GDPR is in place; CCPA is coming. Are you ready?


The one-year anniversary of the implementation of the General Data Protection Regulation (GDPR) has recently passed. Regardless of where you live, during the past year, you’ve probably received your fair share of emails from companies telling you how they’re going to comply with the new regulation and, most likely, asking for your permission to continue using the information they’ve collected about you over the years.

If you’re a vendor who’s been collecting information about your customers over the years, the immediate challenge may be more than a mere nuisance. The last thing you need is regulators demanding to know if and how you’re in compliance with the rules; they’re already doing precisely that in Europe.

It doesn’t matter where you’re based: GDPR applies to any organization that processes the personal data of people in the EU, whether those people are customers or employees, so most firms of any size fall under it. American and Asian firms are working to meet the European requirements on top of the regulations they already live with, such as HIPAA and Sarbanes-Oxley. This is true regardless of vertical or industry: financial services, utilities, retail, transportation, insurance, health care and manufacturing are all affected.

Many U.S. based firms have decided to comply with GDPR, even for their American customers; it’s easier to implement one set of privacy rules worldwide, rather than set up geographically based rules. It frees them from any worry about customers who may slip through the cracks, leaving them open to potential violations.

Of course, American firms also have the coming implementation of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, staring them in the face. Many other states have similar rules either on the books or under discussion in their legislatures, and more than 50 countries around the world have enacted their own data privacy laws.

Firms should view GDPR and CCPA as an opportunity that can pay dividends when leaders throughout the organization, from the chief data officer (CDO) to the data governance team, are involved. The firms that do this well share a few traits:

  • They regard GDPR as a strategic enabler rather than foisting it off on IT as one more problem to solve.
  • As part of their GDPR compliance, they focus on the customers that matter most to their business. They engage with those customers, ask for permission to keep their data and keep the conversation going.
  • Once that’s done, they actively work to understand their customers better. An open and positive relationship gives customers fewer reasons to click the “delete” button.

There is, of course, a significant technology component.  The data that firms collect resides worldwide, in multiple locations. CDOs must ensure the data they’re charged with safeguarding has been accounted for in all its forms, regardless of where it is stored. The data under your organization’s stewardship will continue to grow, along with your business. If you expand into new locations, you’ll be responsible for expanding your monitoring efforts for the data these sites generate.

This gives rise to another potential challenge: ensuring that you have a firm handle on where multiple copies of the same data are located throughout your firm. You may delete a customer’s personal information from your servers in San Francisco, but if a copy survives on a server in New York, in a backup, in an analytics warehouse or with a third-party processor, you have not honored the request and may be open to penalty under CCPA or under GDPR’s right to erasure. Discovering where all of your data resides is key to your future compliance and success.

So, how can companies ensure they are doing their best to meet these regulations?

  • Regardless of where you’re located, appoint a chief data officer with the authority to do a deep dive into your company’s data. The CDO should be able to determine where the data exists, in what forms, and what policies and procedures are in place to comply with all of the regulations. Note that GDPR separately requires a data protection officer (DPO) for public bodies and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data; the CDO role described here is a business function and does not substitute for that statutory one.
  • Continually monitor the regulations. Britain has implemented the Data Protection Act 2018, which supplements GDPR and extends similar rules to areas GDPR does not cover, such as processing by law enforcement. That’s the point: expect the authorities to strengthen the rules over time as they deem necessary. Compliance today does not automatically mean compliance tomorrow.
  • Implement new technologies to help you get a handle on your data. You want to be able to track down where the data resides and confirm that the rules governing its use are accurate and are being consistently applied.
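The two points above (copies of one customer’s data scattered across locations, and tooling that can find them) come together in an erasure request: before you tell a customer their data is gone, you have to know every place it lived and re-check after deletion. The following Python is an added example, not the author’s product or any vendor’s code. It builds a small inventory of personal data across several constructed in-memory “stores” (a CRM, a warehouse and free-text support tickets), keys subjects by a keyed hash of the normalized email address so the inventory itself does not become another plaintext copy of PII, fans an erasure request out to every store, and then re-scans to prove no copy survived. The store names, records and the `INVENTORY_KEY` value are assumptions for the demo.

```python
"""Personal-data inventory: locate every copy of a subject, erase, then verify.

Added example with constructed sample data; not the page author's product.
"""
import copy
import hashlib
import hmac
import re

# Constructed sample: the same customer appears in three systems under three
# different field names and formats. Real stores would be databases, object
# storage, backups and third-party processors.
STORES = {
    "sf-crm": [
        {"id": 101, "email": "Alice@Example.com", "name": "Alice Liddell"},
        {"id": 102, "email": "bob@example.org", "name": "Bob"},
    ],
    "ny-warehouse": [
        {"customer_email": " alice@example.com ", "spend": 420.0},
        {"customer_email": "carol@example.net", "spend": 10.0},
    ],
    "eu-ticketing": [
        {"contact": "Support request from alice@example.com about order 7"},
    ],
}

# Assumption for the demo: in production this key comes from a secrets manager
# and is rotated; here it only needs to keep raw emails out of the inventory.
INVENTORY_KEY = b"rotate-me-demo-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sample_stores():
    """Fresh deep copy of the sample data so callers can mutate it safely."""
    return copy.deepcopy(STORES)


def normalize_email(addr):
    """Case and whitespace differences must not hide a copy of the same subject."""
    return addr.strip().lower()


def subject_token(email):
    """Keyed hash of the normalized email; the inventory stores only this."""
    return hmac.new(INVENTORY_KEY, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def emails_in_record(record):
    """Scan every string field, including free text, for email addresses."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for match in EMAIL_RE.findall(value):
                found.add(normalize_email(match))
    return found


def build_inventory(stores):
    """Map subject token -> list of (store name, record index) holding that subject."""
    inventory = {}
    for store, records in stores.items():
        for idx, record in enumerate(records):
            for email in emails_in_record(record):
                inventory.setdefault(subject_token(email), []).append((store, idx))
    return inventory


def locations_for(inventory, email):
    """Every location that must be touched to honor a deletion request."""
    return inventory.get(subject_token(email), [])


def erase_subject(stores, email, only_stores=None):
    """Drop every record mentioning the subject; returns how many were removed.

    only_stores restricts the erasure, which models the partial deletion the
    article warns about (San Francisco cleaned, New York untouched).
    """
    token = subject_token(email)
    removed = 0
    for store, records in stores.items():
        if only_stores is not None and store not in only_stores:
            continue
        kept = []
        for record in records:
            if token in {subject_token(e) for e in emails_in_record(record)}:
                removed += 1
            else:
                kept.append(record)
        stores[store] = kept
    return removed


def verify_erased(stores, email):
    """Re-scan after erasure; any residual location means the request is not yet honored."""
    return locations_for(build_inventory(stores), email)


if __name__ == "__main__":
    stores = sample_stores()
    print("before:", locations_for(build_inventory(stores), "alice@example.com"))
    erase_subject(stores, "alice@example.com", only_stores={"sf-crm"})
    print("after SF-only erase, still present in:", verify_erased(stores, "alice@example.com"))
    erase_subject(stores, "alice@example.com")
    print("after full erase, still present in:", verify_erased(stores, "alice@example.com"))
```

The re-scan in `verify_erased` is the part that matters for compliance: it is the check that turns “we deleted it” into evidence. In a real deployment the scan would read from the systems of record, backups and processor exports rather than from in-memory lists, and records with mixed content (a support ticket mentioning several people) would usually be redacted rather than dropped whole.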

The CCPA clock is ticking, and we’re already well past midnight on GDPR. Compliance with these laws isn’t going to get any easier, which means you need to be moving toward compliance if you’re not already there. But if you look at it as an opportunity, the journey will be well worth it.

About the Author

Rohit Mahajan is CTO/CPO at Io-Tahoe. Rohit is an ex-Wall Street executive turned entrepreneur. He is passionate about developing disruptive technology for data discovery using machine learning. He is an experienced technologist with a proven track record of implementing global solutions at financial institutions for devops, testing, security and data center transformation. In his 20-year technology career, Mahajan has held a number of senior roles at Dun and Bradstreet, Morgan Stanley, and Deutsche Bank. Most recently, Mahajan built disruptive Smart Data Discovery and Catalog technology, which was acquired by Centrica’s Io-Tahoe.
