Seasons change and priorities change as we exit the dog days of summer and head into back to school timelines and waning days remaining of legislative sessions. This past month Shared Assessments Program Advisory Board Members and Steering Committee Members facilitated three separate educational events on privacy and third party risk in today’s dynamic landscape. Adam Stone and I kicked off the privacy dialog at an IAPP KnowledgeNet event; Brad Keller and I led a dialog at the August monthly forum call, and Norm Maley and wrapped up the month with a discussion on the BrightTALK channel on privacy developments.
So what did we hear? What did we learn? What do we need to study?
A common message is that when you combine privacy fines and enforcement actions with murky timelines for compliance to CCPA, risk professionals are confused on how to prioritize and focus their readiness efforts. Too much noise, chatter and confusion on privacy changes creates have put us into a bit of a state of analysis paralysis and confusion.
Here’s a quick recap of the top three “privacy hot topics” that shaped our discussions with attendees:
#1 Predicting CCPA enforcement timelines:
You’d think understanding when a state regulation comes into effect would be easy right? Wrong. There are subtle nuances to understanding the difference between the regulation being in effect and enforced. Here’s my crib sheet notes to summarize the key dates.
- The law goes into effect Jan. 1, 2020 and will be enforced no later than July 2020
- There up to 7 amendments to CCPA currently in motion within the CA state legislature by Sept. 13th, giving the Governor up to October 13th to sign or veto the amendments.
- The state AG has committed to publishing final rules in “Fall 2019” which given the rulemaking processing to allow 45 days for comment period, put us out to likely May 2020 as the earliest for full enforcement
The tricky question here – is that not all requirements under CCPA are dependent on the AG final rules. The right of private right of action is a good example. Plus the “look-back” obligations for responding to consumer data access rights goes back 12 months to Jan. 2019.
So how do you explain this to the C-Suite in your organization? Understanding CCPA and Planning for readiness address the “What” your organization has to know or study to be ready for being examined. The AG rules will provide the clarity on the “How” so you can prepare for the enforcement approach.
Bottom line – CCPA foundational readiness efforts for transparency of data use, sharing of data with third parties, and notices need to be past their midterms. The final AG guidance is simply the final exam after a year of privacy school.
# 2 Understanding changes to Privacy frameworks
While fines and enforcement are making media headlines, the common theme is figuring out privacy beyond just security controls in today’s digital landscape. Today’s digital disruption is bringing privacy obligations under new use cases and terminology, vs. focusing only on data protection.
ISO released its first International Standards for Privacy Information Management which specifies the requirements for establishing, implementing, maintaining, and continually improving a privacy-specific information security management system. NIST is on track to release the final version of its NIST Privacy Framework for comments and finalization by end of the year. The NAI has updated and released its self-regulatory requirements in an updated 2020 Code of Conduct for member companies. Changes are focused on the new products and technology used in digital advertising with updated obligations for companies’ data collection and use for digital advertising. Even the AICPA standards for SOC reports this year now include both privacy obligations and vendor/business partner risk management into the common control structure.
If industry acronyms and standards feel overwhelming, don’t worry, you are not alone. While each are focused on different areas of privacy definition, they all leverage common foundations for Fair Information Practices concepts and Generally Accepted Privacy Principles components. The frameworks and tools are mechanisms for both self-assessment and reviewing the maturity of your privacy program.
#3 Addressing differences in State Privacy Regulations
While California has the reputation to lead the way in privacy state regulations, other states including NY, MN, CO, NV and even Vermont have put their own stamp on privacy priorities. There are over 15 states with some level of privacy legislative activities, and over 7 have shifted the requirements on the definition of personal data. The Shared Assessments Q1 Blog provided the history and baseline facts about CCPA as the primary or study material.
Creating a checkerboard approach to privacy regulations can be inefficient and resource intensive, as we know given now a decade plus of state-by-state breach notification regulations. A common misperception is relying on exemptions or preemption as the sole compliance readiness approach. Even banking organization’s that have had programs in place for GLBA safeguards are not totally immune as aspects of CCPA apply to them. While states may take different approaches and timelines, responding requires an organization to assess, define, and deploy changes to procedures, standards and business processes.
CCPA, Privacy Frameworks, and State regulations are bringing privacy compliance and third party risk together from multiple perspectives. While the timelines are confusing, the best approach is to do your homework – be prepared by assessing the current state of how you address privacy risk.
- Identify the business processes that are impacted by changes to privacy regulations.
- Track which third parties’ access, process, store, or retain any classification of privacy data
- Prioritize your approach by reviewing your vendor inventory to identify the sub-set of third-party relationships that hat require stronger privacy oversight.
- Plan your approach and what resources you will need to implement changes on a quarter by quarter basis over the next 18 months.
- Create your elevator pitch to your C-Suite on what changes to privacy regulations mean to your organization and be able to convey in simple terms what you need for success.
The pace of privacy changes through either legislation or enforcement action is not going to slow down in the coming month. Risk professionals need to prioritize and plan to create repeatable processes and building blocks that can be leveraged across multiple drivers. Privacy pros and third party risk professional are becoming study buddies to address assessing all of these developments in the curriculum of privacy.