The regulatory tsunami that began with the European Union (EU) General Data Protection Regulation (GDPR) continues in the United States (U.S.) with the California Consumer Privacy Act (CCPA). A U.S. federal privacy law also looms large on the regulatory horizon. Including Singapore's Personal Data Protection Act 2012 (PDPA) and Brazil's LGPD, around 120 countries across the globe have adopted some form of data protection regulation, and 40 more countries have pending regulations and are in the process of enforcing them. The wave of data protection and security is not limited to the EU or the U.S.; it is quickly becoming a priority initiative across the globe. To avoid costly fines, legal battles and reputational damage, businesses must start strategizing and operationalizing their data privacy programs now.
The impact of privacy regulations is being felt in the EU and U.S. with several high-profile companies currently under scrutiny. Regulators caution that organizations should expect to see an even higher level of scrutiny on privacy practices going forward. Companies are also faced with data identification and protection risks resulting from data breach laws. When these laws go into full effect, individual residents will gain the legal right to demand transparency in how companies collect, use, process, share and sell their personal data. Individuals will also receive new rights to access and receive information in a usable and transferable format, and request deletion of their data, among others.
For every customer request, companies will have a limited time, stipulated by these regulations, to respond and deliver the information about the customer. Responding will require an organization to retrieve a customer's personal information (PI) and link it to the different applications and business processes that use it, in order to understand the specific personal data involved. It will also require businesses to detail the type of data shared, the purpose of sharing and the categories of sources from which the PI was collected. Identifying and mapping out this data is time-consuming and burdensome, given the large customer population and even bigger volumes of data across siloed repositories.
In addition to responding to requests from individuals exercising their newly acquired rights, organizations also have other obligations stipulated by these regulations. A few of these include reporting to regulators on the processing of personal data and the legitimacy of such processing, instituting adequate data security measures, managing consent, and notifying authorities and individuals of data breaches within a very short span of time (within 72 hours for GDPR). Handling of sensitive personal data (religious and political affiliations, sexual orientation, etc.) and the PI of minors is subject to stricter provisions in these regulations.
Bracing for the storm of stricter data regulations
Enterprises around the world need to start assessing, preparing and implementing compliant data management systems or risk reputational and financial damages from fines, penalties and lawsuits, and a corresponding lack of consumer trust.
Preparing for these upcoming data regulations involves more than just improving how businesses discover, classify and manage their data. Organizations must also operationalize how they respond to the deluge of customer data requests. They need to establish a culture of data protection and privacy across their organizations with an underlying legitimacy of processing.
Simply put, in an era of stricter scrutiny over how data is collected, processed and used, companies need to have a comprehensive, intelligent and sustainable data privacy strategy. It requires a complete data landscape assessment and an automated approach to discover and organize data across siloed repositories. It also requires a data governance framework and leading technology solutions to operationalize and automate data requests from customers and reporting to regulators. Lastly, companies need a strategy and roadmap for their ongoing requirements of regularly monitoring and tracking data flows.
Comprehensive data privacy management solution
At Accenture, we recommend combining Data Discovery along with the innovative Knowledge Graph, Data Privacy Impact Assessment (DPIA) module, and Privacy Portal technology, to deliver an intelligent, end-to-end approach for managing customer data and reducing compliance complexity.
The seas of stricter data regulations will only get rougher. But a comprehensive, strategic and sustainable data privacy program will enable enterprises to weather the storm of rigorous data protection compliance.