A proactive approach to privacy can reduce risks and add value to your business

What does it mean to be proactive?

Merriam-Webster’s Dictionary defines proactive as: “Acting in anticipation of future problems, needs, or changes.”  In the realm of privacy, proactivity is a spectrum.  At the least proactive end is implementing changes only after receiving a letter from a regulator.  A step up from that is implementing changes before a law’s compliance date arrives.  At the most proactive end are novel approaches to privacy that go beyond compliance altogether: not just meeting the rules, but trailblazing.

Why should my organization be proactive about privacy?

Proactive privacy approaches are an opportunity to generate value (carrot) or limit risks (avoid the stick).

The General Data Protection Regulation (GDPR) [European Union], for instance, protects privacy with the threat of a very big stick.  A company that infringes GDPR can be fined up to 20,000,000 Euros or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.  20,000,000 Euros is already a hefty fine, but for a large company the 4% figure can be many times greater.

With that looming threat, data controllers and processors have to ask themselves, “Is my organization compliant?”  The answer to that question isn’t always clear.  GDPR requires “appropriate” technical and organizational security measures, and the California Consumer Privacy Act (CCPA) [USA] requires “reasonable” security procedures and practices appropriate to the nature of the information.  The Lei Geral de Proteção de Dados Pessoais (LGPD) [Brazil] requires security measures that are able to protect personal data.  There will usually be some ambiguity about whether these provisions have been satisfied, so it is prudent to leave as little doubt as possible.  If you have very advanced security measures in place, a breach is much less likely (and under the CCPA, the private right of action is triggered by a breach of unencrypted or unredacted personal information, so preventing the breach prevents that exposure), and you will also have a much more defensible claim that your security measures are “appropriate,” “reasonable,” or able to protect personal data.

Okay, I get it.  It’s important to be compliant with privacy laws.  I’ll cross my t’s, dot my i’s, and make sure to be compliant.  Isn’t it enough to be compliant?  Why should I be proactive?

It isn’t necessarily enough to just be compliant.  You can be adjudged compliant and still suffer a data breach.  If you do, there will be unhappy individuals whose data has been stolen.  Their eyes will glaze over when you explain the details of your compliance with the law, but the visceral anger at your failure to protect their data will remain.  That can be devastating to a brand’s reputation.

Your reputation can also be significantly influenced by your privacy practices.  Just as a privacy-related scandal can harm your reputation, consumer-friendly privacy policies can enhance it.  Apple Inc. is an example of a company that uses its proactive privacy approach to attract and retain consumers.  It is known for treating user data differently from other big tech companies, and that stance contributes to a very loyal customer base.

Ultimately, each organization gets to decide for itself whether its privacy practices will be a liability or an asset.

So how can my organization take a step in the right direction?

An excellent way to progress towards proactivity is to complete a privacy impact assessment (under GDPR, a data protection impact assessment, or DPIA).  This will help you identify your organization’s weaknesses and think through proactive changes to your privacy practices.  It is also an important step towards compliance with the CCPA, the Virginia Consumer Data Protection Act (VCDPA), GDPR, and LGPD.  Clarip has templates and guidance for completing privacy impact assessments for whichever law you need to comply with.  Additionally, our automated data mapping can show you the lay of the land so you can better understand your organization’s data privacy challenges and opportunities.

Why else should my organization be proactive?

Privacy is an evolving landscape.  The passage of GDPR by the European Union prompted other countries to think about privacy, and globally those thoughts are starting to bear fruit.  Outside of Europe, Australia, Canada, China, Mexico, South Korea, and many others are enacting or expanding data privacy laws.  Taking a more privacy-progressive approach can curtail the need for iterative changes whenever a new privacy law is passed.  By being proactive about privacy, you may not need to make any significant changes to adjust to new laws, because the procedures already in place leave your organization ready to comply.

New laws aren’t the only drivers of change in the field of data privacy.  Sometimes technology or industry standards change in a way that shifts data privacy expectations.  What counts as an “appropriate” safeguard will certainly change as technological developments increase risks and as better security capabilities become available.  Currently, encryption is a gold-standard approach to data protection.  However, a sufficiently large quantum computer running Shor’s algorithm would break the public-key algorithms in use today (RSA, Diffie-Hellman, and elliptic-curve cryptography), which underpin TLS, key exchange, and digital signatures; symmetric ciphers such as AES and hash functions are weakened far less and can be kept safe with larger key sizes.  Nobody knows whether that machine is years or decades away, but data with a long confidentiality lifetime is exposed today to “harvest now, decrypt later” collection, and NIST has already published post-quantum standards to migrate to.  A practical first step is an inventory of where and how your organization uses cryptography, so that algorithms can be swapped without re-engineering every system.  If your organization plans ahead, it can avoid the pain of being forced to adapt by changing laws, standards, and/or technology.  Make the changes on your terms, not theirs.

Privacy Conclusion

It’s important to realize that bare-minimum compliance may not be the right stopping point for you.  Being proactive with privacy adds value and reduces risk, and each incremental privacy improvement has benefits.  Determining the optimal level of privacy protection will require an intimate look at your operations and some thought about your big-picture goals.  Consult with Clarip, so we can help you find the right fit for your data privacy goals.  We encourage customization; if you think outside the box, we can help!  Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.