Manage Your Privacy Journey: GDPR, CCPA and Beyond

Published On November 27, 2018

I love adventures! Whether in a city or out in nature, it is exciting to go out and do things. Simple adventures do not require a lot of planning, but you still need to be prepared for the day. More complex adventures require a lot of planning, coordination and execution. In organizations, complex adventures also require stepping back and reevaluating where you are and where you’re going.

Over the past few years, we have been on a General Data Protection Regulation (GDPR) adventure. Some might think the privacy adventure is over as we are now six months past the compliance deadline of May 28, 2018. However, the privacy journey is ongoing, and organizations need to continue forward with ongoing proactive GDPR compliance, particularly as organizations are dynamic and constantly changing.

Think about it, has your organization remained the same over the past six months? Certainly not.

In the past six months since GDPR went live, your processes, business, employees, third parties and customers have all likely changed. Compliance, particularly to something like GDPR, has to be continuously managed and monitored. The organization needs to have complete privacy situational awareness in a dynamic business environment to manage risk across the full lifecycle of personal data in your organization and its web of processes, transactions, relationships and interactions.

But it is not just GDPR, there are other regulations mandating the protection of personal data the organization has to respond to. The most notable of these is the California Consumer Privacy Act (CCPA) with its deadline of January 2020.

On any journey you need time to gather your bearings and know where you are. It is time for organizations to step back and reevaluate where they are on their privacy compliance journey and map their course for what they need to adjust and what needs to be accomplished over the next year. This begins with conducting a current state assessment to assess where you are, so you know what needs to be done or adjusted.

Some key elements to assess the current state of your organization in privacy management are:

• Review of your organization’s privacy compliance activities and risks to personal data
• Understand how you are performing against your peers in a privacy benchmark
• Document and adjust how you are managing data subject requests to their information
• Identify how personal data is stored, used, moved and dispositioned in your organization and how this has changed as the organization has changed
• Determine gaps in your program and how these are to be addressed

It is critical that this current state assessment not only addresses GDPR, but also the range of other relevant jurisdictional and industry-specific privacy requirements, such as CCPA.

When doing the current state assessment and planning the next phase of the privacy compliance journey there are two critical privacy compliance functions that organizations need to pay attention to in a dynamic business environment. These are:

• Data subject rights request management. Organizations need to stay current on how they are collecting and managing requests made by individuals to exercise their data subject rights to assess, delete and rectify concerns over their personal data.
• Personal data classification. Business processes are dynamic and can quickly go astray of compliance requirements. As the business changes, it is critical to identify where personal data is located, used, transferred and its disposition in the organization.

The bottom line is that GDPR, CCPA, and other privacy mandates, require the organization to continually manage them in today’s distributed and dynamic organization. It is not a point in time effort, but one that has to be in sync with the business as it evolves, adapts, changes and morphs. It is good for organizations to step back on a periodic basis (e.g., annually) and determine where they are at and make adjustments to where they are going on their privacy journey.