While organizations work to reap the benefits of data, new challenges crop up as lawmakers around the world continue to enact new data privacy laws and update existing ones.
In 2021, more than 150 privacy-related bills were under consideration across 40 U.S. states, according to Scott Schlesinger, a partner at PA Consulting and the firm's North America data and analytics leader. There is a growing list of international laws, too, as organizations work to keep up with data compliance regulations.
While federal U.S. efforts to legislate data privacy are stalling, China passed the Personal Information Protection Law in August 2021, with the new regulations taking effect in November 2021. At a state level, Massachusetts is the latest to consider such legislation, with its proposed Massachusetts Information Privacy Act.
That proliferation of data privacy regulations has created considerable challenges for organizations, as executives work to understand and comply with the requirements each one contains.
"All that we needed to address in regard to legal requirements 20 years ago is still there, but now there's many, many more," said Rebecca Herold, CEO of The Privacy Professor consultancy and a member of the Emerging Trends Working Group with the IT governance association ISACA.
Companies that approach the task by working toward the requirements of each individual law independent of the others in a patchwork approach will quickly become swamped.
To build a unified data privacy compliance program instead of a patchwork, the following high-level elements are essential:
1. Top-level support
The volume of regulations as well as the fines for noncompliance have made the need for a solid privacy program a top-level business concern, Herold said. That means it should have the backing of the CEO and the board.
Their support for developing and maintaining a privacy compliance practice is essential, because those activities require ongoing funding, expertise and coordination among executives and their departments, Herold said.
"If you don't have support at the top, you're going to fail," she added.
2. An accountable executive owner
Organizations must assign responsibility for data privacy to an executive, whether it's a chief privacy officer or another position. CEOs can't assume every functional leader will automatically do his or her part without someone being held accountable for the program's success or failure, Schlesinger said.
"It has to have someone at a senior level to be that champion, otherwise, quite frankly, these things die on the vine," he added.
At the same time, no single leader can -- or should -- be responsible for all the required work, Schlesinger said. A successful data privacy program needs the leader who owns accountability to collaborate with all the stakeholders (i.e., functional executives, the legal department, IT and security) to ensure that the policies are comprehensive, controls are in place and they're consistently applied throughout the enterprise.
3. A complete accounting of what impacts the organization
A team of leaders must then identify and understand the laws, regulations and internal policies that govern their organization's data privacy obligations, Herold said. This is more complex than it seems, as organizations often must follow multiple regional, national and state laws in addition to industry-specific laws (such as HIPAA) and other rules.
4. Attention to breach notification requirements
On a related note, all organizations should identify the breach notification laws they would need to follow in the event of a successful hack and understand the different requirements of each law, Herold said.
"They're all worded differently," Herold said, noting that there are more than 50 U.S. federal and state breach notification laws. For example, she said different states have varying definitions of who constitutes a resident and varying timelines for how quickly organizations must make notifications.
5. A full accounting of data
Similarly, organizations must know what data they have, where it's coming from and where it's held, said Enza Iannopollo, Forrester Research principal analyst. This task is also easier said than done, because organizations can easily overlook data stored in old files and legacy systems.
Organizations must also consider how data flows to and from third parties and vendors, because they face obligations to protect the data they gather and share with others under some of the privacy laws.
"Privacy is all about understanding the data," Iannopollo said. "You can't start to be in compliance with data-based laws and regulations if you don't even know all the data you're collecting, storing, processing and sharing."
6. A framework
Given the number of laws, and the variations among them, organizations should leverage frameworks to help them organize their data privacy compliance programs, Iannopollo said.
In ISACA's "Privacy in Practice 2022" survey, 84% of respondents reported using a framework, law or regulation to manage privacy. The top five frameworks and regulations respondents' organizations use to manage privacy are the following:
- the European Union's GDPR (50%);
- the NIST Privacy Framework (47%);
- ISO/IEC 27002:2013 (40%);
- COBIT (26%); and
- ISO/IEC 27701 (25%).
7. Attention to maintenance and updates
Lawmakers are regularly updating existing regulations and adding new ones, so organizations must have processes for updating their own privacy compliance programs to ensure that they align to current requirements, Herold said.
"That's the biggest challenge once you get your program established," she said. "But if you do it in a thoughtful manner and maintain it on an ongoing basis, that will bring you benefits. Then you don't have to play Whack-A-Mole [and wonder] what regulations you have to follow today."
Frameworks are useful with this exercise, as are privacy management software programs and governance, risk and compliance digital tools, Iannopollo said.
8. Identified potential points of failure
Data privacy programs aren't foolproof, as both internal and external factors can create potential points of failure, Schlesinger said. Executives can't eliminate all risks, but they can effectively manage them by identifying, prioritizing and mitigating them based on risk-reward calculations.
Consider, for example, how the hybrid work environment could affect privacy processes that work well for in-office workers but may not be as enforceable for at-home employees. Also consider how enabling partners to work with data can ensure speedy services for customers but can also create compliance failures if any of those vendors have substandard privacy policies or suffer a breach.
"Make sure all the internal, external, cultural and political factors that could derail your program are addressed," Schlesinger said.
9. Alignment between what organizations do and what they say
Organizations increasingly share details about how they use and protect data -- frequently doing so because data privacy laws require it, Herold said. Yet she has worked with many companies whose publicly stated policies are different from what they actually do -- a discrepancy that can earn them hefty fines. Her advice is simple: Make sure the two align.
10. A strategy to use privacy policies for competitive advantage
Research shows that consumers have increasing expectations for the organizations they entrust with their data, Iannopollo said; they want to see those entities keep their information safe and use the data in respectful ways.
Companies should view that as an opportunity. Entities that are seen as leaders in safeguarding consumer data and are transparent about how they use it generally engender customer loyalty, Schlesinger said.
"It can lead to a long-term competitive advantage, turning that data compliance challenge into an opportunity," he added.