9 Ways to Jump-Start a Data Privacy Program
With new data privacy regulations going into effect across the globe, small and medium-sized businesses struggle with addressing them effectively. This blog recaps nine key components you should include in your organization’s data privacy program.
#1: Familiarize Yourself with New Data Privacy Regulations
Many organizations don’t realize that data privacy regulations apply to them based on where their consumers are located, not where the business is headquartered. If you do business with consumers in the U.S. states of California and Virginia, for example, you need to be aware that new GDPR-style data privacy regulations took effect on January 1, 2023. Colorado, Connecticut, and Utah follow suit by the end of 2023. You must update your compliance footprint to account for every jurisdiction where you have consumers, including regulations like the General Data Protection Regulation (GDPR) in the EU and the UK GDPR in the United Kingdom. Each of those regulations has its own thresholds and requirements, so the first step is to confirm which of them actually apply to you.
#2: Keep Your Company’s Privacy Policy Up-to-Date
A good way to start your program – no matter where your company does business – is to update your company’s data privacy policy. Key drivers for updating your privacy policy include:
- Government entities have become more vigilant about the enforcement of data privacy regulations: A high-profile example was the California Attorney General’s office announcement in August 2022 that cosmetics retailer Sephora would pay $1.2 million in fines as a result of its California Consumer Privacy Act (CCPA) violations.
- It’s a consumer-friendly business practice: According to research by digital technology provider Cisco, up to one-third of consumers can be considered “privacy actives” who have stopped doing business with a particular organization based on its ineffective data privacy practices.
- Mergers, acquisitions, and entry into new business markets may have resulted in obsolete policies: Mergers and acquisitions can result in privacy policies that are misaligned with current business practices, and entry into new business markets can expose your company to data privacy regulations that may not have pertained to your organization before.
Your goal should be to review and update your data privacy policy at least annually, and sooner whenever a new regulation, acquisition, or market entry changes how you process personal data.
#3: Know That Data Privacy Begins With Your Website
Because your website is the most visible place your privacy policy is published, it is the first thing customers, competitors, and even regulatory agencies will read. So, it’s in your best interest to always keep it up-to-date. But what’s the best way to accomplish that?
With solutions such as Egnyte’s Data Privacy Policy Generator, you can create a data privacy policy that can easily be linked to your company’s website. By updating the policy on a routine basis, your customers will be consistently presented with an up-to-date privacy policy, and regulators will see that you take data privacy seriously.
#4: Build a Data Map and Automate Data Mapping
Data mapping is the process of inventorying the personal data stored in your business systems: which systems hold it, which fields contain it, what categories of data they are, and why you process them. Almost every existing data privacy law requires, explicitly or implicitly, that you know this, and it’s anticipated to be a key requirement of future legislation. Data mapping is the foundational step for fulfilling the other obligations under privacy laws, such as:
- Responding to a Data Subject Access Request (DSAR).
- Conducting Privacy Impact Assessments (PIAs).
- Maintaining records of data processing activities (RoPAs).
Note that data maps can also be referred to as data inventories, as Article 30 records of processing (under GDPR), or as the disclosure of categories of personal information collected (under the CCPA). The concept is the same: you need a thorough record of the data processing that your company conducts, and it only stays accurate if it is rebuilt on a schedule rather than maintained by hand. We’ll explore PIAs more closely in the next section.
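As an added illustration of what a data map is and why it underpins DSAR responses (this is example code written for this article, not an Egnyte product or code from the original post), the following Python script scans a constructed inventory of three hypothetical systems (`crm`, `support_tickets`, `analytics`), classifies which fields hold which categories of personal data using simple regular expressions, and then answers a DSAR-style lookup for one data subject’s e-mail address across every system. The sample rows, system names, and patterns are all assumptions; a real discovery tool would also classify by schema and field name and cover far more identifier formats.

```python
import re
from collections import defaultdict

# Constructed sample data: three hypothetical business systems with a few rows each.
SYSTEMS = {
    "crm": [
        {"customer_id": 101, "email": "ana@example.com", "phone": "555-0101", "state": "CA"},
        {"customer_id": 102, "email": "bo@example.com", "phone": "555-0102", "state": "VA"},
    ],
    "support_tickets": [
        {"ticket": "T-1", "requester": "ana@example.com",
         "body": "My SSN 123-45-6789 was exposed"},
    ],
    "analytics": [
        # IP addresses count as personal data under GDPR, so the scanner flags them too.
        {"session": "s1", "ip": "203.0.113.7", "page": "/pricing"},
    ],
}

# Assumed, deliberately simple detectors for the identifier formats used in the samples.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),          # NANP local format used in the samples
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def classify(value):
    """Return the set of personal-data categories found in a single field value."""
    text = str(value)
    return {cat for cat, rx in PATTERNS.items() if rx.search(text)}


def build_data_map(systems):
    """Inventory which fields in which systems hold which categories of personal data.

    Result shape: {system: {field: [sorted categories]}}. Fields with no
    detected personal data are omitted, so the map doubles as an Article 30-style
    record of where personal data lives.
    """
    data_map = {}
    for name, rows in systems.items():
        field_cats = defaultdict(set)
        for row in rows:
            for field, value in row.items():
                cats = classify(value)
                if cats:
                    field_cats[field] |= cats
        data_map[name] = {field: sorted(cats) for field, cats in field_cats.items()}
    return data_map


def dsar_lookup(systems, email):
    """Find every (system, row) that references a data subject's e-mail address.

    This is the access-request path: without the inventory above you would not
    know which systems to search, and a missed system is an incomplete DSAR response.
    """
    hits = []
    for name, rows in systems.items():
        for row in rows:
            if any(email in str(value) for value in row.values()):
                hits.append((name, row))
    return hits


if __name__ == "__main__":
    for system, fields in build_data_map(SYSTEMS).items():
        print(f"{system}: {fields}")
    for system, row in dsar_lookup(SYSTEMS, "ana@example.com"):
        print(f"DSAR hit in {system}: {row}")
```

Running the script as written flags `email` and `phone` in the CRM, `requester` (e-mail) and `body` (SSN) in the ticketing system, and `ip` in analytics, and shows that a DSAR for `ana@example.com` must be answered from two systems, not one. The same structure scales to real systems by replacing the embedded rows with database or API queries and adding detectors for the identifiers your business actually collects.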
#5: Conduct Privacy Impact Assessments
According to the United States Department of Agriculture (USDA), a privacy impact assessment is defined as follows:
“...an analysis of how personally identifiable information (PII) is handled to ensure compliance with appropriate regulations, determine the privacy risks associated with information systems or activities, and evaluate ways to reduce the privacy risks.”
Once you’ve mapped your organization’s data, your goal is to identify the PII your company is currently collecting, assess the risk of each processing activity, and put controls in place to minimize what you collect and protect what you keep. This is an important step because PII is extremely attractive to cyber-attackers and critical to both organizational users and consumers. You can learn more about best practices to protect PII in this PII protection guide.
#6: Have a Plan in Place for Authorized Agents
Authorized agents are organizations that have the authority to submit DSARs on behalf of consumers. Examples include SayMine, Optery, and Incogni. As consumers become more vigilant about data privacy, you can anticipate that the use of authorized agents will increase. As such, you need a detailed plan to address the growing volume of DSAR requests from authorized agents, particularly as the number of regulations grows. That plan should include verifying that an agent actually holds the consumer’s authorization (regulations such as the CCPA let you require signed permission from the consumer) before you disclose or delete anything, since an unverified request is itself a route for leaking personal data.
#7: Understand That Cybersecurity and Data Privacy Are Intertwined
High-profile data breaches that involve the exposure of consumers’ PII and/or Protected Health Information (PHI) have resulted in companies re-evaluating why cybersecurity and data privacy teams haven’t worked more closely together in the past.
Organizations now realize that IT Security champions should be engaged in data privacy projects for the following reasons:
- It’s important to have a single view of risk across your organization.
- Cyber-attackers are looking to exploit weaknesses in both areas.
- A lack of effective IT security controls, such as Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and cybersecurity awareness and phishing training, has a strong correlation with the likelihood of data breaches.
#8: Complete Vendor Assessments and Attestations, and Update Your Contracts to Align with New Data Privacy Requirements
Here, your goal is to improve the security of your company’s digital supply chain. In the past few years, organizations have learned that they are only as well protected as their weakest supplier; the 2021 ransomware attack on Apple supplier Quanta Computer Inc. is just one example.
You need to assess how well third-party vendors manage your consumers’ information and have the vendors attest that they have the systems and controls in place to protect your data, your end-consumers’ data, and your business interests. All business contracts with key suppliers should incorporate data protection provisions, including breach notification timelines and the processor terms that regulations like GDPR require.
#9: Continually Assess Your Progress
Remember to track your progress on each of the stages above, so that when the next regulation comes into effect you can extend a standardized process rather than start over.