March 7, 2023
According to research by the International Association of Privacy Professionals (IAPP), privacy is growing—but not fast enough. Privacy teams are growing by 12% year-over-year, but many organizations are still struggling to execute on all the demands of data privacy compliance. What’s behind this struggle? Is it simply a matter of too few dollars and too little headcount, or is something more nuanced at play?
The answer lies somewhere in the middle. Data privacy teams need to overcome these 9 challenges if they’re to succeed in the modern business and privacy landscape.
It isn’t easy to convince your colleagues to collaborate with you on data privacy, but even when you’re successful in this endeavor, there can be a hint of resentment. It’s frustrating to want to get on with your daily work only to need to interrupt the flow of your day to accommodate new privacy responsibilities.
While it’s not the only way that privacy can be perceived as a blocker rather than an enabler, vendor assessments and reviews are one of the biggest bottlenecks that privacy creates (or at least is perceived as creating). Fortunately, there are solutions you can rely on to expedite this process, ensuring that your team gets the tools they need and your customers’ data stays safe.
In many businesses, the privacy team consists of one individual, if that. Often, legal, security, IT, or other professionals simply have data privacy responsibilities tacked onto their job description.
Furthermore, the resources made available to privacy professionals to build their privacy program are often inadequate. It makes sense—most stakeholders see data privacy as part of the cost of doing business. And most of the time, businesses want to minimize those costs.
According to IAPP research, businesses are investing about $1.8 million into privacy on average. For businesses earning less than $100m in revenue, that number plummets to about half a million. Is it enough? Often, the answer is no.
Fortunately, you can persuade leadership that the organization’s privacy posture needs more attention. We provide several actionable tips on how you can “sell” your privacy program internally in our blog, Making the business case for your data privacy program.
Data privacy compliance can’t exist in a vacuum. Your customers’ personal information will be spread out across a number of different systems and departments. If your organization aims to collect and process data in a compliant way, you need to ensure your colleagues understand the importance of data privacy and their responsibilities to it. To assess whether the broader organization is sufficiently educated on privacy, ask yourself questions like:
Securing follow-through and spreading awareness is one of the most challenging aspects of a privacy professional’s job. You can’t just give a 10-minute speech at the start of your next all-hands and expect everyone to understand their responsibilities. Building out a training and awareness plan is a project that will take some time. We provide some guidance in our blog, 7 biggest pitfalls for modern privacy programs.
In most organizations, there isn’t a clear point when you’ve completed an iteration of your privacy program. Things are always evolving and adapting. But at some point, you’ll recognize that the current iteration of your privacy program no longer fits the organization—it may have in the past, but that was when your business was a different size, the regulatory landscape was different, and you were different as a professional.
This is a key sign that it’s time to scale your program. If you adopted a formal approach to developing your privacy program initially, you can simply apply this approach again and see how your conclusions differ now that the organizational context has changed. If, as is usually the case, you developed your program in a more organic fashion, you might want to review the steps we describe in our blog, What is a privacy program and how can you build one?
These days, the state of privacy is in constant flux. Keeping up with the latest regulatory updates, best practices, legal guidance, and more takes time, but is essential to developing a data privacy program that works. The real challenge lies in gathering insights from the latest privacy developments and actually operationalizing that data privacy program with those insights at the same time. It’s a difficult balance to strike.
Privacy professionals need to be intentional about where and how they consume privacy news so that they can quickly identify what information is essential to act on. For starters, privacy professionals might be interested in reviewing the 5 emerging data privacy trends Osano identified in our blog. The Osano newsletter, Privacy Insider, also regularly reports on actionable news in the privacy world.
Change is always hard, but when it comes to data privacy, it’s necessary.
Privacy professionals can expect to see resistance to their efforts from all corners of the organization. Marketing doesn’t want to sacrifice analytics data from website visitors who opt out of data collection. Developers don’t want to add yet another step to the development lifecycle. Teams across the organization just want to get the tools they need to do their job without delay.
One way to persuade blockers that privacy is important and worth the change is to share all of the news coming out of the privacy world. As a privacy professional, you’re likely far more aware of major headlines than your colleagues in marketing, development, or other departments. Sharing news is a great way to demonstrate the stakes.
One headline that’s made a big splash and has gone a long way toward driving compliance is the Sephora enforcement action. If your business is subject to the CCPA/CPRA or any U.S. privacy laws, it might be worthwhile sharing our post on the Sephora action.
Without strong support from executive leadership, it’s going to be twice as difficult to convince your colleagues to collaborate with you on data privacy, to secure the right budget, to gain additional hires, to get critical tools, and more. With their support, the opposite is true; leadership buy-in can make many of your biggest problems go away in an instant.
It isn’t reasonable to expect the C-suite to just “get it” without some education and planning, however. Securing buy-in for your data privacy program is a significant project that should be undertaken with thoughtfulness. We go into detail on 7 key factors to consider when making the business case for your data privacy program in our blog.
DSARs are a very visible compliance activity, and fulfilling DSARs can be difficult to do well, especially at scale. If your organization is struggling to fulfill DSARs in the 30- or 45-day timeframe required by law, then the data subject may lodge a complaint. In certain jurisdictions, data protection authorities and data privacy advocacy groups make DSARs specifically to audit whether businesses are compliant.
The number one way to get in trouble with your DSAR process is to do it manually. The downfalls of manual processes are well-known: they’re prone to error, they’re slow, and they take away time that could be better spent. When it comes to compliance, the risks associated with speed, errors, and opportunity cost are much higher.
Automated solutions are key to streamlining DSAR compliance and reducing these risks. Different solutions exist to help privacy professionals complete DSARs on time; our guide on choosing the right DSAR platform for your business can help you identify the right fit.
Many data privacy platforms are guilty of the same basic sin—in pursuit of total customization and universal applicability, they become complex, unwieldy, and unintuitive to use.
This is an issue in all software, but it’s especially grave in compliance software. For starters, compliance software should have regulatory insights baked in. Even experts can’t be expected to remember every minute rule in every data privacy regulation; there should be guardrails that prevent you from becoming accidentally noncompliant. Furthermore, compliance software should be easy to set up, so that you don’t spend months out of compliance during the implementation process. Overall, compliance software needs to be designed in a specific fashion that respects the regulations that it purports to support.
It’s not easy to evaluate what it would actually be like to implement a piece of compliance software until you get your hands on it, though. To help businesses identify potentially troublesome compliance solutions in advance, we identified 5 red flags to avoid in a CMP implementation.
Some of these challenges can only be solved by you. Things like communicating data privacy, collaborating with your colleagues, changing the culture around data privacy, strategizing and planning—these are part of the essential work of a data privacy professional.
But many of these challenges are a matter of tooling. Streamlining the DSAR process, operationalizing your data privacy program, ensuring you have the time to scale your program, and similar challenges can be solved by identifying the right data privacy platform. Your ideal compliance software will automate the more transactional tasks in your day, freeing you up to focus on the work that only you can do at your organization.
Our advice is to prioritize the search for a data privacy platform that can serve as the heart of your data privacy program. If Osano makes it onto your list, we’d love to show you how we can help.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.