By: Linda Coniglio, Director of Privacy and Information Governance
California and Virginia have passed comprehensive privacy regulations. The California law has been amended. More than 10 other states have introduced privacy legislation. In addition, a federal privacy bill has been introduced.
To state the obvious, such a patchwork of regulations makes implementing a compliance program a challenge. You might even find it confusing or intimidating. Maybe you’re thinking about doing nothing until there is a single set of rules for companies to follow. Not a good idea. More privacy laws will be passed. These days, no state or country wants to be seen as the governing body that isn’t concerned about the data privacy rights of its citizens.
The following are some best practices learned from companies that have started their privacy compliance programs and found success:
- Determine Whose Privacy Rights Your Organization Will Honor – Each law specifies the businesses to which the law applies. For example, the CCPA covers companies doing business with California consumers. As more states introduce laws, the trend, as depicted by Microsoft, is to provide privacy rights to all customers no matter their location. Such a privacy practice builds trust and demonstrates social awareness.
- Create a Data Map – A data map or data inventory is the basic starting point to a successful compliance program. Data maps give insight into the data your organization collects, where it is stored, how it’s being used, specific safeguards being applied to it, and retention periods associated with it. In addition, a data map helps you determine which laws apply as you meet various consumer thresholds. Some laws, such as the GDPR, require a data map.
- Establish Procedures to Fulfill Consumer Rights – Existing laws have many similarities among consumer rights (See Privacy Tidbit). Pick a global or state regulation and establish standard practices to comply with its requirements. As other laws are enacted, it won’t be difficult to add or modify processes. Use automation to fulfill data subject requests as much as possible.
- Upper-management and Legal Activities –
  - Review vendor agreements for updated privacy language
  - Limit what your organization does with personal data
  - Set reasonable security practices
  - Review privacy notices and statements to accurately describe how your organization collects and uses data
CPRA and VCDPA take effect January 1, 2023. Several other potential privacy regulations specify this effective date as well. Start implementing your compliance program now to allow yourself ample time to comply.