Overcoming Today’s Biggest Privacy Challenges
Transcript
Matt Dumiak: Hi everyone, thanks for joining today’s webinar. My name is Matt Dumiak and I oversee the privacy practice here at CompliancePoint.
We hope that everyone is having a great holiday season. We know that everyone is busy between family obligations as well as trying to close out the year in strong order, so we really appreciate you taking some time to join us for this session.
While we were brainstorming webinar topics, this overall theme continued to come up. The challenges and solutions we’re about to review and discuss are based on questions, challenges and pain points that come up all the time with our clients during the assessment phase as well as when we are helping them implement and manage their privacy program.
Just a couple of things from a housekeeping perspective: we will be making this presentation available following this broadcast, and we also have a Q&A session, so please feel free to submit questions through the chat function and we will, if it makes sense, try to get to those as we’re going through this webinar. If not, we’ll handle them at the end during the Q&A session, but please feel free to be interactive, submit those questions and we’ll handle them as they come in.
So let’s move over to the agenda. We’ll go over some quick intros and spend a minute on who CompliancePoint is before getting into the material. During this webinar, we’ll be highlighting the most common challenges we see organizations face and then walking through, at a high level: What is the requirement? What is the challenge? We’re not going to spend a lot of time on the challenge, I think we all probably know what those are, and then really where the meat of the content is going to be is talking through how we recommend overcoming those challenges.
So moving to introductions, my name is Matt Dumiak, I’m the Director of Privacy Services here at CompliancePoint. I’ve been with the organization for 14 years, been working with clients and managing risk for that long, so it’s been a great ride, but really I think everyone’s heard enough of my voice, I’ll pass it to my colleague Mackenzie to give a quick overview of her background and experience. So Mackenzie, thanks for joining us.
Mackenzie Atuan: Hi everyone, my name is Mackenzie Atuan, I’m a Senior Consultant here at CompliancePoint. I’ve been with the company for about eight years with close to six of those focused on data privacy, just working with clients in this space, helping develop and manage their programs.
Matt Dumiak: Well good, well moving to CompliancePoint’s background, again I promise we’ll keep this quick, that’s not why you all are here, but at our core we help our clients understand, mitigate, and manage risk in the market. This is accomplished through a consultative approach and understanding of the regulatory space and the markets in which our clients operate. We do not take a one-size-fits-all approach and base our recommendations on our clients’ data processing activities, risk exposure and where they sit really in that life cycle, if it’s a controller, processor, one or both depending on the context of processing, as we can all imagine those vary.
We offer risk assessments, consulting, implementation of processes, procedures, and policies, managed services surrounding various regulatory obligations, and we also consult on a variety of information security frameworks. We’ve been doing this since 2004.
So if we could move to the next slide and just talk about our services at a very high level: obviously why we’re here today is to talk about data privacy, but we also offer services around ISO, the payment card industry standards, HIPAA and healthcare, if any of you operate in that space (HITRUST is a major component of one of those offerings), and also marketing compliance with the Telephone Consumer Protection Act as well as mobile texting obligations, email, and things like that too.
So if you have any additional questions about any of this, check out our website at CompliancePoint.com. So as promised, I kept that at a fairly high level, so I think we can go over to the next slide to really get into the content.
So how did we get here?
I think it’s important to do a little bit of table setting. It’s pretty easy to look at this map and see what a patchwork it is in the US, but also how the regulatory environment has also been evolving in the EU and in the UK. But in the US, we do have a patchwork of states.
It’s been a really successful year in terms of legislation for state data privacy. In 2023, 10 comprehensive privacy laws have been signed, so that number really exploded this year. Not only that, but five states’ laws also went into effect in 2023. So as you all know, California has been there for a long time, or what feels like a long time at this point at least. Other states have also gone into effect. So now at this point, organizations are really starting to need to have a program and manage risk around these privacy laws as they actually go into effect. And then, not to forget, not every state’s legislative session has ended. So there are still eight proposed privacy bills that are active. We’ll see whether or not those pass, but that is something to keep an eye on.
So as you all can imagine, when we have all these state requirements, that can create some complexity. But then also in the EU and in the UK, like we’ve talked about, there have been amendments to the UK GDPR and there have been some changes to some GDPR requirements as well at a high level.
So let’s talk about on the next slide, the top five challenges we’re seeing. And I think this is a great point to remind the attendees that if you look at these challenges, you have any questions specifically about them, please put that in the chat.
So the top five challenges we’re seeing are: conducting and managing data protection impact assessments, or DPIAs; international data transfers (everyone’s favorite topic if you have GDPR obligations); notice obligations, so when you think through the privacy policy, but it goes even beyond that, as we’ll review; the right to opt out, and kind of the various rights that are starting to come under that at the state level and on the EU side as well; and then AI governance. I think we’d be remiss not to talk about what’s going on right now in the AI space and how organizations can get their hands around what it looks like to govern that and deploy it responsibly.
All right, so the number one challenge we’re going to discuss today, and all of these, in our opinion, are ranked by how challenging they can be to solve for. But you all might have some various opinions about that. Maybe some of you find DPIAs fairly easy. Maybe you’re working your way through it and you find something like notice obligations a little more stringent to get through. But we’ll handle those as we go through.
