The transparency-induced pain of the GDPR and CCPA
Mar 14, 2019
Reading the news about data protection and privacy in the first two months of the year suggests that companies are responding in a very human way to the pressures of new privacy regulations. Whenever we (humans) are faced with a new threat or painful experience, we become suspicious of the possible causes of those threats and pains and start looking for new ways to avoid them—so we can go back to the way things were before, back into our comfort zones. Let’s face it: without threat or pain, there would be little to no innovation in the world.
For example, when it was determined that high cholesterol increased our risk of heart disease, pharmaceutical companies invested significant resources in finding new medications that would let us continue to eat the fried, sugary foods we love so much. When the highway patrol started using radar guns, manufacturers created radar detectors so we could avoid speeding tickets. Now, while the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the result of a threat to personal data privacy, they are also threatening the very lifeblood of digital business—and innovative companies are starting to respond.
GDPR and CCPA require a new level of transparency that poses a threat to the way companies handle personal information. Both regulations bring greater weight and compliance challenges to an old privacy transparency principle, commonly referred to as Data Subject Access Requests (DSAR). Beyond DSAR requirements, the GDPR adds another dose of painful transparency with breach notification requirements. While California already had a breach notification regulation in place, the CCPA requires an additional level of transparency in how companies share personal information with third parties. It forces companies to open up about areas of the business they would have preferred to keep secret: the inappropriate handling of information and the widespread sharing of personal information with vendors and partners. Our current predicament with GDPR and CCPA is leading companies to innovate in search of solutions that will allow personal information to flow with limited consequences.
We should remember that privacy regulations have put us on a similar path before. In 2003 California passed the first breach notification regulation in the US, soon to be followed by 47 other states. Reputable companies found themselves on the front pages of newspapers, having to take responsibility for poor information-handling practices. The pain and embarrassment of breach notification had to be contained, so innovation quickly followed with a solution—Data Loss Prevention (DLP) technology. DLP is far from a panacea for breaches, but it was the common solution companies adopted so they could feel comfortable enough to continue to operate quickly and efficiently with data as before.
There is a race going on today to develop a winning technological approach to the granular control of personal data required by the GDPR and CCPA. What solution will take the lead in addressing these operational pain points, just as DLP did for the breach notification requirements of the early 2000s? For now, it is too early to tell, but this blog will keep tracking it.
More on the GDPR and CCPA
Over 59,000 data breaches reported in EU since GDPR
In January, we learned that since the GDPR went into effect in May of 2018, close to 60,000 breaches were reported in the EU—a rude awakening for those of us under the impression that personal information is better protected in the EU than in the US.
On data privacy, state AGs say they’re following California’s lead
In this article from State Scoop, we learn that CCPA may be contagious, as other states are getting ready to enact similar regulations.
Senate Banking panel kicks off talks on data security bill
This article from The Hill indicates that leaders of the Senate Banking Committee recently kicked off a push to write stricter data collection and security standards for financial institutions. The Committee asked for input on ways to give consumers more control over the personally identifiable information collected by both financial firms and regulators.
Fake DSARs: They’re a thing?
In this aptly titled article from the IAPP, we learn about the operational challenges faced by organizations as they are addressing DSARs.
With pain comes suspicion
Apple’s Cold War Over Privacy Turns Hot
In these two articles we see the impact of regulatory pressure on the relationships between business partners. The first article from the Wall Street Journal focuses on Apple and the steps it takes against business partners that reach for too much data through their devices.
Wall Street Journal
UnitedHealthcare to stop sharing claims data with HCCI
The second article covers a similar situation where UnitedHealth Group is taking steps to protect personal health information. As UHG’s spokesperson says in the article, “Many companies are revisiting their partnerships to get ahead of any potential risks.”
Becker's Hospital Review
Looking for solutions
Privacy Ops: The New Nexus for CISOs & DPOs
This article in Dark Reading approaches recent challenges from an organizational governance perspective and calls for a formal separation between privacy compliance functions and “Privacy Operations.” While many organizations already take steps that can be described as Privacy Operations, the article does make a good argument for why formalizing these roles and providing them with adequate resources can be an important part of the long-term solution we seek.
The post-digital era is upon us
In a new research report about the post-digital era, Accenture suggests that the tools we need to adopt to be commercially successful can also provide the greater control we need over personal information. The report speaks of the requirement to control personal information at the identity level to compete effectively for the individualized experiences consumers crave. If companies are incentivized to clearly distinguish between their consumers in order to win more business, the ability to control data for privacy compliance purposes would no longer be aspirational.
Popular Apps Cease Sharing Data With Facebook
This Wall Street Journal article reviews the reaction of app companies to news coverage about their sharing of sensitive information with Facebook. While a Facebook spokeswoman said that such data sharing is “industry-standard” practice, several app companies were quick to announce that they will stop that sharing. With privacy solutions in mind, the more interesting part of the article is Facebook’s response to the matter, saying it is working on new systems to detect and block uploads of such information by apps.
Wall Street Journal
Cisco 2019 Data Privacy Benchmark Study Shows Organizations Gaining Business Benefits from Data Privacy Investments
And to close on a positive note that touches on both the notion of Privacy Operations as a new professional path and the post-digital market direction focused on greater control over personal data, we have Cisco’s new data privacy benchmark study. The study provides evidence of ROI for companies that invest in privacy, from using privacy as a competitive differentiator to the benefits of shorter sales cycles.