In the world of IT, gremlins often pop out of the shadows to stoke fear and consume an organization with efforts to avoid or mitigate their consequences.
In this instance, we’re talking about new privacy laws. In Europe, it’s the General Data Protection Regulation (GDPR), and currently in the US, it’s the California Consumer Privacy Act (CCPA) with more legislation almost certain to come from other jurisdictions. GDPR took effect in 2018 and CCPA becomes law in January 2020.
These regulations have the same overall intent. First it to ensure that collectors of data — “data controllers” — implement best practices for data storage, access and distribution. Secondly, this provides data subjects with greater control over the use of their personal information, such as name, address, Social Security number and email address.
Finally, it holds data processors accountable for non-compliance by imposing fines and penalties. The laws provide specific rules for gathering information, disclosing what data is stored and allowing people to opt out of the sale of their data.
After many notable breaches of privacy in well-known companies, many consumers welcome the protection that these laws provide, leaving companies with the challenge of complying with these new regulations. If you deal with citizens from the European Union or California, it’s worthwhile to pay attention.
Under CCPA, credit unions are impacted if they meet any of the following criteria:
- They do business with residents of California;
- They operate for the profit or financial benefit of their owners;
- Their gross revenue exceeds $25M;
- They buy, sell or process more than 50,000 records of consumers, households or devices;
- Over 50% of the company revenue is earned through selling personal information to third parties.
Even if a credit union believes it’s exempt, it’s a good idea to adhere to the governing laws. One approach is to view the new laws as an opportunity to optimize your data landscape and frame the capability in a positive light. The automotive business provides a good example of leveraging legislation to your advantage.
Originally, auto manufacturers felt crippled by the need to abide by safety, fuel efficiency and emission laws. Now, they compete on their ability to comply with these laws. Similarly, credit unions can bolster consumer confidence by ensuring that government requirements are met or exceeded. Privacy laws shouldn’t be a roadblock to customer experience, but rather an enabler.
The scope and nature of the privacy laws can be summarized by the catchphrase, “privacy by design.” Safeguarding customer information must become part of the business and technology culture of your organization. Solutions bolted on as afterthoughts will not be compliant strategies.
But the scope of these laws is massive. Not only are there considerable technical ramifications to consider, there are also significant culture shifts to account for and to introduce to your business practices.
Prior to these laws, the general paradigm assigned “ownership” of data to the company that captured it. Yes, there have been strictures on how personally identifiable information could be used, stored, retained, or shared under regulatory standards like HIPAA and Gramm-Leach-Bliley, but never has the notion of data ownership been reinterpreted so fundamentally.
Under both CCPA and GDPR, the data subject is now considered to be the ultimate arbiter of what data a company collects, what it is used for, whether the data accurately represents the person, and whether the company is entitled to maintain that data after its collection.
Data subjects can demand access to their data, demand that data be removed from a company’s system, demand that data be corrected or made available to the data subject to take to a competing company. And you, as a data controller, are obligated by law to abide by these demands, and to do so within strict timelines.
Without a well-orchestrated game plan, across a variety of disciplines in your organization (legal, privacy, technology, marketing, just to name a few), your ability to meet these demands and avoid penalties for non-compliance becomes increasingly tenuous.
In addition to individual requests for information from your customers as data subjects, governing bodies also have the right to audit your systems for compliance. To respond to these audits, you will need to be prepared to have cogent, accurate, complete reporting at the ready. Questions most likely to interest auditors include:
- Do you know what data would be considered sensitive?
- Do you know why you collected the data in the first place?
- How do you detect breaches?
- How quickly do you notify affected parties after a breach has been detected?
Being able to answer these questions quickly and effectively will not happen by accident. You’ll likely need to implement new systems or make significant changes to existing ones. You may need to define your business processes using a standardized vocabulary, shared across your organization, and you will need to associate systems and the data collected by those systems with the standardized list of business processes that you’ve defined.
You will need to document the specific consent of your customers if you use their data for a variety of different activities. Blanket consent for collection of data is no longer likely to satisfy the new rules. Conforming with these rules will take time that may be measured in years, not months, and resources will need training on the proper procedures for responding to these laws.
Work will need to be prioritized, based on system risk, or business priority, and manual processes implemented before more automated approaches are available.
In other words, this is a new way of doing business; this is not a one-time exercise. The biggest mistake you can make is failing to take any action at all.