So this map, I think, illustrates from a federal or from a state level what we’re dealing with when it comes to data protection impact assessments or DPIAs. We talked about how 10 states have signed laws this year. Five are in effect. So you can see that the number there is rapidly increasing. But what you can also see with the DPIA requirement is that the majority of states are going to require an organization to conduct DPIAs. And so we’ll talk about when they’re required, what they must contain at a very high level just so we can kind of set the stage.
But I think this map illustrates that the DPIAs are a pretty critical topic for the regulators. They see that there’s a lot of value for organizations to think carefully about the processing activities they’re undertaking. And just to highlight here that Utah and Iowa are the only states that do not today have a data protection impact assessment requirement.
They may also call these risk assessments in some capacity, but we’ll call them DPIAs to be consistent.
So when we talk about when a DPIA is required, it’s probably more often than you would think. And so just really quickly with GDPR, and it’s the last bullet there at the end, this has been in place for a long time, or what, again, feels like a long time since 2018. Data protection impact assessment would be conducted or would need to be triggered and conducted prior to processing where high risk to the rights and freedoms of natural persons is occurring. They provide some great examples through the recitals as well as through regulatory guidance about when to do a DPIA and what it must include. Again, that’s been in effect or been required since 2018.
So we’ll focus on the state side a little bit. The majority of the states are going to use the terms either significant or heightened risk to consumers’ privacy or security. And so you can see already that the DPIA is going to have both a privacy and a security component to it, with the triggers. This is where I think some of the challenge comes, because these are really broad triggers. And typically every organization is doing one thing or another under this list here, such as selling or sharing of personal information.
I think the major one is targeted advertising. Obviously, if you have a website, an organization is likely doing targeted advertising. The processing of sensitive personal information, automated decision making, which we’ll get into, but that could be even broadly interpreted.
And then processing minors and employees’ data. That would be obviously where employee data is within scope of that law.
I think some other key components to talk about with the DPIA are that these are due upon request to the regulator. These are not something that typically takes a day or two to complete. So this is not something that we would recommend holding off on until you get a request. This is something you certainly want to get in front of as an organization, to make sure that the records and the DPIA are completed and accurate, that all of those things are there, so that it’s ready to go should a regulator request it.
And then just to talk a little bit about the draft requirements from the CPPA. Again, draft, but there are some requirements there that may include that you upload an abridged version of the DPIA to the regulator every year. We’ll see how they go through that and what they do with that, but that’ll be really interesting to see if that goes out of the regulation draft mode, but those will be hopefully finalized here shortly.
So moving to the next slide, just talking about, we talked about what the triggers are for a DPIA. Talking about the potential harms is also extremely critical. These are outlined in some of the various laws and regulations, and I think it really just speaks to how broadly the regulators are expecting organizations to think about the risks and potential harms to consumers from the processing of their personal information. They give some examples or they outline this in their law, constitutional harms, discrimination, financial injury, privacy harms, psychological harm. And so I think it just speaks to how broadly they’re going to interpret this and what they’re expecting from organizations.
They also want you to consider what the nature of the risks is, what the source of the risks is, and then all of that detail will filter down into that DPIA. And so it also speaks to the need, and we’ll talk about this a little bit with the solution, but when you look at all of these various requirements and potential harms that they outline, it speaks to the need to speak to individuals who have different skill sets and potentially different departments within the organization to get different perspectives about how that processing activity may impact the consumer. I think it’s just really critical not to be in a silo from a privacy perspective and just think that we know it all. Talk to the various business folks to understand the potential harms to consumers.
So let’s talk a little bit about the challenge. I think that segues nicely if we go to the next slide on that. So there are numerous challenges when it comes to completing a DPIA. You have potentially, we talked about it, there are very broad triggers and they go beyond that as well. We look at these laws, so take a look at that, but there could be this challenge to have the information complete. It’s insufficient information, trying to get that from the business, trying to find individuals who even know what the processing activity will be. It could be in flux. It might be hypothetical situations that could lead to an incomplete DPIA or even a challenge of not having either correct information or appropriate information that, again, as a reminder, these things would need to be submitted to the regulator, so ensuring that that information is correct.
So insufficient information, I think a lack of support is common. These are typically a cross-functional exercise and they do take time, as we’ve talked about. And so a lack of support to get them done and get them across the finish line.
And then making a business decision, if you go through the DPIA and all of a sudden you find that it’s too risky, so that processing activity is too risky, now what do we do? And trying to figure that out as an organization, I think that could be a culture change for some organizations to make sure that they understand that they may not be able to use a vendor or do a specific processing activity or something like that.
So then when we move to how to overcome this challenge, first and foremost, we need to understand that this is not something that can typically be accomplished by one person. This is certainly a multidisciplinary approach. You’ve got legal obligations and items that you need to have in the DPIA. There’s technology involved, not only technology information, we should say. I mean, certainly you could use technology to complete a DPIA and engage that group if you need assistance in that regard, but also the technical systems, security, all of those kinds of components that you need to include in the DPIA are typically going to come from a different team.
And then of course the process and operation of a DPIA. So how do you get this across the finish line and beyond? I think a question we hear oftentimes is, okay, we’ve done a DPIA or we’re completing it, what now? So that is where I think that cross-functional exercise really comes into play, and that multidisciplinary approach, having those different areas of expertise come in and advise and ensure that the DPIA can meet all the requirements, but then also can continue moving forth through the process to ensure that it’s a meaningful DPIA: that it understands the risks to the consumers, it identifies them, it mitigates them where possible, and it documents how you as an organization either have accepted risk or what the risk treatment plan is, and all of those kinds of things that need to be included in that DPIA.
