The current regulatory climate of business is shifting toward a heightened awareness of sensitive data protection. Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have refocused companies’ efforts to ensure the collection, storage, usage, and deletion of customer data are handled with care. Penalties for violating these policies can be up to $7,500 per violation for the CCPA and up to 20 million euros for the GDPR (or 4% of global turnover).
These regulatory actions signal a shift toward broader public consciousness of data privacy. Following the implementation of the GDPR, six in 10 consumers in Europe were aware of their data privacy rights and protections, up from four in 10 in 2015. Awareness affects consumer choice: half of consumers said they were more likely to trust companies that judiciously limit the amount of personal information they request.
These shifts have encouraged corporations to take a forward-looking approach to data privacy compliance. Notably, Microsoft has committed to applying CCPA standards to all of its U.S. customer data, not just in California. Companies have to adapt, anticipating more stringent regulatory environments in the future.
Challenges to Data Privacy Compliance
Approaching data compliance comes with its own set of challenges. New standards for data consent management and data privacy have engendered a host of functional requirements for mature data operations. In an earlier blog post we documented the key implications of these data privacy laws for an organization’s consent management. For example, the CCPA requires companies to maintain a robust privacy policy, ask consumers for consent to collect their data, and categorize consumer data so it can be reported back to regulatory bodies and deleted upon request.
Software solutions have sprung up to meet these tactical consent management and tracking requirements. However, these solutions do not go far enough in addressing the underlying challenge of compliance: companies do not know where all their data resides, and most lack a consumer data inventory that would let them work systematically with that data.
This challenge exists because modern organizations tend to take a divide-and-conquer approach to their operations. The result is that each team often keeps its own copies of data to run its part of the business. Companies may end up with dozens of different systems managing their customer records, fragmenting data across IT infrastructure and affiliate and third-party networks.
Understanding the path to full data compliance can be a daunting task. Bridging that gap involves a deep understanding of an organization’s data architecture and a series of steps toward mature data governance.
How to Bridge the Data Privacy Compliance Gap
Bringing your organization to data privacy compliance will not be a one-size-fits-all approach. A focused conversation needs to happen to tailor solutions to your specific needs. Consider questions like: What data do you have? Why do you need it? What do you do with it? What technology touches the data? How should you retrieve the data in a trustworthy manner? The answers will drive your solutions and how they will be integrated into your organization.
Because data privacy laws like the CCPA and GDPR were instituted fairly recently, it is still unclear what legal enforcement of these laws will look like. Just last November, California passed the California Privacy Rights Act (CPRA), expanding the CCPA to strengthen consumer protections, and even newer regulation is expected to be introduced in the next couple of years. Given the constantly evolving nature of the regulatory environment, any approach to compliance will be an ongoing and regularly updated process to ensure persistent compliance.
To get started, consider the following guidelines to work toward the compliance initiative that is the right fit for your business:
1. Understand your current-state data architecture: Attain a full understanding of all the critical systems, tools, databases, and data flows involved in your infrastructure. The existing data is touched by many different teams in many different ways. Thus, this stage involves a comprehensive collection of all the process documentation you have and interviews with team members about how they interact with data. Your ability to retrieve your data reliably will only be as good as your understanding of where your data is. Therefore, a sound understanding of your data architecture is the first step toward any mature data compliance initiative.
2. Select the right tools: Once you understand your data architecture, you will be able to identify where additional tools may be needed to introduce new, compliance-mandated functionality. Compare and select the necessary compliance software solutions to balance your organization’s security, stability, and scalability requirements. Unfortunately, no compliance tool or set of tools will be the silver bullet solution. There still needs to be a broader program to manage compliance going forward.
3. Define the process workflows around managing compliance: Delineate the critical operational changes your organization must undergo to report and manage all sensitive data collection. This stage involves understanding the personas your systems will engage with and mapping out where their data flows and where it will be manipulated. Each of these data interaction points will need to be accounted for in your future-state solution.
4. Implement the overarching compliance program: Develop an implementation roadmap considering the necessary people, process, and technology changes involved in managing your compliance workflow. This will involve prioritizing the implementation phases that will quickly unlock strategic value. Design, rearchitect, and test your data architecture around any compliance tools that need to be deployed, ensuring you develop a change management plan to fully integrate new systems into current processes. As you develop new systems around compliance, there is an opportunity to automate data request and response processes to eliminate or minimize the additional manual effort of compliance requests.
5. Identify future-state architecture possibilities: Achieving data compliance involves upfront investment in your data architecture and governance that has the potential to pave the way for additional value-driving initiatives. For example, envision a more mature future-state architecture that centralizes data ingestion, processing, and storage to capture a single view of your customer. From here, there is massive potential to realize more meaningful interactions with your customers by optimizing their journeys based on how they have previously interacted with your messaging and products.
Opportunities Unlocked by Data Governance and Compliance
Data privacy compliance has evolved into an involved technical process requiring companies to reexamine their IT architecture to locate their customer data before interacting with it. Though this process entails detangling data pathways into a clear architectural view, it can also be exactly the quick win data governance project an organization needs to start unlocking the full potential of its data assets. Namely, data uncovered through the compliance exercise could be funneled into analytics, giving a company greater visibility into its sales and operations. These insights have the potential to drive fundamental change toward creating a responsive, data-driven organization.
At Credera, we would love to help you tackle your data privacy compliance and governance needs and start dreaming big on the potential your data assets could unlock for you. Please reach out to us at findoutmore@credera.com to continue the conversation.