How would you describe the impact of two key pieces of legislation – the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)? To what extent are these privacy laws shaking up how companies collect and process data?
Kathryn Rock: As a result of both the GDPR and the CCPA, companies must be more transparent and assume more responsibility regarding the collection and processing of any consumer personal information. Companies need to understand the consumer data they collect and have in their possession, along with the various ways it is used, including any interactions with third parties. Companies are being held accountable for how they interact with personal information and that has translated into adjustments to their business processes related to data collection and use, particularly as both pieces of legislation allow for financial penalties to be levied on any companies found to be in violation. Particularly, the CCPA’s private right of action explicitly allows consumers to seek damages for any violations of the CCPA, which exposes companies to both civil penalties levied by regulators and damages paid directly to consumers.
How would you characterize the growing intersection between data analytics and data privacy? In your experience, do companies tend to underestimate the data privacy implications of conducting data analytics?
Kathryn Rock: Any new technology should be nimble, considering the numerous data privacy laws being enacted or proposed worldwide. Besides assessing if all collected and stored data is necessary, companies can take many steps to manage privacy considerations and risks while implementing technology and utilizing data analytics. There are a number of issues companies should consider, the first of which is governance. They should create or update data privacy governance structures and committees to develop or implement strategies for compliance with laws, including the potential inclusion of a chief privacy officer. Companies should also consider policies and procedures. This will require them to develop or update policies and procedures to ensure compliance with existing regulations and implement a robust change management process to account for any new or changing regulations. Training must also be a consideration. Companies must establish and update training programs to include applicable policies and procedures, including identifying impacted individuals for training. Finally, companies must consider data security. They should review existing data security infrastructure and enhance the organization’s ability to respond to security breaches, in compliance with laws.