So moving to the next slide, a little more detail here and what we’d recommend doing, but I think while it might be straightforward to say, hey, the first thing to do is get a template in place, that may not be the right approach. I think the first thing to do is recognize and define what the end game is. Obviously, this is a regulatory requirement. We certainly want to comply with the law as an organization and most organizations would.
That’s going to be a leading indicator here driving the DPIA, but also there might be some other items or some things driving the DPIA. It could be that you need to do it for business engagement or the market is asking for it or potential clients are asking for it. Of course at that point too, you want to talk through what does that look like? Can we ensure that we make this a publicly facing document and we have an internal facing document that we would give to regulators upon request, but really understanding and defining what is the goal? What is going to be successful with these DPIAs?
Again, understanding that the privacy laws do have the obligations, but there might be a broader approach there that as an organization you would think through. So what and why? So educating is really critical. We talked about the multidisciplinary approach. Everyone has a day job. We find that giving individuals background and context about what a DPIA is goes a long way. Gets them and set expectations about what we need from them. They typically, you know, everybody wants to be helpful and volunteer, but again, like we said, everyone’s busy.
So I think educating: why does it matter, what are the benefits to the organization, what does it mean for them? All of those kinds of things are great. Pose that up to the business.
I know this sounds pretty straightforward, but identifying allies within the organization and leveraging some of that political capital, key word there, some. Don’t blow it all on it, but you know, just leveraging some of that political capital to, if you need some support from your IT director or the CTO even in terms of trying to get these DPIAs completed and across the finish line, that’s the way to go.
And then just even committee conversations, creating that to have those conversations and make sure that things are, that everyone’s aware of what’s going on. Accountability is critical and I think we see this a lot in the consulting space. So certainly I would like to say that we understand that from an accountability perspective, we have the benefit of being an outside third party, unbiased third party that comes in and really some of the value we add is establishing accountability.
We’re an outside vendor, an organization has brought us in. We see that, but really where we see organizations are successful with DPIAs is when they assign accountability, or define accountability and assign responsibility and then move the project clearly through the deadlines and the responses, who’s owning what, what the feedback is.
And then towards that feedback thing, the goal there is why does it matter? Recognize the team effort. It’s a living document, set that expectation, lessons learned from the DPIA, how did it benefit the business?
How did you move forward with the processing activity as a privacy team or beyond? All of those things, it’s kind of like that 360 feedback loop from an HR perspective. It’s really helpful to see that, hey, you’ve put some, you know, a business unit or individuals put work into it. What’s the outcome and seeing the value in that?
And then moving to the next slide, DPIA 101. I would just like to point these out because we didn’t want to blow right over it, but don’t overthink the obvious. Engage the PMO team, the project management office. They typically have experience across the various business units. They’re very skilled at getting things progressed and through to the finish line.
Another item we find very helpful is establishing a threshold analysis. You can help avoid false starts. A DPIA, as we’ve outlined, is a lot of work. We get that. If there’s some type of shortened analysis or assessment that an organization can conduct to determine if a DPIA is even necessary, based off those triggers that we’ve talked about, that can be a shorter timeframe and something that can ease the burden on the business in terms of doing DPIAs all the time, because that’s something we oftentimes hear when we come in: hey, we’re doing DPIAs all the time. It’s basically becoming our full-time job.
We’re really going to look at the core of that and say, okay, are we doing DPIAs when they’re necessary, and figure that out first. And oftentimes we see that we can reduce the burden based on that. Even providing, when we do feel like a DPIA is required, operating from a template eventually, after we’ve gone through that education and success, is really helpful, but then also providing examples of risks and controls.
And then ultimately we do feel that and recommend that the final sign-off is going to be from the data privacy and legal team to understand and make sure that we’re clearly and accurately describing the risks and going from there with our DPIA.
So moving from there, I think we’re going to go to our next challenge, which is international data transfers. So Mackenzie, I’ll pass it to you and we’ll go from there.
Mackenzie Atuan: Thanks, Matt.
So data transfers, I think is a big area that a lot of our clients struggle with. It’s a fairly difficult exercise to undergo. So we’ll go through the same format, giving a high-level overview of what the requirement is. So I’m not going to provide like the formal definition of a data transfer or anything like that.
What we’re going to focus on are what your options are to transfer personal data from the EU to a third country. So the two most common options that we see clients rely on and that we’ll talk about in more detail in the upcoming slides would be the adequacy decisions and the standard contractual clauses.
The adequacy decisions are for those countries that the European Commission has deemed to have sufficient privacy laws in place to protect EU personal data to roughly the same level as the GDPR. Most recently for the US, that does include the new EU-US Data Privacy Framework self-certification.
And then the other option that we see most clients use would be the standard contractual clause route. Those are those agreement updates typically added to like a data protection addendum that does now also require a data transfer impact assessment, which is I would say one of the biggest challenges when it comes to data transfer. So that is something else that we’ll get into.
