Working remotely? Why now could be the perfect time to review your privacy program.
As we find ourselves in the midst of a pandemic, an earthquake, a toilet paper shortage (?), stock market volatility, and social distancing, it’s tempting to ease the stress (and I’m not speaking from experience here, ha!) by watching dog/cat videos, scrolling “the Gram”, or browsing the latest memes online. All of these can serve as a great distraction from the stress and also from one’s day job. Sitting in my home office, trying my hardest not to distract my wife from her own job, I started brainstorming about things businesses can do remotely through virtual technology to ensure their privacy program and privacy prep doesn’t fall behind. Here are a few recommendations that can certainly take your mind off the outside world and also ensure that the business is staying on top of its privacy requirements.
Data Inventory/Data Map
First and foremost is the data inventory/data map/record of processing. If you do not have one, the time to build one could be now. The individuals responsible for completing the questionnaire are online and busy chatting with one another via Teams as you read this. Why not use some of this social distancing time to complete the questionnaire? We’ve heard from our clients that working remotely is providing time to focus on some of the projects they have been putting off.
Now, I can’t blame anyone for procrastinating on a data inventory questionnaire, but this remote time could be the perfect time to focus on this task. If your business already has a data inventory, perhaps for GDPR or another privacy regulation, when was the last time it was updated or reviewed for accuracy? Was it 2018? Perhaps around May 25th for some reason? If so, it’s time to revisit it and ensure it represents your business’ personal data processing activities. Inventories are rarely accurate if left idle, and this is a good time to dive back in.
Cookie Inventory
Next, and probably the most misleading name and task of them all, The Cookie Inventory. No, I don’t mean the delicious kind with chocolate morsels that are slightly melted right out of the oven that require some of the strongest willpower known to humankind to resist. Seriously, lock these things up if I’m in the room.
I mean the cookies (first and third party) and trackers on your website pages. Do you know which ones are present and what purpose they serve? Scanning solutions can be deployed remotely, and research can be done on the site with built-in tools like Chrome’s developer tools and plug-ins like Live Cookies and Ghostery. Keep in mind that the cookies and trackers you find on your homepage may not be the end-all-be-all of the discovery. The cookies and trackers can differ between sub pages and even depending on how consumers interact with your webforms. Did a consumer just click on a text form? There is probably a cookie for that.
Cookie and tracker inventories are important for several reasons. Consent under GDPR, the sale of data under CCPA, and the statements (and accuracy of those statements) the business has made in its privacy and/or cookie policy are all driven by maintaining an accurate cookie and tracker inventory. If you have one, think about the last time you reviewed it and the last time you discussed it with your Digital Marketing team. If it’s been a while, it’s time to revisit.
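To make the inventory idea concrete, here is a small Python script that turns Set-Cookie headers captured while loading several pages of a site into a first-/third-party cookie inventory. This is an added example, not code from the original post or from CompliancePoint; the captured headers, the host names and the site name are constructed sample data, and the registrable-domain helper is a deliberate approximation (a real tool would consult the Public Suffix List). The summary flags the two things the text warns about: trackers that only appear on sub pages, and persistent cookies set without the Secure flag.

```python
"""Build a first-/third-party cookie inventory from captured Set-Cookie headers.

Added illustration. In practice the (responding host, Set-Cookie header) pairs
would be captured per page with a browser's developer tools or a scanning proxy;
here they are constructed sample data.
"""

SITE_HOST = "www.example.com"  # assumption: the site being inventoried

# Constructed sample capture: page URL -> list of (responding host, Set-Cookie header)
# observed while loading that page, including headers from embedded third-party resources.
CAPTURED = {
    "https://www.example.com/": [
        ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("www.example.com", "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000"),
        ("ads.tracker-example.net",
         "uid=xyz; Domain=.tracker-example.net; Path=/; "
         "Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure"),
    ],
    "https://www.example.com/contact": [
        ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("forms.widget-example.com", "form_visitor=q1; Path=/"),
    ],
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into its name/value pair and its attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for this example: multi-label public suffixes such as co.uk
    break this shortcut, so a real tool should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_party(response_host, attrs, site_host):
    """A cookie is first-party when its effective domain (the Domain attribute if
    present, otherwise the responding host) shares the site's registrable domain.
    Note that party says nothing about purpose: a first-party analytics cookie
    still needs a purpose recorded in the inventory."""
    effective = attrs.get("domain") or response_host
    if registrable_domain(effective) == registrable_domain(site_host):
        return "first-party"
    return "third-party"


def build_inventory(site_host, captured):
    """One inventory row per (page, cookie) observation."""
    rows = []
    for page, responses in captured.items():
        for response_host, header in responses:
            cookie = parse_set_cookie(header)
            attrs = cookie["attrs"]
            rows.append({
                "page": page,
                "name": cookie["name"],
                "set_by": response_host,
                "party": classify_party(response_host, attrs, site_host),
                # Without Max-Age or Expires the cookie dies with the browser session.
                "persistent": "max-age" in attrs or "expires" in attrs,
                "secure": attrs.get("secure") is True,
                "httponly": attrs.get("httponly") is True,
                "samesite": attrs.get("samesite", "(unset)"),
            })
    return rows


def summarize(inventory, homepage):
    """Findings a privacy reviewer would want: third-party hosts, cookies that a
    homepage-only scan would miss, and persistent cookies lacking the Secure flag."""
    pages_by_cookie = {}
    for row in inventory:
        pages_by_cookie.setdefault(row["name"], set()).add(row["page"])
    return {
        "third_party_hosts": sorted({r["set_by"] for r in inventory if r["party"] == "third-party"}),
        "only_on_subpages": sorted(n for n, pages in pages_by_cookie.items() if homepage not in pages),
        "unsecured_persistent": sorted(r["name"] for r in inventory if r["persistent"] and not r["secure"]),
    }


if __name__ == "__main__":
    inventory = build_inventory(SITE_HOST, CAPTURED)
    for row in inventory:
        print(row)
    print(summarize(inventory, "https://www.example.com/"))
```

Running the script prints one row per page/cookie observation and a summary; on the sample capture it reports two third-party hosts, a form-widget cookie that only appears on the contact page, and a persistent analytics cookie set without the Secure flag. Comparing that summary against the cookie policy is the review the text recommends.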
Privacy Policy
I’ve mentioned the next task in passing in the first few paragraphs, and there is a reason for that: it is driven by those tasks. The often mentioned, but seldom reviewed, privacy policy and employee notice. The window to your business’ privacy soul, and the first thing an opportunistic professional plaintiff or consumer will review to determine if your business is an easy target. The personal data collected and processed by businesses changes all the time. New marketing initiatives, websites, partners, and systems arise all of the time. It’s time to dust off the privacy policy and make sure that it accurately reflects your data processing activities and includes the many notice elements the privacy regulations require.
Consumer Access Request Process
While important to the privacy program, the first few tasks I’ve reviewed can be seen as dry, and if you’re looking for something more interesting and interactive, you are in luck. Next is testing or designing your consumer access request processes and procedures. Designing the request procedures can be accomplished through remote screen shares with system and application owners to determine how to honor the various privacy rights, including deletion and access. SaaS-based applications have already thought of this and have some instructions. However, think about homegrown systems or systems that may have a lower privacy maturity rating. How will your business honor these rights and prove that it did so? Who will be assigned? How will the business track it? How will the business establish a defensible position and be prepared for an AG or regulator inquiry? These questions can be answered by designing not only the technical procedures for honoring the requests, but also by implementing an overall internal or external solution to assist with demonstrating compliance.
If you’ve developed these procedures, you know it’s important to put them through their paces. Think of it as a test lap, if you will. Just as Ferrari and Mercedes wouldn’t design their F1 car and throw it to the wolves at Monaco, you should test your request procedures to ensure they are finely tuned and running as efficiently as possible. Perhaps you’ll find that the email address listed sends bounce-backs or never ends up in the team’s inbox. What about the 1-800 number route? The agent likely has his or her hands full with tasks; have they been trained on how to handle and escalate privacy requests? If so, is the escalation process working? An important part of the procedures and testing should also include the verifiable request portion. How many times have we heard about a husband or wife getting access to their spouse’s data, or the company just outright botching the access request and delivering the wrong individual’s personal information to the original requestor? Time to test the procedures and put the lessons learned into production.
Assessments and Audits
While there are a myriad of tasks that can be performed remotely, I’ll leave you all with one final one – remote assessments/audits. If you have prepared your business for privacy obligations, now can be a good time to have a neutral third-party firm perform an audit of the program and provide recommendations surrounding deficiencies, with enough time before the CCPA enforcement date (I only use this date because I’ve seen many companies use it as their Go Live date) to address any issues. If you are reading this article and have no clue where to start, perhaps an assessment with recommendations and a roadmap to compliance is the better choice. These can assist with company direction and with getting buy-in and budget for remediation. What a business needs depends on where it is in its privacy journey and program implementation.
Conclusion
People change roles, training lags, and day jobs continue. Use this time as an opportunity to ramp up reviews of your program or to get the program in order. Technology allows many of these tasks to be completed virtually, including inventories, mapping, request design and tests, security audits, and assessments/audits. While facetime with team members and consultants is valuable, we have accomplished many of these projects virtually with no issue. Take a break from the news cycle, check those privacy programs, and update any deficiencies found.
If you’d like more information or to discuss your organization’s privacy program, please contact us at Connect@CompliancePoint.com.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.