California's new data-privacy law, the California Consumer Privacy Act (CCPA), is a wake-up call for the U.S. technology industry. The new law, written in just three weeks and rushed through a legislative vote, takes effect on Jan. 1, 2020. Companies now realize that laws similar to the EU's General Data Protection Regulation (GDPR) are going to be enacted here in the United States.
In fact, over a dozen state legislatures now have laws similar to CCPA at various stages of development. Even if a company has no California residents among its customers, it will still need to be able to manage data in compliance with the data-privacy laws coming from other states.
At Slalom, we're helping companies across the country and in many industries manage their data to comply with CCPA and any other applicable laws. Often, these companies are pleasantly surprised to learn that improving data governance for data privacy will help them to not only comply with regulations, but also improve their visibility into customer identities and behaviors, rationalize their technology, better integrate their data sources, and create new opportunities for better customer service.
Protecting consumers' data, it turns out, is more than another checkbox item for the compliance team. It's a new strategic opportunity for revenue growth and competitive differentiation.
Consumers are tired of having their data leaked in data breaches. They value their privacy, which seems to be eroding further every day. As a result, many consumers will give their business to organizations that demonstrate they take consumers' privacy seriously.
Our work at Slalom includes helping companies comply with privacy regulations like the CCPA as well as helping these companies realize the strategic benefits of championing privacy for data-breach-weary consumers.
7 Best Practices for Managing Data Privacy for Compliance and Growth
To put these ideas into action, here are seven best practices for managing customer data and data privacy for both regulatory compliance and business growth:
1. Assemble a cross-functional team
You may think data-privacy laws primarily concern the IT security team and perhaps Legal. But they're not enough. At a minimum, leaders from IT security, legal and marketing should all be involved.
Be sure to assemble this cross-functional team when the project begins.
Expect the marketing team to show up reluctantly at first, as they might not immediately appreciate the value they'll receive when the company executes on its vision for compliance. But their reluctance typically turns to enthusiasm once they realize the project is going to deliver better customer insights and an opportunity to build the company’s brand.
2. Get legal advice from lawyers, IT advice from IT companies
We strongly recommend that you refer to counsel, either inside or outside your company, for advice about the details of specific pieces of data-privacy regulation. IT consultants and vendors can provide technology and data-privacy guidance.
3. Launch a discovery project to discover what customer data you have
Most companies can't identify all their customer data; even if they can, they probably don't know where it’s located. But you can’t manage, analyze or delete data if you don’t know where it is. So the first phase of any data-privacy compliance project should be data discovery.
Paying attention to existing data integrations and mappings can help. Look for fields such as FirstName and LastName. Then you’ll see where your data goes once it leaves CRM and other core applications.
4. Integrate data sources to develop a fast, easy and repeatable way of communicating what data you have to customers
Once you’ve identified where your company stores customer data, it’s time to decide which of those data sources you'll continue to support, which you'll combine or deprovision, and how the supported data sources will be connected. To make it possible for California consumers to review their data and submit deletion requests, you'll need to connect all these data sources to a web front end and, most likely, to a call center, too.
For connecting data sources to one another or to a customer-facing front end, the unified Boomi Platform comes in handy. Boomi's low-code development environment, built-in crowd-sourced intelligence for integrations and transformations, and ability to connect to over 1,500 endpoints mean you can quickly build the connections you need to your customer data, wherever it resides.
One of the key steps in data governance is master data management. Read our previous post on multi-mastering data to ensure your data is synchronized across multiple applications.
5. Build a Minimum Viable Product (MVP)
An MVP is a bare-bones solution for meeting a set of requirements. The MVP concept comes from Agile software development, which we've previously talked about in this blog post. An MVP lets you comply with project requirements – in this case, CCPA regulations – while making only minimal investments in time and capital.
This is true even if part of the compliance MVP relies on manual processes, such as routing requests by email or paper. Later, you can build in more automation and sophistication using a workflow platform such as Boomi Flow. But for now, with regulatory deadlines looming, the MVP gives you a workable process for discovering data and fulfilling customer requests within the mandated timelines.
6. Develop a strategy for 'Privacy by Design'
With new regulations taking effect and customer sentiment shifting strongly in favor of data privacy and data security, you can no longer consider data privacy something to be tacked on to your enterprise architecture. Instead, privacy needs to be considered in every IT project, a policy known as Privacy by Design.
Projects must be designed to support privacy and regulatory reporting. Privacy strategies should be nuanced enough to rank the importance of data and data privacy for various customer personas. By adopting this policy, IT organizations will give privacy the strategic attention it deserves.
7. Build your brand
Let your customers know that you have a data-privacy system in place, and assure them that their privacy is now your priority. Americans care deeply about privacy. You can see this in everything from Apple's billboards touting encryption to interviews with exasperated data-breach victims. In one recent survey, nearly three-quarters (73%) of Americans said their concerns about data privacy have increased, and just over two-thirds (67%) said they want the government to do more to protect their data privacy.
One way to demonstrate that you understand these concerns is by complying with CCPA. This and other new regulations present you with an opportunity to earn customers’ trust. Practice Privacy by Design, and show customers that you take their privacy seriously.
Beyond Privacy to a Stronger Brand and Bigger Profits
Follow these best practices, and you'll not only be well on the way to building the IT infrastructure needed for regulatory compliance, but you'll also have:
- A more efficient and better integrated enterprise architecture
- A deeper understanding of what customer data you have – and how it can be used for better customer service
- An opportunity to strengthen your brand and demonstrate how you protect your customers’ privacy
Data privacy, instead of being an afterthought for IT, turns out to be key to improving a company’s efficiency, security and profitability.
T.C. Sutton, Slalom's practice area director for integration and automation, also contributed to this post.
About the Author: Jeremy Leonard