The less common options that we see, but that we didn’t want to breeze over: codes of conduct are one method that you can use to transfer data. Those we still see as in progress, though. There’s only been one approved, the EU Cloud Code of Conduct. So it’s not really something that can be relied on for the majority of your transfers.
The next would be binding corporate rules. Those are really designed for multinational companies to transfer data between their affiliates. It’s a very lengthy process to develop and implement and it does require approval from the supervisory authority. This exercise can take as little as 18 months and most likely beyond that. So again, not something we typically see our clients relying on.
And then the last option would be those derogations. That’s things like consent or transferring data for a contract. Those are really only supposed to be used for one-off transfers, not really something that you should rely on for frequent or ongoing transfers.
So talking through the common challenges that we see our clients face when it comes to the data transfer exercise. The first one would be just identifying the transfers. I think it sounds like a simple exercise, but in reality, it requires an extensive review of all of your organization’s processing activities. So if you don’t have an inventory available or data maps available or a lot of support from your other teams, this is going to be very difficult to tackle. And it’s really the first step in this process.
The next challenge that we see clients face, if they are relying on standard contractual clauses, or SCCs, is the act of actually making the updates. Those were updated back in 2021. So even if you were relying on the historic or the other version of the SCCs, we now have to go back and update every single agreement where we’re relying on those SCCs. So it’s really just a tedious exercise.
We are seeing, not too frequently, but we are seeing more and more vendors push their own template data protection addendums, or DPAs, with the standard contractual clauses included, which I think is a good thing and a bad thing, right? It’s a good thing because it’s kind of already taken care of. It’s a bad thing, though, because we still want to check to make sure that they actually include, A, the updated SCCs and, B, all of the terms that your business requires for your transfer purposes.
And then lastly, those SCCs now do require the data transfer impact assessment. We’ll focus on that. Like I said, that’s a fairly difficult exercise, which brings us to the third challenge that we’re seeing around this, which would be the act of actually conducting what we’re calling DTIAs.
So while this is a requirement, there’s not a ton of guidance or a standard template or format on how a DTIA should be completed. It’s a fairly subjective exercise. It also requires extensive review of the importing country, or where you’re sending the data, and their local surveillance laws or government access laws. That’s not something that a typical privacy officer or internal legal team will have knowledge in or be able to understand. That requires really a review of every single individual country’s surveillance laws. So that is something where we typically see clients needing additional support, additional budget for outside counsel to help review those countries’ laws.
And then lastly, it also requires input from vendors, which is not always the easiest to get, especially if they’re a legacy vendor that you’ve already had. It can be a difficult exercise to get input from them for you to be able to complete these DTIAs.
And then last one, I think is the biggest one. It’s just general legal uncertainty around data transfers. I think it’s been all over the place, right? We have had methods that we can rely on to transfer data.
Schrems comes along. Maybe they become invalidated. Then we have another, and the same thing happens. They get invalidated. So I feel like it’s been a little bit of a roller coaster recently.
And even in defining what a data transfer is: under the GDPR, which became effective in 2018, we had this broad data transfer mechanism requirement, but there wasn’t really a formal definition available as to what constituted a data transfer. It wasn’t until 2021 that we got that definition through the EDPB guidance. So I think even that is a source of frustration that we’ve seen, as clients are required to comply with something that hadn’t been formally defined. So to go through each of these and talk about how to solve for data transfers, what we’ll do is walk through our process of identifying the transfers, determining what transfer mechanism is best to rely on, and then we’ll get into the DTIAs and also the Data Privacy Framework later on.
So first step, right, is identifying the transfers. We talked about how difficult that can be. It can be simplified or at least made a little bit easier. You’ll have a little bit of a head start if you do have existing documentation that you can leverage.
Data inventories, data maps, your records of processing, and maybe even your privacy notice will have a good start, I think, for you to start identifying where you’re transferring data, who you’re transferring it to, where they’re located.
You’re going to have a lot, I think, in today’s world, like most of our clients, they have a lot of vendors, right? And while vendors aren’t the only place that you might be transferring data, I think that’s the most common one and the easiest one to use as a use case for the purpose of this. But there’s a lot. So it’s really difficult to identify all of those and then think through, oh gosh, now I have to do a DTIA or identify what transfer mechanism I’m going to rely on for all of these. So just prioritize them.
I mean, start with your key ones that are important to the business. I would say those that help keep the business functioning and those where you’re transferring either a large amount of personal data or a large amount of sensitive personal data. So examples would be your CRMs, ERPs, HRIS if you’re transferring employee data. Focus on those first before you move into those vendors that may process data more infrequently, or that just process less risky personal data in general.
And then also work to identify your stakeholders. Even if you have extensive inventories, records of processing, things like that, you’re still going to need additional information, whether that’s from your internal stakeholder or by getting them to assist you with getting information from the vendor. I think it’s key to just give them a heads up that that might be coming.
And then from there, once you’ve identified your transfers, work to determine what mechanism is best for you. Keep in mind that it’s not necessarily like a one-size-fits-all. You may be relying on adequacy in some places and then have to implement standard contractual clauses in others.
So once you identify your transfers, I would say start with adequacy. See if there’s any that you could just check off the list really quick if you’re transferring it to a country that has an adequacy decision. That’s the easiest way to go.
