In the fourth installment of a five-part series, five senior compliance practitioners outline how their companies have reacted to recent privacy legislation.
How has your firm prioritized data privacy compliance in the wake of new regulations like the GDPR, CCPA, etc.?
Meet the executives

Chief Risk Officer
Years in compliance: 30

Regulatory Counsel & CCO
Years in compliance: 7

Founder and President
Cheatham Roberts Consulting
(Formerly Managing Director and CCO of Civitas Capital Group)
Years in compliance: 26+

SVP, Chief Risk, Compliance & Ethics Officer
UPMC Health & Insurance Services
Years in compliance: 20+

President & CEO
Years in compliance: 25+
DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.
ANDREW BEAGLEY: Data privacy compliance, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is a top priority for our organization. We have created risk frameworks that enable regulations and other privacy standards to be mapped to controls to assess vulnerability through periodic assessments. We assign weighted risk scores and aggregate results enterprise-wide to create a centralized view of risk. We believe the investment is worthwhile, as data privacy risk quantification has multiple use cases: for example, analyzing an increased number of business units/lines; conducting privacy risk assessments across third-party suppliers and M&A targets; as well as managing regulatory obligations.
KORTNEY NORDRUM: The global landscape is changing, and data protection laws have become commonplace. As an organization, we’ve had to not only keep up but learn to be proactive in our approach to data privacy. The privacy function is invited to the table and included in all aspects of our business and product lifecycle—from the first idea through a product rollout. We’ve turned our privacy and information security functions from bolt-on to built-in.
LAURIE ROBERTS: With new regulations such as the CCPA and GDPR, controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data. My company works with organizations to design information systems and policies with privacy in mind, utilizing encryption and endpoint protection services. Privacy compliance procedures also help prevent negative business impacts, such as financial costs or operational and reputational issues, by reducing the risk of a breach.
KC TURAN: Perhaps we’re in the minority, but these newer laws have relatively limited applicability and impact on our operations. There may be pockets of applicability, but it’s comparatively limited, and we already comply with HIPAA; its related regulations; and other privacy laws, regs, and standards. Being such a regulated industry, including industry-specific privacy regulation, the lift in scaling to newer laws like GDPR and CCPA is a bit less onerous and elastic, particularly regarding the requirements of access, review, correction, deletion, and portability. Privacy and cyber-security have always been prioritized for us, and new laws serve to further cement this commitment.
STEVE VINCZE: Organizations that I work with and support have understood and prioritized the need to understand how the GDPR, CCPA, and other evolving privacy and data security legislation (e.g., the new California Privacy Rights Act and proposed U.S. federal privacy/data security legislation) may affect their specific business operations and why. It is important to understand the key drivers of the legislation, i.e., the risks it is intended to address and how they may arise. Accordingly, our organization ensures there are regular reviews, updates, and briefings to the executive team on what these legislative developments and requirements are, so that the company can be as proactive, thoughtful, and precise as possible in addressing these requirements in its specific business circumstances. Staying ahead of developments is key to managing expectations, planning appropriate funding, and implementing timely processes in compliance with these new laws, but just as importantly, to keeping the business operations running smoothly and efficiently.
Special report: Compliance, infosec & battling cyber-threats
Ask a CCO: How has your company prioritized data privacy compliance?