason to retain data, including a legal obligation, a contractual provision, or a valid business need. From a CCPA perspective, it is critically important to have a legitimate basis for retaining data in case a business finds itself having to deny a consumer’s deletion request (e.g., further data retention is required to comply with a legal obligation).
- Data shared with third parties. First, inventorying the personal data that is shared with third parties has proven to be a formidable task. Second, once the inventory is completed, performing a “lookback review” of existing contracts with third parties, coupled with potential renegotiation, has been tedious and time-intensive. Under the CCPA, a business that receives a verifiable request from a consumer to delete personal information is also required to direct any service providers to delete the data from their records.[1]
- Data discovery. Knowing the type of personal data held and its exact location within an organization is key to responding to individual requests, including having access to the data, making corrections to it and even deleting it. The data discovery exercise is complicated further when an organization has to account for unstructured data that is hosted in emails, text files, images and video files. Many organizations, at a minimum, have conducted manual data discovery surveys. However, our experience indicates that keeping the data inventory up to date is challenging; hence, organizations opt to automate their data discovery and its maintenance.
Some organizations that have already met the bare minimum compliance requirements maintain the status quo of their privacy program for pragmatic reasons, including resource constraints or other business priorities. Many organizations that we work with are strategically investing to enhance their current privacy program, align with peers and be industry competitive.
Privacy Program Maturity Journey
Organizations are faced with key decisions regarding the level of transformation they seek in their privacy programs given the appetite to gain consumer trust. With 80% of consumers highlighting trust as a key driver of brand loyalty,[2] organizations should calibrate their response to privacy regulations between two ends of the spectrum:
- Changing for compliance purposes – meeting the regulatory needs
- Transforming to compete on trust – viewing regulation as a platform for further industry competitiveness
Setting the right path for the organization in response to privacy regulation is a key near-term priority and requires concerted action across lines of defense. Large private sector firms risk losing an estimated $5.2 trillion in value creation opportunities in the next five years if erosion of consumer trust persists.[3]
Figure 2 below expounds on a potential privacy program maturity journey that an organization can undertake. The transformative journey goes beyond mere compliance with the regulation. The organization is not limited by the letter of the law and goes beyond the spirit of the law. In instances where the law does not prescribe, a transformative organization navigates the gray areas through a set of values and ethical considerations when using personal data in pursuing its business interest.
Figure 2 – Privacy Program Maturity Journey
In the next blog, we will discuss shifting privacy responsibilities from the second to the first line of defense and the motivation behind this. We will also explore the various role scenarios for privacy program leadership and oversight within organizations.
1. “California Consumer Privacy Act of 2018 [1798.100 – 1798.199],” California Legislative Information. Access at: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
2. “Brand Trust Is Becoming More Important: Here Are Some Key Stats And Themes,” Marketing Charts, July 10, 2019. Access at: https://www.marketingcharts.com/brand-related/brand-loyalty-109127.
3. “Securing the Digital Economy: Reinventing the Internet for Trust,” Accenture 2019. Access at: https://www.accenture.com/_acnmedia/thought-leadership-assets/pdf/accenture-securing-the-digital-economy-reinventing-the-internet-for-trust.pdf.