If you’re in compliance at a high-growth company, data privacy can take a back seat to other considerations including funding, onboarding employees, and finding new customers.
But a group of experts in a session at Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Tuesday argued complying with data privacy regulations from Day 1 can provide companies with certain advantages.
Done well, a good data privacy program can be a difference-maker that sets your company apart from its competition. Done poorly, it can stop deals in their tracks.
“Your business may ask, ‘Why do we need it?’” said Prayag Narula, chief executive and co-founder of Marvin, a computer software company that helps clients develop data collection and retention strategies. “Well, they soon find out that we need it to get contracts and close deals. It has become a key question for clients.”
More potential clients are asking firms to state their data privacy procedures upfront, either in an initial sales call or a bit further down the dealmaking line. “Somewhere along the line, whether it is IT or procurement, someone is going to evaluate your data privacy program,” Narula said.
Knowing exactly how data privacy regulations apply to your company’s product or service—particularly the European Union’s General Data Protection Regulation (GDPR)—is increasingly important, said Matt Cooper, principal, cybersecurity and data privacy at software firm Vanta.
Cooper said companies that are compliant with the GDPR are easily able to adjust their programs to be compliant with other countries’ data privacy laws, like the California Consumer Privacy Act (CCPA).
“Going from GDPR to CCPA is not a big jump. Almost every box is checked,” he said.
The first step is to conduct a gap assessment that examines what the law in a particular jurisdiction requires and what the company must do to comply. Next is a risk assessment, which identifies what data privacy violations or data breaches could cost the company in terms of business activity, reputation, and fines.
Launching programs and initiatives that are compliant with data privacy laws from Day 1 is smart business, Narula said.
“Someday, when you will need to be compliant, you’ll be better prepared for the gap assessment and the risk assessment,” he said. “A lot of this is common-sense stuff. If you follow best practices, you’d find at the risk assessment you’re most of the way there.”
Having that knowledge can make your firm more competitive. Understanding what data privacy requires of you, and how you will fulfill those requirements, is key, Cooper said. It starts with having your own house in order.
“If you don’t know your own problems and weaknesses, you’re not ready,” he said. “You have to answer questions from an informed point of view.”
Understanding data privacy regulations could also help you land clients. While it might be good practice for your company to comply with the GDPR, it might not be in the best interests of the potential client, particularly if they do not have customers in the European Union.
One example is the rules governing website cookies, which collect data on customers browsing a particular website. The GDPR says customers must opt in before cookies may collect information about them; U.S. privacy law (the CCPA) says customers can opt out.
A company “could be losing valuable marketing data” if it complies with the GDPR but only has U.S.-based customers, Cooper said.
The ideal person within a company to handle data privacy questions is a data privacy officer—someone whose job it is to protect the rights of data subjects and whose role is nonoperational and advisory. This position is not meant to participate in business strategy, Cooper said. The business sets the strategy and the risks it’s willing to take, and the data privacy officer advises the business on how to meet those goals in a compliant way.
A lot of companies, though, do not have the luxury of someone whose only job is to understand data privacy regulations. It’s often a responsibility loaded onto a senior manager who is already juggling many others. But that doesn’t make the need for a defensible data privacy program any less important.
Once your firm has convinced a client its services are desired, then it’s time to provide documentation, Narula said.
“Being able to back up your claims with documentation and proof, that’s a part of defensibility,” he said.