How consumers think about online privacy and sharing their data has matured and evolved over the last decade. It first gained momentum with the adoption of the General Data Protection Regulation by the European Parliament in 2018. Shortly thereafter, California passed the California Consumer Privacy Act, making it the first of the 13 U.S. states that have, to date, passed comprehensive data privacy laws. The U.S. government has not passed a comprehensive nationwide privacy law.
Last year the European Union enacted a new set of regulations known as the Digital Services Act (DSA), designed to harmonize content regulations across the EU and create specific processes for online content moderation. The sweeping regulation is considered the biggest-ever rule expansion in the West, and the biggest rollout for the European Union since the General Data Protection Regulation went into effect in 2018. The Digital Services Act was built to create a safer digital space, and it includes new rules on content moderation, user privacy, and transparency. The major tech firms—Apple, Amazon, Google, and Meta—have announced changes to be in compliance. In all, the EU singled out 19 tech firms, including LinkedIn parent Microsoft, for greater content scrutiny.
Data gathering has become more sophisticated and expansive over the last few years, but it is still largely misunderstood by consumers. Repeated data breaches, scandals and privacy negligence have raised awareness of data collection, which in turn has driven both personal behavioral changes and legislation.
The task of crafting a privacy and data protection program that meets the demands of laws and regulations is challenging, but it isn’t impossible. We aren’t ones to back away from a challenge and neither should you… so let’s dive in!
Navigating Your Evolving Privacy Roadmap
- Know Where You Stand
  - What laws/regulations must your business adhere to?
  - What is the present state of your privacy program and compliance?
  - What are the primary components of your privacy program?
  - What are the most significant areas of weakness and risk?
- Data Audit, Mapping and Inventory
For this, data mapping is a perfect technique, as it helps you quickly understand the flow of data. For data mapping, consider using visual representation tools, such as Datorama, which is well suited to representing large amounts of data from different data sources. Your data map should include the following information:
- How and from where is data collected?
- What type of data is collected?
- Where is the data stored, and in what formats?
- Where does the data go?
- How is the data being used?
- Where is the data going outside of your organization?
- How long is the data stored?
Keeping your data inventory updated can be challenging due to the fact that most organizational functions collect or process data. Some privacy teams collaborate across business functions using spreadsheets while mapping out their data. Some opt for automating the discovery of data and compliance reporting processes.
Quick Tip: Make sure your data map or audit also includes sensitive data and its applicable uses in your ecosystem. Decide if it’s better to take a state-by-state or national approach to sensitive information.
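To keep the map from drifting the way a shared spreadsheet does, here is an added example (not a tool from this page or the agency) that records each data element against the questions above and reports the gaps and review items; the field names, the constructed sample records and the 730-day retention ceiling are all assumptions:

```python
"""Data-map inventory checker: each record answers the data-map questions above
(how/where collected, type, storage and formats, internal flows, use,
external recipients, retention)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DataElement:
    name: str
    source: str                      # how and from where it is collected
    category: str                    # type of data: contact, payment, health, ...
    sensitive: bool                  # flagged per the Quick Tip above
    storage: str                     # where it is stored
    formats: List[str] = field(default_factory=list)
    purposes: List[str] = field(default_factory=list)       # how it is used
    internal_flows: List[str] = field(default_factory=list)  # where it goes inside
    external_recipients: List[str] = field(default_factory=list)  # leaves the org
    retention_days: Optional[int] = None                     # how long it is kept


def find_gaps(inventory, max_retention_days=730):
    """Return human-readable findings; an empty list means the map is complete
    and nothing needs review. max_retention_days is an assumed policy limit."""
    findings = []
    for e in inventory:
        for attr in ("source", "category", "storage"):
            if not getattr(e, attr):
                findings.append(f"{e.name}: missing '{attr}'")
        if not e.formats:
            findings.append(f"{e.name}: storage format not documented")
        if not e.purposes:
            findings.append(f"{e.name}: no documented use")
        if e.retention_days is None:
            findings.append(f"{e.name}: retention period not set")
        elif e.retention_days > max_retention_days:
            findings.append(f"{e.name}: retention {e.retention_days}d exceeds policy")
        if e.sensitive and e.external_recipients:   # sensitive data leaving the org
            findings.append(f"{e.name}: sensitive data shared externally with "
                            + ", ".join(e.external_recipients))
    return findings


# Constructed sample inventory for illustration only.
SAMPLE = [
    DataElement("email", "web signup form", "contact", False, "CRM (Postgres)",
                ["text"], ["newsletter"], ["marketing platform"],
                ["email service provider"], 365),
    DataElement("card_number", "checkout page", "payment", True,
                "payment gateway vault", ["tokenized"], ["billing"], [],
                ["payment processor"], 90),
    DataElement("health_survey", "campaign landing page", "health", True, ""),
]
```

Run `find_gaps(SAMPLE)` to see that the complete contact record produces nothing, the payment record surfaces one external-sharing item to review, and the half-filled health record produces four gaps.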
- Data Compliance
Data plays a crucial role in the daily operations of businesses. With more data being collected and processed than ever, protecting sensitive information and following relevant data security rules are essential. Data compliance is important not only for legal reasons but also for building trust and maintaining a good customer reputation.
Familiarize yourself with the relevant rules (as ever-changing as they may be). Conduct a search and identify the specific data protection and privacy regulations that are relevant to your company’s industry, operations, and geographical locations. As previously mentioned, there have been no dedicated privacy laws passed by the U.S. government for the entire country. In many states, there are laws that allow their residents to protect their personal data.
While the General Data Protection Regulation (GDPR) in Europe was groundbreaking, there is now an expansive global patchwork of data privacy regulation that includes various privacy laws enforced by individual states and countries. Following California’s lead, four other states—Colorado, Connecticut, Utah, and Virginia—have already begun enforcing new GDPR-inspired statutes this year. More states are sure to follow.
This year will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States. An understanding of what these new laws are getting at, and where they are coming from, will create a foundation from which to analyze and understand their requirements, and those from new laws yet to come. Data privacy laws in this country and around the world are undergoing more changes and, frankly, there will be no turning back.
- Data Engagement Strategy
With the demise of third-party cookies, the need to collect data directly from your customers becomes critically important. The significance of first-party data is that it can provide a more precise and comprehensive account of customer behavior and preferences.
Let’s examine some key components of developing a comprehensive strategy.
- Ask about how often customers want to be reminded of privacy settings, consent to personalize websites, and reassurances
- Send privacy digest via email
- Ask customers to select their interests
- Pledge to collect customer data in a fair and honest way
- Create an internal policy governing how the agency verifies or authenticates individual rights requests
- Rename the “Do Not Sell My Personal Information” links to “Do Not Sell or Share My Personal Information”
After verification or authentication, any requests to update, delete, or access personally identifiable information should be handled quickly, as new privacy laws give these rights to consumers. People are concerned about how their personal information is collected and used online. So, securely store their personal information and restrict access to it in accordance with applicable laws and regulations. You should also use reasonable physical, electronic, and administrative safeguards to protect the information that you collect. For example, businesses can use industry-standard encryption technology, such as Transport Layer Security (TLS, the successor to the now-deprecated Secure Socket Layer, SSL), to protect sensitive information in transit; data at rest needs its own encryption and access controls.
Work with trusted third-party service providers who perform services on your behalf, such as payment processors, marketing and promotional agencies, and data analytics providers. Require these third-party service providers to implement reasonable security measures to protect personally identifiable information and to comply with applicable laws and regulations.
Regularly review your information security measures and practices to ensure they are up to date and effective. Also, commit to protecting the privacy of customers and visitors by not selling, renting, or sharing personal information with third-party companies for marketing purposes, unless you have obtained prior consent.
- Data Analytics Metrics
Google Analytics 4 (GA4) and other data analytics tools are working to comply with new data privacy laws. To comply with EU-focused data and privacy policies, GA4 has stopped logging or storing the IP addresses of EU users. Additionally, GA4 now offers a few more privacy controls, such as disabling the collection of Google Signals data, granular location data, and device data on a per-region basis.
In the future, privacy changes can lead to changes in metrics in certain publisher-direct channels. Measurements will incorporate universal phone and client IDs, as well as enhanced conversion tracking with robust event tag implementation and data-driven attribution using user data that can be anonymized with numbers.
- Focus Areas and Objectives
- Define clear examples of your focus areas: These areas can include data security, access control, data backup and recovery, and more. Each focus area should have specific objectives, actions, and measurable targets (KPIs) that are related to the security of the data.
- Think about the objectives that could fall under each focus area: Examples of objectives for the focus area of Data Protection could be: Enforce Data Security Policies, and Ensure Data Security Awareness.
- Set measurable targets (KPIs) to tackle the objective: KPIs should be specific and measurable, and should include an initial value and a target value. An example of a KPI for the focus area of Data Protection could be: Enforce data security policies compliance.
- Implement related projects to achieve the KPIs: Projects, or actions, are the steps that need to be taken in order to achieve the objectives and KPIs. These should be clearly defined and measurable. An example of a project related to Data Protection could be: Establish data security policies.
Identifying the various focus areas of the strategy is crucial in a data protection plan. Data security, access control, data backup and recovery, and other areas can be included. It is important to have specific objectives, actions, and measurable targets (KPIs) for each focus area that relate to data security.
The data protection industry is ever-changing. The amount of information and news can be overwhelming. You have to separate what’s most important from the noise. It’s impossible to focus on everything. To avoid being buried by the small things, start from the bottom line: what is your company’s risk tolerance? Don’t try to overdo it; be flexible and ready for new regulations and unexpected developments. Work within the parameters of the company’s risk tolerance and remember, we are only a phone call or email away!
Visit www.vladimirjones.com for more information. We’d love to hear from you!