And then from there, move on and determine if you are going to self-certify under the data privacy framework or rely on standard contractual clauses. With the data privacy framework, I think that if you haven’t started your data transfer exercise but you have a pretty mature privacy program outside of that, that might be a quick solution for you to go ahead and get something in place for compliance with the transfer requirements.
And then if you are concerned about some of the challenges that the data privacy framework is facing, you could in the meantime start working on doing your transfer impact assessments and start updating your contracts with standard contractual clauses. But at least you’re not totally out of compliance while you’re doing that.
Matt Dumiak: Yeah, Mackenzie, I think that’s a great point. I know we’re going to go just a little bit into the data privacy framework and how that could be a solution. But the fact that it’s not a check-the-box exercise and that it does need to be reviewed carefully. And I think that’s a great point to point out. And it could be a good two-pronged approach of we have the data privacy framework. That’s potentially an option specifically if we have a more mature program and if we were certified under Privacy Shield potentially.
And then as well, considering those SCCs and doing those DTIAs in the background along with that. I think that’s just a great point to highlight there. I just wanted to call that out.
Mackenzie Atuan: So moving on to the DTIAs, or the data transfer impact assessments. Like I mentioned earlier, it’s a subjective exercise; there’s not really a set template out there that we can use. So what we have found to be the most streamlined and productive way to complete these DTIAs with our clients is to create a risk-based approach. Maybe even leverage the same kind of format that you use for your DPIA, if you have that in place. But think about assigning risk scores to the different types of data you’re transferring: if it’s anonymous data, probably low to none, right?
If it’s health data, high risk, if it’s contact information, maybe a little bit lower risk. So kind of think through those things based on the types of information you’re typically transferring.
Also try to get ahead of it by thinking of some common risks that you could see, or thinking about where the riskier countries are that we’re transferring data to, and assign them a risk score as well. I think overall that’ll help set the logic for your DTIA process and also serve as something to fall back on: if you’ve got that logic documented and outlined and you’re questioned about why you did or didn’t implement safeguards, you can rely on that as your thought process.
And then next would be leveraging outside counsel, getting budget for that because it’s a really difficult exercise to try and think of all of these very unique and not necessarily privacy specific laws that might impact the rights and freedoms of individuals where you’re transferring the data. So that’s likely going to require outside counsel to assist with that.
And then kind of thinking through are there any safeguards that we could go ahead and say would be acceptable for our type of business and the types of data that we’re processing that if we do need to implement anything additional, we kind of have those at the ready, right? So things like encryption, access control, thinking through if there’s a way to even transfer less data. So think through those ahead of time and then it’s almost like an easy reference guide, right?
And then lastly, go ahead and if you have a vendor onboarding questionnaire, think through if there’s anything in your DTIA where you might need input from the vendor, go ahead and include that in that vendor onboarding questionnaire because then you don’t have to go back to the vendor two, three, four times with those questions, it’s already completed.
Questions we typically recommend or see our clients include would be things around if the vendors received any government access requests in the past, if they have policies and procedures to manage those types of things, those all could either increase or help reduce the risk of the overall transfer.
And then from there, going through the steps to actually update your vendor agreements where you are relying on those SCCs. So first up, develop a standard data protection addendum. This is something we see a lot of clients also leverage outside counsel for, getting a template that’ll make the process a lot easier when you’re trying to work through the contract negotiation phase of things and even going through to vendors that you’re currently engaged with and updating agreements you already have in place.
Determining if your vendors have their own DPA. I think this is becoming more common, still more so seen with those larger vendors out there like the Microsofts of the world. They are going to provide their DPA as a vendor to you. They are not going to review and agree to all of their customers’ custom DPAs, right? So a lot of vendors will have their own DPA that we would still recommend reviewing, making sure that it does meet the provisions that you need it to meet, especially as we move through in the future and we start seeing more laws passed which might require additional disclosures.
And then lastly, I think this is an easy step to skip, but make sure the DPA is actually in place. Make sure you’ve got those SCCs in place, that those are signed and that that’s engaged, because I think that’s an easy step to skip, especially when you’re going through this exercise and reviewing all of your vendor agreements at once.
Matt Dumiak: Yeah, Mackenzie, that’s a great point to call out. That’s often a finding when we’re working with clients and looking for these agreements, that either they don’t exist or they’re not executed. So great point there.
And then I think, you know, you talked about it a little bit, but another recommendation for these DTIAs and SCCs, fairly straightforward, but organizations should give themselves a lot of runway. To your point, they do take a good bit of time, up to and including, even if you’re working with outside counsel in Europe, they may need their counterparts in the US to assist with the local laws. And so it’s a good bit of back and forth. So giving yourself plenty of runway, I think, is pretty critical. Again, it’s not something that we typically see done in a few weeks.
Mackenzie Atuan: Especially if this is your first time going through it.
So then moving on to the data privacy framework and overcoming that, like Matt mentioned earlier, it’s not a check the box exercise. It does require review. I mean, it’s something that you’re certifying that you’re able to comply with and you’re putting that out there for the public to see.
So kind of a five-step approach here. First would be make sure you have budget and support to self certify. I guess the certification alone requires a monetary fee. It’s not that high, but it does require a fee. But also, if you don’t have all of the policies or procedures or technologies that you need in place to self certify and to agree that you can meet those principles, you may need additional resources there as well.
