Just when one privacy law is passed, another is updated, overhauled, or expires in committee.
Regulatory changes elicit a technological domino effect. Chief data or privacy officers are there to interpret the laws, while CISOs have to ensure their structures meet the laws' new standards. Depending on a privacy program's maturity, companies will have an easier or harder time adapting.
For some companies, privacy programs need to take a few steps back and find out what data they even have.
"Even though I always encourage clients to start the discovery process manually, and get a feel for the complexity within their data, it becomes evident quite fast that there is a need for automation to deliver scale," said Nader Henein, VP analyst at Gartner, while speaking at the Gartner IT Symposium/Xpo Americas Tuesday.
Conquer the basics
Data governance is the primary building block for privacy programs — it's also never-ending. Organizations deploy operational privacy programs in three stages:
- Establish: The foundational stage of a privacy program, it includes discovery, risk mapping, data retention, notice and policy, cookie management, and subject rights management.
- Maintain: Combining existing capabilities with automation, this stage consists of measurement and reporting, privacy impact assessment automation, incident response augmentation, and data residency.
- Evolve: The third stage includes data masking and tokenization, data lifecycle governance management, data end-of-life controls, and privacy engineering for DevOps. Evolve "focuses on specialist capabilities that reduce privacy risk with limited impact on data utility," said Henein.
Each stage is an indication of how mature a company's privacy program is. The early data discovery phase was likely started "manually through a series of surveys and spreadsheets," said Henein. But understanding the flow of data leads to metadata enrichment, "where structured labels are associated with data objects."
Metadata enrichment extends beyond the privacy program, enabling governance agility, or "the capacity to react to an exceeding cadence of new regulations without disruption," said Henein.
Not only does this highlight where unstructured data could cause problems, it sets companies up for the slew of regulatory demands across the country and world.
There are standards, such as National Institute of Standards and Technology's (NIST) Privacy Framework and the International Organization for Standardization (ISO) 27701, that don't fit any specific regulatory mold. More regional frameworks, like British Standards Institute 10012, are centered around GDPR.
But choosing a framework "will be heavily influenced by your past decisions," said Henein.
The common thread across all the frameworks is a management system. "You can certify an organization handling policies, but not a product or a service," said Henein. The ISDP 10003 and European Privacy Seal frameworks, however, do allow for certification of services.
"We expect over the coming year that some of these schemes will be formally approved for GDPR assessments. But as of now, certification, though exceedingly helpful, does not equate to regulatory compliance in Europe, or elsewhere," said Henein.
States take a stab at privacy
The California Consumer Privacy Act (CCPA) has "been the ignition point for U.S. privacy modernization," said Henein. "The best advice for the coming year is to standardize against California as it occupies the highest standard today."
The proposed California Privacy Rights Act (CPRA) addendum, often called CCPA 2.0, is awaiting the California ballots this election cycle, and could bolster the CCPA's already-stringent rules. But this year 20 states have introduced draft bills, up from 12 states last year, according to Henein, and some of the laws proposed by other states "exceed the CCPA and scope."
Only Texas, Nevada and California have passed privacy legislation, though states with draft and passed bills would collectively reach 57% of the U.S. population.
Congress has introduced at least 10 federal bills but privacy professionals are not optimistic a national law will pass anytime soon. "We seem to be heading towards 50 different laws, one for each state," said Henein.
Across the pond
While privacy laws are taking shape nationwide, Europe got the ball rolling. The U.S. has played catchup in the last 20 years, while Europe delved into privacy regulation in the 1970s, according to Henein. The EU's experience sets the benchmark for privacy standards worldwide.
When EU-U.S. Privacy Shield was overturned in July, U.S.-based companies' data transfers were impacted, so technology purchasing decisions changed too.
"Not to say I told you so, but our guidance for over a year ago was to avoid reliance on Privacy Shield, as it was in practice no different than its predecessor, which was also deemed invalid," said Henein.
When GDPR went into effect, it struggled to find its teeth, but the threat of oversight evoked enough change in industries serving EU consumers. Companies were forced to change their behaviors, and the pressure to do so was equal parts GDPR and consumer desire.
Headquartered in Brussels, the European Data Protection Board overseeing GDPR is moving from "reactive, complaint driven posture to a more investigatory proactive approach," said Henein. The board is coordinating more consistently with its 28 member states.
In some cases the pandemic halted developments in data privacy legislation. "These delays are welcome as they give organizations much needed breathing space," said Henein. However, the laws currently on the horizon are widespread:
- Following GDPR's lead, Uruguay and Argentina are modifying their privacy laws, which predate the EU's policy.
- Enforcement for Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) was set for August 2021, a delay from the original August 2020 effective date. "This enforcement delay, even though it comes under less than ideal circumstances, is a gift. Do not waste it," Henein said.
- China enacted its revamped Civil Code, going into effect in January. The Civil Code includes a section on privacy rights and personal information protection provisions, amending 2017's PRC Cybersecurity Law.
- Australia's Consumer Data Right law began rolling out this year, though it's more geared at the banking industry.