There is no denying a global shift toward regulating privacy through new legislation such as the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”) and the Brazilian General Data Protection Law (“LGPD”). With this, a growing number of trends are emerging in privacy legislation compared with the landscape of five years ago.
There is wide divergence in how different countries, and even regions, legislate for privacy. This is not surprising, as the call for privacy legislation is driven by historical events, which of course means the needs are often different. Some countries and regions take more of a consumer protection stance, as CCPA does, whereas others regulate specific sectors (the Health Insurance Portability and Accountability Act (“HIPAA”) in the United States, for example) or a particular part of the economy (the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which governs private-sector commercial activity in Canada). Others again are driven by a wish to regulate technological development, and lastly there are principle-based laws that use GDPR as a blueprint.
What is interesting is that the private sector is now encouraging governments to implement data protection legislation, rather than the other way round. Generally we see regulation playing catch-up with consumer and business privacy expectations.
Globally the focus is on data protection; privacy is a separate, though related, element. Privacy is a very broad area, and what is understood by privacy appears to be a cultural matter. In Europe, privacy concerns the right to a private life, meaning a life without interference by the state and others. It is guesswork, but the future is likely to lie in addressing the right to privacy and not only data protection.
Privacy v Financial Laws
Many global organisations with exposure to different financial regulators, and to an ever-increasing volume of regulatory guidance, find themselves in a balancing act. The same applies to data protection laws: the goalposts keep moving through the emergence of new guidance, industry best practice and case law, as well as through organisations’ own growing maturity.
It is pivotal for firms to work alongside a strong Compliance team and draw on its expertise to understand fully what a particular piece of regulation requires and how the principles of data protection can be applied to it. The principle of data minimisation is commonly useful here. Often a great deal can be done to minimise the data requested for the purpose of a particular regulatory obligation. At times it might be easier to take a more sweeping approach, but data minimisation stops organisations from doing so. Asking for the data they absolutely need, and not the data they ‘may’ need, is crucial. It may mean having to request further information later, but it lets firms adhere to data protection laws as well as financial laws such as anti-money laundering (“AML”) requirements.
In addition, the record of processing activities is a good source of information. Conducting periodic reviews of it allows companies to ascertain continuously whether something in a piece of regulation has changed and whether they are still operating in line with all the principles of data protection.
Privacy by Design
Privacy by design in the vendor management process is an area that will receive increasing attention as many companies try to mature in the near future. The increased attention is due not only to data protection laws but also to the growing focus of financial regulators on supply chain management.
Most companies started off by implementing the bare necessities, such as appropriate contractual requirements and perhaps a risk assessment at the onboarding stage. You have to start somewhere. As companies move from compliance to accountability, their expectations of third parties will increase, and they will want to understand how they can obtain greater assurance throughout the life of the vendor agreement.
Clients are increasingly interested in service providers that have strong data protection programmes in place and that can evidence this through contractual obligations, due diligence and ongoing assurance programmes.
Generally, all new service providers have to go through a risk assessment process, but they should also go through a pre-data protection impact assessment (“DPIA”) screening process. Strong collaboration with other support functions, such as vendor management, operational risk, information security, compliance and legal, allows the firm to take a holistic approach.
Of course, this can be quite a time-consuming process, but let’s not forget that businesses need to take a risk-based approach: some new third parties may require lengthy discussions, whilst others are straightforward. Nonetheless, taking this approach lets the client demonstrate that it has given each and every new vendor sufficient consideration.
No job is complete without regular monitoring and risk management to provide ongoing assurance. Whether this is done by the company, the provider or a third party, there should be some level of independent assurance through audit. This concept is not new at all and can be seen in particular in the information security space, through System and Organisation Controls (“SOC”) 1 or SOC 2 reports.
Measure and Report
To date, firms have been reporting consistently on their privacy programmes across key areas such as data subject rights requests, breaches, DPIAs and the associated risks.
Now they are focusing on implementing a privacy management framework that allows them to assess their maturity systematically and provides a roadmap for further maturing their privacy posture, with a focus on continual assessment and improvement. This demonstrates their drive toward strong and ever-evolving privacy throughout the organisation.
When implementing such a framework it may be beneficial to look to other functions within the organisation that may already have developed something similar, such as information security, where there are a number of parallels and shared objectives. Aligning with them may assist in obtaining buy-in from the top and make it easier to secure funding and implement the framework top-down.
2020 will be a busy year for data protection professionals. Whilst many companies will be coming to grips with CCPA, others will be working hard to keep up with GDPR and to improve their maturity as fines are issued and standards are clarified through the emergence of case law and guidance.
It is clear that data protection is here to stay. It is therefore pivotal that companies continue to invest in privacy programmes and strategies so that they can continuously improve their compliance and accountability.
Annette Thoma is Data Protection Officer at MUFG Investor Services