Becoming a Privacy-Resilient Organization 

By William T. Dykstra, CRMA, CIA; Pamela S. Hrubey, CCEP, CIPP/US; R. Michael Varney, CPA, CIA
Becoming a Privacy-Resilient Organization
With the proposal and passage of new legislation in multiple countries, the landscape for privacy and data protection is becoming increasingly complex. Educational institutions, not-for-profit organizations, and most businesses must adhere to new regulations.
Nearly 100 countries have enacted laws to protect privacy and personal data, and the vast majority are comprehensive laws that relate to personal data. (Exhibit 1) With threats to privacy and personal data becoming more pervasive in all areas of society, a steady increase in regulations is likely to continue. 

Exhibit 1: Highlights of privacy and data protection regulations

exhibit 1
Educational institutions worldwide have already become proficient in protecting the privacy of student records. Exhibit 2 shows the significant privacy protection laws that govern educational institutions and many not-for-profit organizations.

Exhibit 2: Privacy and data protection regulations in higher education

exhibit 2

The General Data Protection Regulation

Two recent regulations affect how organizations must provide individuals with even greater protection over their privacy and personal data. While one set of regulations protects EU citizens and the other set protects California residents, both regulations govern the interactions of any organization dealing with individuals who reside in those locations, no matter where that organization is based. 
The EU’s General Data Protection Regulation (GDPR) became effective in 2018, and it contains multiple requirements for organizations that process the personal data of EU citizens. GDPR compliance might require organizations to develop new processes (or enhance existing ones) for notification, consent, and data collection. Consent documentation must be written in language that is easily understood, and it must describe what personal data will be collected, how it will be used, and how and where it will be shared. In addition, a confirmed data breach must be reported to relevant authorities within 72 hours. Exhibit 3 is an example of a streamlined framework that summarizes GDPR compliance requirements.

Exhibit 3: Privacy and data protection-related organizational capabilities

exhibit 3
Many higher education and not-for-profit leaders might wonder if their organizations must comply with GDPR. In fact, GDPR is applicable to any organization responding “yes” to any of the following questions:
  • Do you conduct any recruiting or admissions activities either in the EU or with students residing in the EU?
  • Do you sponsor or administer any study abroad programs in the EU?
  • Do you recruit or hire faculty and staff residing in the EU?
  • Do you conduct research on human subjects within the EU or on individuals residing in the EU?

The California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 (CCPA) is the first U.S. regulation to take a comprehensive approach to privacy and data protection. Most prior U.S. regulations only provided a sector-based approach to protections. California is the first state to enact comprehensive privacy protections for its residents – consumers, patients, students, and employees. CCPA will become law on Jan.1, 2020, and will be enforced no later than July 1, 2020. Any organization that obtains personal information on 50,000 or more California residents annually, has annual gross revenues in excess of $25 million, or derives the majority of its revenue from selling California resident data must comply.

CCPA has been called the GDPR of the United States. It requires compliance from many organizations based in other states and countries. Under this regulation, California residents will have the right to request a record of their personal data held by an organization, to have that personal data erased, and to object to the sale of their information. Additionally, CCPA requires organizations to provide information on how the data is used and with whom it is shared. 

The law requires organizations to take proactive steps that include, but are not limited to: 
  • Establishing an identification verification process 
  • Providing data access request methods, including a toll-free number
  • Responding to data access requests within 45 days
  • Obtaining express opt-in consent
  • Preparing data maps and inventories of personal information that document critical flows and location of data
  • Updating privacy policies and disclosures to inform consumers of their rights
  • Avoiding discrimination against a consumer based on the exercising of any of the rights granted in the bill 
The penalties for noncompliance with CCPA include fines of up to $7,500 for each intentional violation and up to $2,500 for each unintentional act that is not remedied within 30 days of notice. Organizations whose data is breached or stolen are subject to fines of $100 to $750 per California resident (or actual damages, whichever is greater) in civil court. It is estimated that 200,000 or more U.S. organizations will need to comply with CCPA.  

