Are privacy regulations truly effective in improving corporate privacy practices?

More privacy regulations are coming—that much is clear. In the U.S., we hear from the states that they do not want to sit idly by while the federal government procrastinates on passing a comprehensive regulation. Meanwhile, large companies are lobbying Congress for an omnibus regulation that will preempt the patchwork of state regulations. The recent outcry to break up the big tech companies will likely lead to more lobbying by these deep-pocketed companies to pass a regulation that pacifies politicians and consumers. Internationally, we see different countries taking steps to enact new or update existing regulations that are more in line with Europe’s GDPR.

However, are omnibus privacy regulations like the GDPR, PIPEDA in Canada, or recently POPI in South Africa, to name a few, truly effective at improving the privacy practices of companies? The problem with such regulations is that they are so high-level and address so many topics that they don’t yield true compliance, but rather a more superficial response.

Look at the GDPR. Yes, companies have updated their notices, and we certainly have to consent more often to cookies every time we visit a website but do companies that claim to comply with the GDPR really have better control over the petabytes of personal information they process? Do they know under what notice the personal information of different individuals was collected? What obligations apply to different data subjects? When those companies receive a data subject access request, do they really look across their systems for the data? Do they know which of their many processors have access to GDPR-impacted data? The list of questions about effective compliance is long, and the answer to the questions is often no.

Enforcement does not seem to encourage a real change in how companies treat data. We see headlines about big online companies being fined, but most companies tend to think that enforcement is for the edge cases of leading global brands, rather than the marketplace as a whole.

Even when regulators do enforce some aspects of these laws, they don’t go for the real data details; because more often than not, they either don’t understand the details or don’t have the capacity to dig deep—or they don’t believe they could expect any major change even if they were to dig deep. As a European regulator told me recently when I asked why his agency does not call out companies about not even knowing where all their personal information is: “We don’t want to discourage them.”

Regulations can be made more effective in changing companies’ attitudes and behavior by adding implementation specifications to make regulations “stick.” Here are a few ideas on how the right degree of specificity can make a difference in privacy regulations…

Make it about the data—all of it

Regulations tend to focus on the individuals and the actions companies will need to take once the regulation comes into force. That leaves a lot of legacy personal information taking a lower priority in any compliance preparatory work. To be effective, regulations should require companies to take steps to find all the personal information that may exist or be processed (or hidden) across their enterprise—to know who it refers to, why and when it was collected, how relevant and accurate it is, where copies are kept, and whether it is protected appropriately. The regulations should also be clear about what companies should do with personal information that cannot be validated to that extent.

Make it real with sector-specific requirements

Effectiveness in privacy management can vary greatly between industries. A regulation that calls for the development of industry-specific implementation requirements can be helpful for both the implementing companies and for the regulators that need to enforce those regulations fairly.

Take a cue from the SoX model

Section 404 of the Sarbanes-Oxley Act set high-level requirements for the handling of financial systems of publicly traded companies. To operationalize these requirements in a manner that meets these regulatory requirements with consistency, the market—with encouragement from the regulators—adopted a detailed framework of controls: Control Objectives for Information and related Technology (COBIT). This control framework allowed organizations to design and implement effective controls for their accounting and financial systems and their auditors to test the effectiveness of the controls and attest to it. Why can’t we have a privacy COBIT to follow? A detailed privacy controls framework, one that is regulation-agnostic but addresses the implementation of common privacy principles, can bring about the effective regulations we need.

Recommended Reading:

On the need for effectiveness in privacy and data protection

Businesses are spending on cybersecurity, but failing to implement basic cybersecurity practices
Just 36% of UK IT leaders are confident that their company’s current IT systems provide adequate protection against cyberattacks.
Verdict

As 5G Technology Expands, So Do Concerns Over Privacy
More privacy risks with 5G raises the need for more granularity in privacy controls.
Wall Street Journal (WSJ)

Organizations should be doing more to achieve privacy accountability
When it comes to monitoring internal performance in relation to data protection standards, many organizations were found to fall short.
ICO

NIST’s Privacy Engineering Collaboration Space
The U.S. National Institute of Standards and Technology has launched its Privacy Engineering Collaboration Space, an online portal where practitioners can help develop open-source tools, solutions and processes.
NIST

ICO’s McDougall: ‘We’re losing a battle for trust,’ but there’s a solution
People are losing trust in modern business and innovation. The reason? “Every time we create something cool, we are not bringing people with us. This trust deficit widens and widens.”
IAPP

Virginia proposes new privacy statute imposing ‘duty of care’
Businesses must take reasonable steps to demonstrate duty of care by disposing of customer records within their custody or control.
IAPP

https://www.cyberscoop.com/third-party-risk-cybersecurity-nist-800-171-sig-questionaire/
CISOs are moving to an assessment model that requires vendors and corporate partners to verify their practices work as intended.
Cyberscoop

Most Companies Aren’t Ready for California’s Tough New Privacy Law
Companies will have to create complex tools that will identify the data they collect, organize it, and give consumers easy-to-use technology to delete it.
Fortune

More on the calls to break up big tech

Elizabeth Warren Calls for Breakup of Amazon, Google, Facebook
Democratic presidential hopeful puts the spotlight on antitrust in tech industry ahead of 2020 campaign.
Wall Street Journal (WSJ)

Facebook, Google and other big tech giants are about to face a ‘reckoning,’ state attorneys general warn
Some of the country’s most influential state attorneys general are signaling they’re willing to take action against Facebook, Google and other tech giants, warning that the companies have grown too big and powerful — and that Washington has been too slow to respond.
Washington Post

Apple launches major ad campaign touting privacy practices
Apple is launching a major advertising campaign highlighting its handling of user privacy as the company hopes to set itself apart from other tech giants.
The Hill

TRIAL OFFER!

DgSecure OnDemand Free Trial