How COVID-19 Transformed Data Privacy

essidsolutions

The global health crisis has pushed data privacy and compliance to the top of the list. Hilary Wandall, SVP, Privacy Intelligence and General Counsel at TrustArc highlights four major considerations around data privacy for IT leaders and how their approaches might change as a result of COVID-19.

Early in 2020, the COVID-19 pandemic, regulations like GDPR, CCPA, and pending U.S. federal and state legislation began teaching us that privacy compliance is not a one-off project. Too often, companies approached compliance as a “check-the-box” activity whenever a new regulation arose. This patchwork method didn’t address a fundamental fact: privacy regulations are constantly evolving as the data they regulate proliferates and companies use an increasing variety of systems and platforms. As the new year came into view, organizations were moving to adapt to the changes new regulations promised.

The global pandemic of COVID-19 has caused significant changes throughout society, including short-term considerations for data privacy. We can expect that business leaders have very different considerations about their privacy program now than they did 90 days ago. Even programs that were built to handle proliferating legislation at scale need revisiting.


Due to the global-health crisis, many companies have adopted or enhanced remote-work policies. While the shift to remote work is a necessary step, the practice also raises a number of questions, including:

  • What additional data can organizations process about their employees, particularly as relates to their health?
  • How do employers ensure good data protection and governance practices for employees working from home?

Below are four major considerations around privacy for business leaders and how their approaches might change as a result of COVID-19.

1. Pursue and Develop a Single Privacy Strategy

Before the novel coronavirus swept the globe, companies may have been focused on operationalizing privacy compliance at scale through the use of people (such as third-party privacy consultants), processes, and technology to help automate compliance processes. IAPP research suggests that a majority (56%) of companies were also working toward a single global data-protection-and-privacy strategy.

We suggest that companies continue to pursue a single unified strategy when it comes to privacy and compliance that allows them to move forward in the new normal. Developing a strategy and implementing a program that brings privacy considerations into every aspect of business operations is essential. The strategy should take care to address future worst-case scenarios, including how the organization will proceed to re-open and what it will do if it must adjust to a fully remote workforce.


2. Individual Rights and User Control will Take Center Stage

Of all the components of privacy compliance, individual rights and user control are getting the most attention from legislators. This is happening because the public is waking up to what’s happening with their data, and they aren’t happy. Thoughtful states, including Washington, and some federal-level proposals recognize the pivotal roles of organizational accountability and risk management in addressing the root cause of public concerns.

Before the pandemic, the hope was that organizational leaders would place a greater emphasis on individual rights and user control into their privacy programs. The idea of contact tracing will add to the discussions about individual rights. Many countries that have so far kept the virus relatively in check have implemented rigorous tracking protocols, to better understand where individuals have been and with whom they may have been interacting. While these practices are helpful for global health, they have the potential to cause overreach and trigger misuse.

It is important for privacy professionals and business leaders to remember that, even, and particularly, in times of crisis, the law still applies. However, in many jurisdictions, regulations permit organizations to process additional data to assist public health efforts. Businesses must now weave into their privacy programs an understanding of how they can keep employees and the greater public healthy without overstepping regulatory boundaries.

3. Culture Shifts will Help Determine Privacy Strategy Outcomes

Organizations were ideally pushing for a shift in corporate culture around privacy before the pandemic. This transformation was required because consumer attitudes and expectations have changed. For example, the Millennial Consumer sees their privacy as circumstantial (“I will surrender personal data for value in return”), but they expect immediate control or access to their personal data when circumstances change. Younger consumers expect robust security and data protection throughout the life cycle of their personal data, as well as transparency and respect. Organizations must develop mindsets that understand and can appropriately address these demands.

COVID-19 shouldn’t change companies’ pushes to operationalize privacy mindsets. The pandemic will, however, force leaders to reconsider how they push for this mindset shift. Some organizations have already had to determine if employees have contracted the virus, and others will likely have to do so in the future. Organizations should show restraint by only processing the minimum personal data necessary to carry out their obligations related to the safety of the workforce, customers, and the public. The mindset shift leaders urge must now take this new environment into consideration.


4. Sanctions will Force Some Companies’ Hands, Just Not Quite Yet

Many experts have been less than impressed by the enforcement action taken by EU data protection authorities under the GDPR so far, while understanding that complex investigations under a new law take time. Before the COVID-19 global pandemic, we expected to see a lot of cases decided, and many with serious sanctions. As a result, we expected to see organizations that had not cemented their privacy compliance practices turn serious attention toward demonstrating compliance.

Now that state governments and the U.S. federal government have a more pressing concern, it is unlikely that we will see regulators hand down privacy legislation-related sanctions in the foreseeable future. This should not stop organizations from pursuing holistic scalable privacy programs. Governments will eventually pursue privacy law-related punitive efforts. Organizations that build a framework for scalable privacy will be more likely to avoid sanctions and also to earn a competitive advantage.

Companies that Adapt Now Can Gain Significant Competitive Edge

Privacy is not solely an issue for individual organizations and the people who are their customers. Privacy compliance is a concern central to the global dialogue around trade, security, and other elements of relationships between nations involving data use and data flows.

With an unprecedented pandemic before us, business leaders are being forced to think quickly and make decisions on the fly, many of which concern privacy. COVID-19 is changing how organizations approach building scalable privacy programs. If leaders remember anything while they tweak and continue to build their programs, it’s this: transparency is crucial. Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process and for which reasons.

As data sources and data grow in scale and regulations proliferate and change, privacy compliance will become more complicated. Organizations that operationalize a data-centric, scalable privacy program stand to not only avoid the risks of non-compliance, but they may also afford themselves the ability to turn compliance into a competitive edge, even during a disaster.
