In an informative Q&A roundtable with Risk & Compliance Magazine, Navigant Directors Joseph Campbell and Kathryn Rock discuss data analytics and data privacy.
Could you provide an overview of data privacy trends unfolding across the globe? What have been the overarching developments of the past few years?
Joseph Campbell: Countries and their citizens recognize the critical importance of information privacy. Compromised personal data is exploited by malicious actors to victimize individuals through financial and identity fraud and is used against countries’ economic and national security interests. Data compromises include breaches such as the cyber penetration of the U.S. Office of Personnel Management identified in 2015. Other noteworthy data breaches include Marriott Starwood Hotels, Quora, Google, and T-Mobile. Beyond the European Union’s (EU’s) General Data Protection Regulation (GDPR), approximately 80 countries have instituted data privacy laws, including the U.S., through laws such as the Health Insurance Portability and Accountability Act and the Driver’s Privacy Protection Act of 1994. Only California has passed a specific consumer privacy law, the 2018 California Consumer Privacy Act (CCPA). Many other states are considering the passage of similar laws. Colorado and Iowa have already strengthened their protection of consumer and student information, respectively.
How would you describe the impact of two key pieces of legislation – the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)? To what extent are these privacy laws shaking up how companies collect and process data?
Kathryn Rock: As a result of both the GDPR and the CCPA, companies must be more transparent and assume more responsibility regarding the collection and processing of any consumer personal information. Companies need to understand the consumer data they collect and have in their possession, along with the various ways it is used, including any interactions with third parties. Companies are being held accountable for how they interact with personal information, and that has translated into adjustments to their business processes related to data collection and use, particularly as both pieces of legislation allow for financial penalties to be levied on any companies found to be in violation. In particular, the CCPA’s private right of action explicitly allows consumers to seek damages for any violations of the CCPA, which exposes companies to both civil penalties levied by regulators and damages paid directly to consumers.
How would you characterize the growing intersection between data analytics and data privacy? In your experience, do companies tend to underestimate the data privacy implications of conducting data analytics?
Joseph Campbell: Data is power and drives today’s businesses. Companies are investing in technologies to collect and process consumer information to benefit product development. Companies should build governance around data privacy, including the development of an information or cybersecurity program capable of ensuring that data is properly inventoried, stored, encrypted, and monitored to detect internal or external hacking threats. They should demonstrate a commitment to a culture of compliance, driven by top executives through messaging and example. Companies should develop a data privacy team responsible for answering privacy requests and create an audit function to ensure that the company maintains compliance with data privacy laws. Employees should be trained on the laws and their responsibilities in executing procedures to comply with the laws. Companies must also focus on their ability to respond to data leaks, penetration, and hacking, in compliance with local laws using a response framework, such as the National Institute of Standards and Technology framework, which includes preparation, detection and analysis, containment, eradication, and recovery.
Kathryn Rock: Any new technology should be nimble, considering the numerous data privacy laws being enacted or proposed worldwide. Besides assessing whether all collected and stored data is necessary, companies can take many steps to manage privacy considerations and risks while implementing technology and utilizing data analytics. There are a number of issues companies should consider, the first of which is governance. They should create or update data privacy governance structures and committees to develop or implement strategies for compliance with laws, including the potential inclusion of a chief privacy officer. Companies should also consider policies and procedures. This will require them to develop or update policies and procedures to ensure compliance with existing regulations and to implement a robust change management process to account for any new or changing regulations. Training must also be a consideration. Companies must establish and update training programs to include applicable policies and procedures, including identifying impacted individuals for training. Finally, companies must consider data security. They should review existing data security infrastructure and enhance the organization’s ability to respond to security breaches, in compliance with laws.