New Decade New Strategies: 5 Privacy Regulation Action Steps to Take in 2020
January 14, 2020
It’s a new year – and a new decade – and major scenarios abound for corporate decision-makers tasked with privacy management going forward.
That group includes compliance officers, risk management and security executives, and data analysts responsible for the dissemination, storage, and management of sensitive company information.
In fact, the company management of personal and institutional data is deemed the biggest privacy risk for 70% of global companies, according to Gartner. That’s up from just 10% two years ago.
Couple that with the emergence of new data protection and privacy mandates – like the European Union’s General Data Protection Regulation (GDPR) and the brand new California Consumer Privacy Act of 2018 (CCPA), which seek to bolster protection of individuals’ personal data – and corporate data managers will have their hands full in 2020.
“Multiple countries are implementing regulations inspired by the GDPR principles, a movement that is likely to continue into the foreseeable future,” notes Bart Willemsen, a senior director analyst at Gartner. “These privacy requirements dramatically impact an organization’s strategy, purpose, and methods for processing personal data. Furthermore, breaches of these requirements carry financial, reputational and regulatory implications.”
That isn’t hyperbole. If EU companies run afoul of GDPR regulations, they’ll face financial penalties of either 4% of their annual global revenues or 20 million Euros in fines. The CCPA calls for cash penalties of between $2,500 and $7,500 per violation, with no ceiling on the number of fines the state attorney general can levy on California companies.
Data Protection Issues and Actions in 2020
In that context, what trends are developing and how should companies properly manage changes, threats and opportunities revolving around data privacy issues in the new year (and a new decade)?
These five action items should be at the top of any data privacy “to do” list:
Do your due diligence – and do it daily. Stricter data privacy regulations call for more disciplined research and study.
Consequently, stay abreast of data privacy news by establishing a daily alert via Google News, and use it as a pipeline for fresh updates on data compliance news and regulations. Regulatory compliance officials and other C-Level executives can also join the burgeoning number of data privacy groups like the International Association of Privacy Professionals, which can also provide news and updates. Additionally, other members can act as a sounding board to provide counsel on data security trends and issues.
Pull back the lens on company-wide data privacy management. Company managers responsible for data privacy should take an “upstream/downstream” view on securing company data, to better protect customer data privacy. That not only means knowing where your company’s data resides at all times and knowing who makes use of it; it also means understanding how that data is protected.
For example, those responsible for company data should never grant third parties access to it without proper vetting and without fully understanding how the outside party will use that data.
As 2020 dawns, the era of a wild west mentality, where too many “unknowns” get access to company data, is clearly over. A full-scale upstream/downstream approach to data privacy management will let any interested party know there’s a new sheriff in town.
Stay ahead of privacy management tasks. All too often, companies trying to keep up with new risks and compliance regulations wind up falling behind – often inadvertently. Software updates aren’t addressed, management talent comes and goes, and profit-generating company initiatives wind up taking all the oxygen out of the room, elbowing data privacy initiatives out of the picture. Don’t let that happen to you in 2020, a year in which the risk of regulatory action grows substantially higher.
That means getting out of “catch-up” mode and making sure data protection is an ongoing, even daily management task.
Put a good team together and have a contingency plan in case a key manager or staffer leaves. Assign an IT specialist to make sure your company is keeping pace with regulatory software updates and deadlines. Have a data privacy task force manager responsible for checking in on a regular basis with updates and potential issues to cover. Schedule regular audits of company data sources and require their owners to prove that their data management processes are compliant.
Now, more than ever, data privacy management is a “front-of-the-store” priority – and allowing it to slip to the back of the company task management list is a recipe for failure.
Get good regulatory compliance help. If you don’t have a compliance officer on hand (and in this regulation-heavy era, you should), hire an outside consultant who can help manage your company’s data privacy management process. A regulatory specialist steeped in the intricacies and nuances of ever-changing data privacy regulations and rules can help you steer clear of trouble, and can wind up paying for themselves as your data risk management strategy starts paying dividends.
Find a good third-party risk management specialist by asking business partners and acquaintances for leads, checking regulators’ updates and newsletters, or by attending regulatory technology meetings, dinners, and conferences and gathering information.
Establish a company digital ethics board. These days, it’s not enough to only have a risk management and compliance team working on data management issues. Too often those teams are mired in the day-to-day tasks associated with data compliance, and there’s no time to take the long view.
That’s where a digital ethics board can help.
Big-picture issues related to data privacy – artificial intelligence, machine learning, and blockchain, among other game-changing trends – require a robust, long-term ethical policy. Key areas to cover with your data ethics task force include the intended use of data under new technologies, managing potential company-wide bias in how data is used, and how the never-ending flow of corporate data should and will be governed over the long haul.
Given the increasingly onerous regulatory climate data managers face, these considerations aren’t a luxury – they’re a necessity.
Asif Alam
CEO & Board Member
Asif Alam is the Chief Executive Officer at Compliance.ai. A leader in shaping disruptive technology, his experience includes building products using AI and natural language processing for GRC, payments, lending, risk, trading, and new solutions, from Fortune 500 companies to startups.
In his most recent role, he served as the Chief Strategy Officer of ThoughtTrace, unlocking new revenue streams and markets and reigniting portfolio growth. ThoughtTrace was then acquired by Thomson Reuters in 2021.
He brings more than 20 years of management and business experience: increasing profitability, unlocking new revenue streams and markets, and reigniting portfolio growth for companies like Thomson Reuters, Crux Informatics, and Finastra. Asif is a forward-thinking expert driving engagement via client forums, public presentations, and white papers.