While GDPR and CCPA do require a shift in focus, their requirements should not be entirely new. Many of the same security controls that organizations measure to demonstrate compliance with regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, or even to show security due diligence, will serve those organizations well as they seek to establish compliant privacy programs.
Let’s take a look at some simple things that you can do to either shore up your existing privacy program or establish a new one.
1. Seek Professional Help
Privacy compliance does have technical implications, but it will also require input from business units, risk managers and legal. You’ll need assistance from the business leaders who head up areas responsible for the collection and use of personally identifiable information (PII), and you’ll need to define thresholds of risk acceptance.
You’ll also need advice from attorneys versed in privacy matters who can help you parse the letter and the spirit of GDPR and CCPA and help you interpret them in the context of your own organization and its unique business practices — “due diligence” can be a very subjective term.
2. Determine How These Regulations Affect Your Organization
Organizations must understand whether they really need to comply with GDPR and CCPA. If you handle any PII, it’s likely that these laws do touch you. While there are still open questions about the ability of EU regulators to reach into U.S. corporations, there’s no doubt that the California attorney general has authority to regulate transactions involving California residents. If you collect PII from anyone located in California, you must comply with CCPA.
This does, of course, lead to a secondary question:
How much business value do you derive from that PII? Does the business value justify the cost of compliance?
If not, your shortcut to privacy compliance might be to eliminate the collection and retention of such information. In recent years there has been a tendency to hoard consumer data on the understanding that it is “valuable,” but with little thought to the implications of holding that data. This may well be a case of “if it doesn’t spark joy for your business, discard it.”
3. Follow in Established Footsteps
Finally, frameworks exist for both security and privacy controls. Chances are that you have already adopted a security framework, such as ISO 27001 or the National Institute of Standards and Technology’s Cybersecurity Framework. These documents are a great starting point for establishing a robust security program, and a strong security program provides a solid foundation for a privacy program. Data privacy is a component of security, but having established a security program alone does not necessarily mean that you have your ducks in a row.
Fortunately, there’s a framework for that as well. NIST released the first version of its Privacy Framework, providing organizations with a roadmap for assessing their privacy controls. Does the NIST Privacy Framework address a specific regulation? No, but it provides a good agnostic vehicle to assess how your organization implements privacy controls, which you can map back to a specific regulation, be that GDPR or CCPA.
If you’re looking at that new NIST document and wondering how you can get started, consider performing an assessment. Take a look at the elements of the framework and objectively rate your organization’s performance against those elements. Develop a listing of gaps that currently exist and then get started on a remediation plan. If you need help getting started, CDW’s cybersecurity team stands ready to assist you with an independent assessment of the state of your privacy controls.