Preparing your organization for the consumer data protection age

The European Union’s General Data Protection Regulation is just the tip of the iceberg when it comes to protecting consumer data.  It’s by far the most comprehensive regulatory guideline to date, and its reverberations are already being felt stateside.

As consumers, we’re becoming habituated to privacy policy notifications on websites.  But the real impact is coming as states begin introducing and enforcing their own consumer privacy legislation – efforts that are well on their way in California and Nevada, with pending legislation in 6 other states.

Using the California Consumer Privacy Act (CCPA) as our bellwether, this post aims to provide your organization with four steps you can begin today that will lay the groundwork for implementation.

What is CCPA?

In response to events such as the personal data misuse by Cambridge Analytica, the California Legislature set out to give consumers greater control over their personal information. The act gives Californians the right to:

• Know what information is collected about them and be provided access to the data collected.
• Know if their information is being sold and to whom.
• Deny the sale of personal information – and be provided equal service and price, regardless of data status.

These rules might feel crippling, especially for small businesses and startups.  And for that reason, the legislation only applies to organizations who meet very specific criteria:

• Gross revenue of $50 million
• Sell information of 100,000 or more customers
• Derive 50% or more of its revenue from the sale of consumer data.

What are the implications?

While CCPA doesn’t go into effect until January 1, California-based organizations, and those with a heavy customer-base in the state, are scrambling to stay on top of revisions and build out the organizational infrastructure to be in compliance, or at the very least show a good-faith effort.

The knee-jerk reaction is to approach this solely as an operational challenge. While that may be a short-term solution to meet impending deadlines, those in and outside the California (and Nevada) borders should approach this as both an operational and strategic exercise.  As organizations begin instituting mechanisms to better organize and protect customer data, senior leaders need to get into the practice of asking themselves, how do these actions impact our broader business strategy? And, as sensitivity around the topic of customer privacy grows, will this necessitate a broader pivot?

4 Steps your organization can take now.

While you ponder the strategic implications, there are several activities organizations that collect sensitive consumer data should be taking now to prepare themselves for this new era of consumer data protection.

• Map out your processes. Go through your level 1 and level 2 processes and develop an understanding of how data is being used, managed, and protected.  On your level 1 or macro-level processes, you should be asking yourself, what data is this process using? Where is it coming from, and how is it updated? This stage is intended to help you prioritize.As you dig deeper into level 2 processes, the scope of the process narrows.  You should be asking yourselves a lot of the same questions, but because we’re speaking about a more defined process, it will require greater specificity.  The most significant outcome here is an understanding of where you’re using data.
• Understand your revenue sources. It bears repeating – these laws could have a significant impact on businesses whose revenue is heavily reliant on the use and/or the sale of consumer data. To what extent does this exist in your organization? Where it exists, I challenge you to reassess the viability of that income.  Ask yourself, is this still going to be a piece of the business, or does it need to be eliminated?  With every level of income, you have to reckon with the fact that it may be something that’s no longer permissible.
• Develop a clear picture of how you manage customer data. Building upon your learnings from the mapping exercise, your goal should be to develop a holistic view of where data is coming from and how it’s managed.  Is it centralized or distributed? How is it protected? What data is used specifically for revenue (versus an operational purpose)?  Out of that picture, you’ll want to determine if you have a robust data management structure, clear data definitions, and defined data integrity practices.  If you answer yes to those three elements, then you’re good to go.  If not – you’re seeing critical data being used in a diffused way or your data isn’t properly secure – then that’s where you should focus your efforts.
• Identify a captain. It’s my firm belief that your organization’s Chief Risk Officer is best positioned to lead the charge on consumer data compliance.  They not only understand the regulatory landscape, but they also understand the intrinsic link between your organization’s strategy and operations.  Lastly, they’re working to minimize reputational risk, a longer-term consideration as we go down the path of enforcement.

Most states and the federal government are still several years away from approving laws that prioritize consumer protection over the bottom line – but consumer attitudes are already there.  Starting with your strategy – and beginning to build a culture around the sensitivity of customer data – will help streamline the operational shifts, making the transition to compliance far less difficult.

For those of you beginning this process or looking to begin it, I encourage you to reach out, ask questions and share insights.