It is nearly impossible for organizations to be 100 percent compliant with their legal privacy obligations. Digital business ecosystems are constantly changing, creating new risks and areas of non-compliance. Meeting requirements and preventing breaches and incidents requires continuous diligence, and while some organizations take this seriously, others meet compliance once and say, “Whew; we’re done!”
5 data privacy mistakes to avoid
Even the most diligent organizations overlook some privacy issues. Here are five privacy mistakes no organization should make.
1. Addressing privacy only occasionally
Failing to perform ongoing privacy management activities is the most common mistake organizations make. I’ve helped hundreds of businesses of all sizes with privacy management activities, and the most common statement I hear from CxOs is, “We performed a risk assessment, have policies and procedures, provide new employee training, and use privacy clauses within third-party contracts. We’ve met our privacy obligations and don’t need to spend any more time or money on privacy.”
This laissez-faire attitude results in insufficient privacy and weak security controls and creates vulnerabilities as business changes occur. The subsequent risks may be exploited, resulting in security incidents, privacy breaches, bad press, lost trust, unhappy customers, and often, lawsuits. Auditors and regulators will identify these vulnerabilities, possibly resulting in significant non-compliance fines and penalties.
The ISACA Privacy in Practice 2022 survey supports this trend, reporting that only half of survey participants perform ongoing risk management and monitor compliance and enforcement. Only 33 percent address the risks of new technologies.
2. Believing data protection laws apply only in the location where they are based
This is a common misconception, and it’s a view that’s shared by too many lawyers – the ISACA Privacy in Practice survey reports that 50 percent of respondents have a skill gap in understanding the laws and regulations with which they must comply.
It is a mistake to act only on the laws that apply in the geographic location where the business operates. Privacy regulations and compliance obligations may apply to a company beyond those in force where it is located – for example, a company headquartered in New York might have customers in Europe, and European data privacy regulations would likely apply to that data in addition to any U.S.-based regulations.
This is a significant problem with breach response laws. A large number of U.S. organizations follow the requirements only for their own state or territory. There are at least 54 U.S. state/territory breach laws, so this belief could be very costly.
Privacy management programs should cover every law and regulation that applies to the individuals whose data the organization handles. They should also synthesize all of those requirements so that one set of procedures addresses the common obligations, with additional procedures for the unique requirements of specific laws.
Many organizations are also overconfident that they will not experience a privacy breach, which leaves them unable to respond effectively, efficiently, and fully when a breach does happen.
3. Believing compliance with one regulation equals compliance with all others
Complying with one major regulation will sometimes meet many requirements of other laws. However, there are differences, including unique requirements for specific laws that must be met.
For example, a California-based financial business that opened locations in the EU believed that CCPA had the same requirements as GDPR. So they took no additional compliance actions in their new EU locations.
Consider that GDPR requires organizations to have at least one of six acceptable legal bases to process an individual’s (aka data subject’s) personal data. However, CCPA generally does not require a legal basis for processing personal information, and there are several other differences.
It is a mistake to assume that CCPA compliance fulfills all GDPR requirements. This incorrect belief could result in significant fines, penalties, and lawsuits.
All organizations should understand that while there are many similar requirements for laws and regulations, there will usually be additional requirements to meet.
4. Noncompliance with the organization’s own privacy notice
I’ve done privacy impact assessments (PIAs) for nearly 20 years. At the beginning of each PIA, I gather the key stakeholders into a room. When describing the PIA goals, I ask the stakeholders (typically including the CxO): How many of you have read the privacy notice posted on your website? Usually, only 5-10 percent raise their hands. Then I ask those with their hands raised: How many of you ensure areas with obligations created by the privacy notice take actions to fulfill those obligations? Usually, all the raised hands go down.
If an organization’s business leaders don’t even know the promises in the privacy notices, the employees they manage will not perform the activities necessary to fulfill those promises. Hundreds of penalties have been issued under Section 5 of the FTC Act for not complying with privacy notices. For example, MyLife and its CEO faced fines of $33.9 million in December 2021 for deceptive practices and violating their privacy notice.
5. Not providing effective and regular privacy training
Most organizations do not provide sufficient and effective security and privacy education, and when they do, it rarely results in employees working in a more secure, privacy-protecting manner.
For example, gamification-based training is fun and can supplement training, but it usually does not address specific work activities. In addition to general privacy training, more frequent training should be provided covering a variety of topics specific to employees’ work activities. There should also be touchpoints between various trainings that remind employees to perform work activities in ways that support privacy and keep personal data secure.
The ISACA Privacy in Practice 2022 survey reveals only 13 percent provide quarterly training, and 13 percent don’t know if training is provided or indicate that training doesn’t occur.
Organizations should provide effective ongoing education that explains how to perform work activities that support privacy and safeguard data, or breaches and incidents will occur. Without awareness, organizations may not even know a breach has occurred until lawsuits are filed against them.