And then do a mini-assessment. It doesn’t really have to be anything super formal, but take your current privacy program and assess it against what the DPF privacy principles and requirements are and identify any gaps in your program that would need to be updated before you can certify. Those could be more difficult things, like maybe you don’t have record retention in place.
That would be a fairly large exercise to undertake. It could be more simple things like you need to update your privacy notice with those new disclosures from the DPF or you need to identify and register with your independent recourse mechanism. So work through those and then work through the remediation of those as well based on the gaps that you do find. Once you feel comfortable that you can meet all of those principles, work through the actual online self-certification process and submit your fees.
But keep in mind that that’s not like a one and done situation. You will have to continue to recertify on an annual basis moving forward. So make sure that you work that into your program, like your privacy program management schedule because if you do have a lot of changes in your program in the future, it may require another quick assessment or some remediation before you can self-certify and kind of state again that you’re able to meet those requirements there.
And so moving on to the next challenge that we see clients struggle with would be notice obligations or your privacy policy. At a high level, we’ve kind of consolidated the common disclosure requirements we see in privacy policies here on the diagram on the chart. Something that we really wanted to call out, though, is that these requirements are changing, especially here in the US as more states pass comprehensive privacy laws. We’re seeing more and more unique disclosure requirements.
So we have a few examples on the slide, but like Texas will require businesses to state if they sell sensitive personal information. California, you may be required to include a do not sell or share my personal information link. You may be required to include a toll-free number for consumers to submit requests. A new right that we’re seeing is the right to appeal.
If your request is denied, you have to provide instructions on how consumers can submit an appeal and then the EU has fairly different disclosure requirements than what we’re seeing here in the US on things like data transfers, data protection officers, things like that.
So know that the disclosure requirements are continuing to expand and change. So if we go to the next slide, we can start talking about the challenges.
So the most common challenges that we see clients face when it comes to the privacy notice, to start, is just understanding what your data processing activities are. If you aren’t aware of what types of data you’re collecting, how you’re using it and who you’re sharing it with, you won’t be able to create an accurate notice.
Next up would be, I think it’s pretty easy to create a very lengthy and long privacy notice that’s full of a lot of legalese that your average consumer wouldn’t understand. So making sure that it’s easy to understand but still meeting your obligations for disclosures is fairly difficult.
Third would be making sure you have consistent versioning across all collection points. And what we mean by that is making sure that you’ve accounted for all areas where you might collect personal data. So if you kind of think through that, at first you just think, oh, the website, right?
But then you think, okay, well, we also have a career site. So we need disclosures in the recruitment context that we’re recruiting in California. We also have a mobile app. We need a privacy policy there. We also have employees in California. We need an employee notice. So it can expand fairly quickly. So really making sure that the privacy policies are on all those points can be difficult.
And then next up, a lot of new state requirements, right? We just talked about a few unique areas. And then fifth would be keeping it accurate and updated. The years go by really fast now, right? So it’s really easy to forget that that’s one more policy that you need to keep updated and it is publicly facing. So it can be higher risk.
And then last would be all these new privacy laws, kind of what Matt went over in the beginning. We saw 10 pass this year or were signed this year. Who knows how many will be signed next year? So there’s more and more coming down the line, which will have disclosure requirements.
This slide we won’t spend a lot of time on, but we just kind of wanted to show it. This isn’t an exhaustive list of disclosure requirements, but we really wanted to show A, how these disclosures differ, and then B, how they can also be crosswalked to help you. So this is kind of a challenge and a solution, I would say, in one slide.
Matt Dumiak: Yeah, I like the way you put that, Mackenzie, because even though it’s not exhaustive, it still shows the complexity of the requirements.
Mackenzie Atuan: So how to overcome this. I think you’re going to be tired of hearing us talk about the inventory by the end of today, but inventory is key.
Like I said, you have to know where your personal data is, how you’re collecting it, what you’re doing with it, who you’re sharing it with, in order to provide an accurate notice to consumers and to your employees if you’re in California again. So that’s really key there.
Next up would be working to streamline the privacy policy. I think we’ve all seen those like 50 to 100 page privacy policies where it’s easy to get lost. As privacy professionals, we know what keywords to search for, but the average consumer probably won’t really know how to look for where the information they’re wanting is actually listed. So what we would recommend doing is try and crosswalk all of your applicable state privacy laws that are in scope for your organization, identify where the disclosures are similar, and try and make it more, I guess, condensed. If they are similar privacy regulations, maybe combine those sections in one versus having an entire section for California and then an entire section for Colorado when most of the disclosures are the same. So work through those.
And then even if you’ve done that, maybe consider a layered approach, especially if you do have a lot of state privacy laws in scope for you. Think about a layered approach that would be easier for the consumer to review and read in that maybe you have a summary of the types of information you collect and then a drop down option for read more and then they can get into the specific categories and examples and things like that.
And then third would be updates. Work into your program management schedule, regular updates to review and update the privacy policies. At a minimum, we recommend an annual basis, but if there is a major change, it might require new updates to your privacy policy or say you decide to self-certify under the data privacy framework, that would be an update to the notice that would need to be done probably before your regular annual notices do.
And then fourth, consistency. So like I mentioned, the number of places that you have a privacy policy can add up really quickly. So make sure that you’ve got a way to track where privacy policies are required, what privacy policies are on those locations and when they were last updated. That’ll be really key to making sure that you maintain accurate notices both for consumers and then if regulators were to check as well.