CCPA passed quickly but is still undergoing review and comment, which might result in further revisions. It is expected that the underlying intent will remain focused on requiring organizations to provide data subjects greater control, transparency, and protection of their data collected by organizations. 

A resilient compliance approach

GDPR and CCPA requirements have established challenges for many organizations, especially those that must develop a tiered compliance approach to cover privacy protection for EU or California residents, separate or in addition to regulations governing other states or countries. With so many new laws covering various jurisdictions, many organizations are concerned about achieving compliance in a logical yet cost-effective manner.

One way to begin is to adopt a resilient framework for privacy and data protection that enables organizations to adapt and recover from difficulties or breaches quickly. Some organizations are applying generally accepted privacy principles (GAPP) as a framework. These principles can serve as a foundation to support compliance with a range of privacy regulations. 

Organizations that employ GAPP as a framework perform and provide the following:
  • Management. The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  • Notice. The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
  • Choice and consent. The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  • Collection. The organization collects personal information only for the purposes identified in the notice.
  • Use, retention, and disposal. The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Personal information is retained for only as long as necessary to fulfill the stated purposes, or as required by law or regulations, and thereafter the organization must appropriately dispose of such information.
  • Access. The organization provides individuals with access to their personal information for review and update.
  • Third-party disclosure. The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
  • Security for privacy. The organization protects personal information against unauthorized access, both physical and logical.
  • Quality. The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
  • Monitoring and enforcement. The organization monitors compliance with its privacy policies and procedures and addresses privacy-related complaints and disputes.
The next step in driving the right privacy fundamentals is to use an existing ethics and compliance program, or, in the absence of an established program, use the seven elements of an effective compliance program model. These elements create a structure for adoption of programs as diverse as enterprise risk management, anti-bribery, anti-corruption, and conflict minerals. 

Exhibit 4 shows how an effective program comprises seven elements, each of which can serve as a launch point for implementing a framework such as GAPP in a structured format or to enhance an existing compliance and ethics program to include privacy. Certainly if an organization does not have an existing program, privacy and data protection regulatory requirements are good reasons to put one into place.

Exhibit 4: Ethics and compliance program elements

exhibit 4
To develop or strengthen an ethics and compliance program that includes strong privacy fundamentals, organizations might consider the following actions and best practices: 
  • Elevate the position of chief privacy officer or data protection officer. Avoid burying the role in a legal or technology function. 
  • Discuss privacy and data protection at senior-level meetings. Make sure senior leadership understands why privacy and data protection is critical to maintaining and protecting the organization’s reputation.
  • Create policies and procedures that are easily understood by nonexperts. Strive for clarity in the language used in policies and procedures. 
  • Establish policies and procedures well in advance to enable fast response in case of a data breach or other event.
  • Train constituents to help them better understand policies and procedures and their relevance under the new privacy regulations. 
  • Use short, frequent communications delivered through different media. Communication should be directed both upward and downward to touch all levels of the organization.
  • Consider having an independent third party periodically perform an independent assessment – an action that might eventually become a regulatory requirement. Many regulations advise organizations to operate in an audit-ready mode.
  • Conduct and discuss investigations related to privacy and data protection matters while protecting the privacy of those involved.
  • Identify the root causes of privacy failures and take actions to prevent repeat occurrences.

Proactive preparation

Becoming a privacy-resilient organization takes time and effort, but is achievable when approached in an organized manner. While compliance is mandated and varied across multiple jurisdictions, if organizations remember that the main goal of many of these regulations is to provide data subjects greater control, transparency, and protection of data collected, the perceived complexity can be reduced. 

Compliance with regulations can generate results both internally and in the marketplace. Organizations can benefit from engaging with those who have advanced knowledge in navigating the complexities of privacy and data protection in a wide range of jurisdictions and circumstances.

Contact us

Bill Dykstra
Pam Hrubey
Pamela Hrubey
Principal, Consulting
Mike Varney - social
Mike Varney
Partner, Consulting