By Jodi Daniels
During a very busy 2019, we in the privacy community celebrated the EU’s General Data Protection Regulation’s (GDPR) first birthday and readied organizations for the California Consumer Privacy Act (CCPA). However, 2019 also featured large-scale data breaches and a growing lack of trust in how organizations protect personal data. As we wind down the year, we are looking forward to many data privacy developments in 2020, including the biggest 2020 milestone: the CCPA going into effect on New Year’s Day.
Below are some New Year’s resolutions to help you, as a Chief Information Security Officer, prepare for data privacy not only in 2020 but also in the new decade.
1. Know what data your organization is collecting.
As a CISO, it is your responsibility to understand exactly what data your organization collects from your customers. Are you collecting their browsing information each time they visit your website? Are you collecting their name, email, and address each time they make a purchase? It is essential to know the exact personal data collected from your customers because, under the CCPA, they have the right to request the categories of personal information collected about them and the categories of sources from which that information was collected.
2. Know what your organization does with the data it collects.
It is not only important to understand what data your organization collects but also why you collect the data and what exactly you do with the data. Under the CCPA, individuals have the right to opt out of the sale of their personal information. It is especially important to evaluate whether your organization sells personal information and if selling that information is necessary. Under both the CCPA and GDPR, individuals can request to be told how their personal data is disclosed and to whom. This is another reason why, as the CISO, you must know exactly where data goes after it is collected and whether it is disclosed to third parties.
3. Know where data is stored and for how long.
Data retention policies should be grounded in a legal basis or a business necessity. Absent one of those, organizations should not keep data for an extended period; they should keep only the data they actively use for the original business purpose communicated to the user at collection, or for a legal purpose.
1. Know under which regulations your organization falls.
One of the top CISO priorities should be ensuring your organization’s compliance with privacy regulations. Many organizations fall under both the CCPA and GDPR because they do work or have customers in the EU and California. Ensure (or work with the privacy team to ensure) your organization is taking every step to comply with any relevant data privacy regulations.
2. Understand what compliance looks like under those regulations.
In the CISO role, it is important to understand data privacy regulations and what compliance for your organization looks like. What are the steps your organization must implement to achieve compliance? What are the existing gaps between your current business operations and what they need to be in order to achieve compliance?
3. Appoint a team of experts to maintain your organization’s privacy regulation compliance.
Delegating compliance to a team of experts will help your organization maintain compliance and implement continuous changes as data privacy regulations change and grow.
4. Look ahead to what’s next.
Several data privacy regulations are in the works and several states are evaluating data privacy laws. Keep the following regulations within your purview next year.
1. Evaluate whether or not your organization sells data.
The definition of “selling” is quite broad under the CCPA. As mentioned under Data Resolutions, it is critical to evaluate whether your organization sells personal information and whether it is necessary to do so. Under the CCPA, individuals have the right to opt out of the sale of their personal information, and both your organization and all third parties that purchased that information must honor the individual’s request.
2. If your organization sells data, assess whether it actually needs to sell personal information.
It can be an arduous process to delete personal information from purchased information, notify all third parties to also delete that personal information, and ensure that the request to delete data is thoroughly completed.
3. List all third parties that purchase sensitive data from your organization, and then determine whether it is necessary to sell data to them.
If possible, it is best to completely stop selling data. For most organizations, selling data is not worth the effort of honoring opt-out requests.
4. Look at what data you collect from third parties and evaluate whether you can collect that data directly from the customer instead.
Is there personal information necessary for your organization’s operations that you can collect directly from the customer instead of pulling the data from third parties? If so, it is best to collect directly from a customer for a few reasons.
1. Ensure that your customers’ privacy is protected and secure.
Even if your organization does not fall within the scope of a data privacy regulation, you should still implement privacy safeguards in order to protect your customers’ privacy. Customer privacy should be a top priority as a CISO because it not only protects your business from unwanted privacy risks but also increases the trust of your customers.
2. Make sure that your organization is able to honor customers’ individual rights requests.
Several of the existing data privacy regulations, such as the CCPA and GDPR, outline specific rights that you must provide to your customers.
Under GDPR, individuals have the right to:
Under the CCPA, individuals have the right to:
3. Make sure you are only collecting necessary data from customers, and for good reason.
Under the GDPR, your organization must specify a legal basis for collecting personal information from a customer. As CISO, you should implement this philosophy across all data collection. Personal data should only be collected for a necessary organizational purpose. Also, personal data should only be processed and retained for the original collection purpose. If your organization is processing data for other purposes (unless exempt), then you are not in compliance with the CCPA or GDPR.
4. Increase transparency about your data collection with customers.
Increased transparency with your customers will increase their loyalty to your business. Customers want to know what information you collect, why you collect it, and how you use it.
1. Provide proper training for your employees who work with personal data and data requests.
It is important to provide your employees with the proper tools to help them handle personal data and process data requests. Under both the CCPA and GDPR, training is also a requirement for any employees who handle personal data. If your business does not already prioritize training, then this is a great initiative to start in the New Year!
2. Ensure that your organization properly implements technical and organizational security measures around data privacy.
Organizational and technical safeguards are important measures to take when protecting data privacy. Proper organizational safeguards include training, password policies, and need-to-know access. Proper technical security measures include encryption, network authentication, and access control lists.
3. Partner with other departments in your organization to share data privacy responsibility.
As CISO, data privacy is your priority and it comes with several responsibilities. I encourage CISOs to share that responsibility with a team of data privacy experts to ensure that nothing is missed, especially when data regulations apply to your organization. Protecting your employees’ and customers’ privacy is essential, and customers expect that protection. Partnering will benefit your organization by helping you apply the best security for your customers’ privacy.
CISOs hold a very important role in an organization, and this role grows more important with GDPR in full effect and the CCPA going into effect on January 1, 2020. As a CISO, you must make sure your organization is in proper compliance with any data regulations that apply to your organization. It is also your responsibility to protect your customers’ data privacy, which has the benefit of increasing their loyalty to your organization and helping your business grow.
Privacy is still in its infancy in the US as GDPR enters its second toddler year. Companies that go beyond mere compliance and have built a scalable privacy program as a foundation will be positioned to embrace any new privacy laws that legislators will inevitably pass, and will be prepared for new, more advanced uses of data. Customers currently expect, and will continue to expect, a strong privacy posture.
In what will be another big year for data privacy, 2020 will likely see several new regulations currently on the horizon go into effect. Make sure your organization has the tools to address these new regulations and build a foundation for the next decade! Happy New Year!