And then the fifth thing that we recommend doing that we found really valuable is creating an audit program for the privacy notice, not necessarily auditing that the notice discloses all the disclosures required, but more so auditing to make sure that your privacy policies have been updated in those locations. So maybe randomly select a location that you’re going to check to make sure that the latest privacy policy has been posted to that site or that employee handbook or wherever it may be provided.
And then moving on to the right to opt out. This is the fourth challenge we see a lot of our clients start to face, especially as more and more different types of rights to opt out become available. So we put together this map here of the US and then the EU and UK to really show where these rights apply. On the screen here you can see the blue states on the US map would be those states that provide consumers the right to opt out of automated decision making and or profiling, the right to opt out of the sale of their data and the right to opt out of sharing for California, the targeted advertising for the rest of those states.
Also calling out the three states that provide the right to opt out of the sale of data or targeted advertising and then the EU a little bit more unique in that they offer the right to opt out of automated decisions, but also the right to object flat out to certain processing activities.
And so Matt, I’ll pass it to you to talk through the challenges that we see clients face.
Matt Dumiak: Yeah, thanks, Mackenzie. So I think the first two are tied fairly closely together, but as you just went through, Mack, the definitions do vary slightly at the state level. So they’re going to vary a little bit per state. Some will follow each other. Some will be very slightly different, including some that have a very classic definition of what a sale means, where monetary value needs to be tied to it. Others may take a broad approach of meaningful consideration as kind of a key term or a term we see commonly used.
And so even understanding or interpreting what the definitions are and tracking them and kind of tying or a nice segue there is the application of those definitions and the operational requirements to the business.
I mean, even the first privacy enforcement that was making big headlines with Sephora, in that they stated in their privacy policy that they were not selling personal information. The regulators in California disagreed, right? The application of the requirements to the business, obviously there was a struggle there and completely understood.
We see a lot of organizations even today that still are having that problem of understanding where they might be selling data, where they might be sharing it, where they might be making automated decisions or profiling. Like all of those things you have to really look at through per processing activity and really review that and apply that to the business.
Another common one is managing and proving exceptions. So there are exceptions to these opt out requirements. You have to go beyond, as an organization, just saying we’re exempt; really document why you’re exempt. And then tracking proof of opt out. I think organizations are very familiar with tracking opt out more so from an email, texting or calling perspective, but tracking those opt outs if it’s a sale or a share, something like that. Just going beyond that to think through how you’re going to really memorialize that you honor that opt out.
So let’s talk a bit about overcoming the challenge in the next slide. And Mack, I think you’re going to handle a few of these and I might provide some color.
Mackenzie Atuan: So start off once again, the inventory, right? So leverage your inventory. I think this is a good resource to identify where you’re sharing data with third parties. And then from there, trying to determine if it does fall under one of these sale share profiling type activities that would be subject to the right to opt out.
Let’s say, think about this from a prioritized approach to like focus on the usual suspects where you typically see this type of sharing activity occurring, the marketing team, the website team, social media, sales, operations. That’s likely where you’ll find these types of activities.
And then look to your online and offline sharing and selling of personal data. When it comes to online sale or sharing, I think that one’s a little bit more straightforward these days. Everyone’s starting to see more and more cookie banners pop up. So leverage a cookie provider, or if your organization has the skills, develop a homegrown system that allows consumers to manage and opt out of cookies on their own browser. Through that, it’s typically IP address that’s relied upon to track records of those opt outs. But I would say that’s a little bit more straightforward than the offline sale of personal data.
This one, work with your marketing team to identify and manage where you are selling data offline. This one’s a little bit more difficult to, I think, make sure you’re covering everywhere. So kind of think through things where maybe it’s not on your website, but it’s on where you’re creating custom audiences through Facebook, things like that, where it may still be considered a sale of personal data. So you’ll need to create a web form on the website to really streamline the management and receipt of those requests.
Matt Dumiak: And I would even add that this is one from a consulting perspective that’s difficult to templatize because different systems and applications are typically in play and those vary by organization. When we’re engaged, we have to come in and really sometimes even reset the thinking about it and say like, okay, first off, this is an offline sale. We’re taking data, we’re doing something with it that is considered that. But then looking at those existing operational steps that the organization is taking to conduct that offline sale and saying, how do we honor these requests? And it’s really kind of, there has to be an evolution in how the organization thinks about that.
So we’ll admit, it’s tough to templatize. Thinking through that, there might be a little pain in the beginning to honor it and fix the systems and applications that are involved moving forward. But if there’s a little bit of pain in the beginning, you can automate it and make it easier on yourself in the long run.
Mackenzie Atuan: And then the next few areas that we’d recommend focusing on would be, moving forward, work to design your apps and your procedures in a way that would help you honor these requests. Kind of think through where maybe you could collect less data or store data for a more limited amount of time so that it kind of reduces the need, or the where, when you need to honor these requests.
And then kind of like Matt mentioned in the slide before, make sure you have a process to maintain records and document exemptions where you do deny requests. This could be through something simple like a spreadsheet if maybe you don’t receive a lot of requests or something more systematic like a ticketing system or a help desk system where it can log those requests for you and the actions taken there.
