A new study found that 95 percent of CIOs say their role is expanding to include new responsibilities in cybersecurity (64 percent), data privacy/compliance (49 percent), and customer experience (46 percent).
This makes sense, given the recent privacy compliance regulation policies like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). The stakes for corporate trust and brand reputation are at an all-time high, so how can CIOs make compliance a top priority while balancing other business and IT needs?
The tsunami of personal data breaches has been a driving force of these new pressures: The top 15 incidents from just the last 20 years have compromised more than two billion user accounts. As a result, regulators have increased their focus on personal data privacy, and GDPR-like legislation is finally making its way across the Atlantic with the rollout of the CCPA.
Nevada and New York have introduced their own privacy regulations. Canada and Mexico, as well as Texas, Washington, and many other U.S. states are actively watching the upshot as personal data protection takes hold in California. If this trend of state-level privacy laws continues, CIOs and IT teams will be responsible for implementing the ins and outs of each state-wide law — meaning all data they store must remain compliant across the board.
To prepare for the year ahead, here are five things CIOs need to know about privacy compliance in 2020:
1. Customer trust wins out
Consumer trust or brand perception can be significantly impacted by privacy and compliance issues, but this business function is often overlooked because CIOs and IT leaders are constantly moving at a fast pace, with one common desire: to innovate. However, the stakes are too high for the consequences of data breaches to be neglected. For example, the year following Target’s breach in 2014, the retailer’s brand perception experienced a 54.6 percent decline.
The aftermath of a data breach at a large corporation can lead to a lot of internal finger-pointing. Often the responsibility falls on the IT team, due to unforeseen flaws within the technology infrastructure or a lack of security protocols. The financial impact and the significant damage to brand loyalty are two key factors that create tension between departments. To put a price tag on the damage, a recent study found that a lack of customer trust costs brands $2.5 trillion per year.
To remain competitive, business leaders must understand that the costs of a data breach go far beyond legal and settlement payouts, with effects that will impact business goals for years to come. Therefore, when complying with regulations such as CCPA, companies can also see these efforts as a way to earn trust by establishing processes to protect customer privacy and data.
2. The impact of compliance regulations and missing deadlines
CIOs and IT leaders need to recognize the full impact that compliance regulations have on businesses: Frankly, failing to do so could cost you your job. CCPA imposes stiff penalties on those that misuse and resell consumers’ private information, and these fines are only going to become more stringent. This includes a company’s failure to recognize the business value of bringing privacy compliance data together. Overlooking this approach will hurt in the long run because IT teams won’t benefit from the power of connected data and how it supports cross-functional departments for business analysis.
The CCPA went into effect on January 1, 2020; however, enforcement of the law won’t begin until July 1, 2020. Between now and then, it’s a mistake for companies to adopt a “watch and wait” approach. Instead, I recommend using a first-mover advantage to differentiate your brand against the competition.
Companies that don’t comply with the CCPA face a maximum penalty of $7,500 and a minimum of $2,500 for each event. At first glance, this may not sound steep, but consider that consumers are also paid between $100 and $750 per person per event, so the financial impact climbs quickly with the number of affected consumers.
3. Gaining visibility and understanding data access controls
It’s essential for CIOs and IT leaders to understand how their IT department is storing private consumer information, and most importantly, who has access to it. This involves data organization, which can be difficult at first but in the long term has other advantages, like connected data (as mentioned above).
Understanding data access controls includes providing the right levels of transparency and traceability for personal information. Once consumer data is collected, it will inevitably move across the organization. Every such movement, whether through internal or external systems, needs a comprehensive tracking mechanism so that personal data remains fully visible at all times.
To meet the personal privacy requirements of CCPA, GDPR, and other regulations, I recommend that CIOs and IT leaders answer these questions:
- Data elements: What data do you have? Where is the data stored? Why do you have the data?
- Data sources and uses: How and when did you obtain the data? How does the data travel through your systems? Do you have permission to use the data, and for what purpose?
- Data security: Is the data secure? Who has access to the data? Does the data ever cross international borders?
Now you're ready to take a data inventory and pick a framework: