Data Privacy: A convergence of Security, Compliance, and Conception
The complexity and dynamism are only increasing as data privacy laws propagate throughout the states. Currently only three states – California, Nevada, and Virginia – have passed privacy laws, but fully 23 are actively considering data privacy legislation. And while they share some commonalities, they have significant differences (and different again from the GDPR) that further complicate compliance for businesses targeting consumers covered by these regulations.
Where all these emergent data privacy regulations, consumer preferences, and business responses lead (Federal privacy law?) is a matter of speculation. But what is certain, is that the challenge to businesses both large and small are considerable.
Getting it Right
Each of these aspects of data privacy legislation – privacy preservation, compliance, and security – while bound up in data privacy law, are their own discipline and require specific expertise. Adding complexity and tension are the divergent perceptions of privacy across business disciplines as a function of their roles and responsibilities: marketing, advertising, InfoSec, legal and compliance, sales, human resources, business analytics, product development, et al. The current and prospective laws governing the use of data, which go further than the strictures of those statutes governing health (HIPPA), finance (e.g., Gramm-Leach-Bliley), and heretofore protections of personally identifiable information (PII), now require convergence of privacy conception across these disciplines.
Ultimately, to get this right, successful implementations must be comprehensive and designed-in from the start. Organizations will need to go “beyond compliance” and design privacy protections into their products, services, and every consumer touchpoint as well as guard against inappropriate aggregation internally.
That said, before an organization can “move beyond compliance” and embed concepts like privacy by design or incorporating privacy into go-to-market strategies, the first order of business is to ensure compliance (albeit a moving target) with data privacy regulations. But, as WireWheel’s Co-Founder and CEO Justin Antonipillai observers during his interview with theCUBE: “if you’re a company that’s launching and building your product…It really could become overwhelming…particularly smaller companies with limited resources, to manage
Privacy at Scale
If you’re trying to do the right thing, there should be a way to do it.
Most startups and smaller growing companies are resource constrained in terms of capital and resident expertise. Most certainly don’t have a privacy officer and they often don’t have a general counsel. For many it might be the chief marketing officer, COO or CTO that takes on data privacy oversite.
While state laws provide for certain thresholds to be met before companies are subject to the regulations, even small startups will benefit from adopting some basic compliance attributes as a first step towards customer-centric data privacy based on transparency and trust. Potential customers will appreciate it. Many in fact, will insist upon it and only do business with those companies that provide assurances that their privacy is protected.
Small businesses are not left behind in this regard. Just as Shopify.com changed the market-entry dynamics for SMBs, SaaS-based data privacy management programs can stand up a compliant customer privacy experience at the appropriate scale. Importantly, this can help ensure that new products incorporate privacy-preserving attributes at launch.
Seemingly overwhelming challenges, however, are not the sole province of small firms.
Interestingly, for larger companies, a core challenge is also one of scale. Namely, understanding how much data are owned; the nature of that data (especially PII and sensitive data); in what systems the data are stored (on premise, off premise, and across jurisdictions), how data are used, both customer- and vendor-facing as well as internally; and of course, protected from breach or improper disclosure.
When considered in the context of a large multinational organization and the entirety of their supply chain, B2B and B2C ecosystem, this too can seem an overwhelming challenge. Nonetheless, data discovery, classification, and data flow mapping are prerequisite to data privacy compliance and documenting that compliance when regulators come calling. Absent this understanding it would not be possible to assert that you are effectively protecting data and ensuring that it is being used in a privacy-preserving way in accordance with the governing regulations. Also, responding to Data Subject Access Requests (DSARs) in a compliant manner would be quite literally impossible. Here too data privacy-focused services provide solutions at scale to address these challenges.
Technology: Privacy Change Agent
The convergence (and clash) of technology, privacy, and law has a storied history.
Technology has been progenitor of change: an upstart that has engendered repeated privacy crises going back to the invention of the Kodak Camera which inspired the most influential Harvard Law Review Article of all time, The Right to Privacy, and has continued to harass privacy – and morph privacy conceptions – through to the modern-day equivalent of the Kodak camera – facial recognition algorithms and biometrics.
The law, as relentlessly (though necessarily thoughtfully and deliberately) slow as the advancement of technology is fast may finally be catching up. Perhaps even, with the GDPR-inspired passage of California’s CCPA, CPRA, Virginia’s VCDPA, and Nevada’s NPA (to say nothing of many others being considered in the U.S. and globally) the legal conception of privacy may be playing the tortoise to the adtech and data-industrial complex hare.
And here, when it comes to achieving compliance and beyond – for business both large and small – technology will be privacy’s ally.
 While not yet dead, as of 11 April the Washington State House failed to pass privacy legislation for a third time over disagreements regarding private right of action.
 For example, the CCPA provides that: “Businesses are subject to the CCPA if one or more of the following are true: Has gross annual revenues in excess of $25 million; Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; Derives 50 percent or more of annual revenues from selling consumers’ personal information.”
Suggested Blog Posts
Everybody views data privacy through a different lens: through your general counsel; through your technology team; or...
A lot of the way that we approach security can be applied to privacy. [Like] the methodology of ‘Defense in Depth.’...
Written by Rick Buck, Chief Privacy Officer, WireWheelRemember Do Not Track (DNT), the web browser setting that...
“Before I dive in into the specific predictions...[I just want to say that] I think that privacy professionals today...