Overall, I would say the right to opt out is fairly difficult because the definitions do vary, but as we see more enforcement in the US and I think we will in the future, we’ll receive more guidance on how and where these requirements apply and then how the regulators are expecting businesses to honor these requests.
So then moving on to our fifth challenge, I’ll pass it back to you, Matt.
Matt Dumiak: Last but certainly not least, and I realize we do want to reserve some time for some Q&A, so we’ll go through this a little bit at a higher level than potentially planned, but again, the slides will be made available. So we’ll talk about what’s required at a high level.
Some of you may be aware of this, but there is the EU AI Act. It’s the first of its kind regulation. It’s specifically going to govern or regulate artificial intelligence use. Of course, it recognizes the benefits of AI, but it does put in, I think the interesting part is it’s going to build in some risk tiers and then beyond those risk tiers, what both users or developers and deployers of AI are going to be obligated to do up to and including even registering AI systems if you are developing them.
State privacy laws we’ll talk about as well. They’re governing or regulating AI in a slightly different way. It’s not specific towards artificial intelligence, but more so the profiling and automated decisions.
And then of course, the Biden executive order. I wanted to talk a little bit about that at a high level and provide a little insight into those principles.
So moving to the next slide. What’s required at the US level? Again, it almost mirrors the DPIA map if you go back and look at that, but the majority of states will have some type of obligation around profiling and automated decision-making. Utah and Iowa, not so much yet, but potentially different regulation or law moving forward. So how we define and look at this in the US on the next slide is typically through profiling, which means a form of automated processing performed on personal information to evaluate, analyze or predict personal aspects.
And then to these high-risk areas, economic situation, health and personal preferences, interests, location or movements. And so that’s how they look at that. And there are some common themes there that would be triggered with profiling or automated decision making.
Transparency, so informing the consumer about it, providing the ability of the consumer to opt out, which we’ve talked a little bit about.
And of course, a DPIA requirement too. So kind of coming full circle with the first challenge that we talked about.
And then the Biden EO outlines eight guiding principles. This was released on October 30th. I would really recommend that any of you attending today take a look at that EO, executive order, if you haven’t done so already. It’s quite long, it’s quite robust, but they do outline these principles in a kind of summarized format. And we really thought that it balanced the need to manage risk while not slowing down emerging technology, which I think a lot of organizations are kind of grappling with.
So what’s the challenge with AI? They could be numerous. I’m sure some of you are really scratching your head about this because of how quickly the business wants to move, which I jumped ahead a little bit to the challenge on number three there.
But first and foremost, what is it? It’s still a new concept. There are various interpretations of it. Some individuals think that an iPhone is AI. The EU AI Act has defined it. You can go look at that in the EO, in the executive order. It’s also outlined what it is.
Also, treasure hunt. Is your organization already using it? Likely, unless there’s a really stringent ban on any type of artificial intelligence and you’re mature and you and the organization have an understanding about it. Finding out where it’s in use and kind of how you can back up and put controls around it is a real challenge.
The business needs. So again, there’s pressure from leadership and other departments to use AI. And certainly number four, we don’t want to stifle innovation like it or not. AI seems to be falling into the privacy landscape of responsibilities to manage risk around. So finding that we don’t want to be a roadblock. We don’t want to stifle innovation. We certainly want it to be a benefit to the public and the business.
And so how do we balance that? So let’s talk about how we balance some of these things. First and foremost, I think don’t panic. It’s here, but I think everyone’s in the same boat. So we’re all kind of going with the speed of traffic.
Understanding where it’s being used is really critical. You might be able to find that within a data map or a data inventory. Working with the business to understand that, your IT team will have a really good understanding of, or likely an idea of, where it could be leveraged. If not, they’re using it.
Identify a governance framework. We’ll talk a little bit more about that as a solution. You’ll see that there is a lot of available resources for AI governance out there today. Talking about this 101, but establish your approval committee if you feel like you’re behind the times and you need to get in front of this AI thing. And then implementing the program, just giving yourself a roadmap to look at. And then moving on, what we wanted to include was just an example of an accountability framework that could be tied really closely to an AI governance framework. This is broken down. It’s from CIPL. It’s an accountability framework. It starts with leadership and oversight.
But as you can read through these items, I think we see that it’s really beneficial to talk through the risk assessment, the policies and procedures, being transparent around the AI, training and awareness. All of these things can roll up really nicely into an AI governance program that would reduce risk and ensure that the organization is comfortable with where they are in their use of AI.
With that, I know we’re against time and we do want to ensure that we have some time to answer some questions.
I would just leave in summary that don’t go it alone. There are resources out there. You have resources internally likely, but also resources externally, like we’ve talked about this with this framework. It’s data privacy. People generally have an interest in it. So you probably do have some volunteers out there.
Keep it simple. Don’t overcomplicate it. Keep it simple. The simple solution is often the best solution. It makes it meaningful and it makes it reasonable to implement.
And then don’t boil the ocean. We’ve talked a lot about prioritizing based on risk from DPIAs to data transfer impact assessments to notice disclosures, things like that. These regulations and these laws understand that they recommend a risk-based approach. So recommend that you look at the criticality to the business and the risk to the business and the consumers as you’re implementing that roadmap. So I think these are just three kind of core components to remember as you’re going through your privacy journey and handling some of these challenges that we’ve discussed today.