Changing Privacy Requirements
Five Questions Channel Program Leaders Should Be Asking
2018 has marked a major shift in the way governments, companies, and consumers view data privacy. The landmark 2016 EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It was quickly followed by the California Consumer Privacy Act of 2018 (CCPA) that was signed into law on June 28, 2018 and becomes effective on January 1, 2020.
GDPR-like laws are being adopted across the world from Japan to Canada, Argentina, and India. In addition to California, privacy legislation is under consideration in five other states and at the federal level.
This wave of new laws, recent high-profile privacy incidents, and increasing regulatory scrutiny are driving companies to make significant changes to their privacy policies to comply with these requirements, protect their brands, better serve and meet the expectations of their customers, and avoid the potential of significant fines. This can no longer be viewed as a European problem; strong privacy protections are fast becoming a global and national requirement.
Under these laws, companies that process and hold personal data—both customer and employee—are subject to an extensive set of new requirements. What makes these laws really tricky? Third parties such as partners and resellers have to abide by the same data protection rules as the parent company.
These laws are having a major impact on the way companies collect and process personal data and are driving major changes to companies’ privacy policies and practices.
Implementing a program to establish and maintain compliance with this new wave of demanding privacy laws is no small order. Some leading companies with a large European presence embraced GDPR early and have established robust programs with input from European regulators. Many companies started later and are still working to implement a program that manages their data privacy risks and could withstand regulatory scrutiny. Despite the magnitude and high importance of channel sales to many companies, a large number still have work to do to address data privacy risks and requirements in their sales channels.
Preparing to address privacy requirements as robust as GDPR and the new California law can be daunting. If you’ve fallen behind, it can be challenging to know where to start. While the requirements of these laws are extensive, here are five questions to help steer your efforts.
1. Have you reviewed and updated your consent processes?
GDPR sets a high standard for consent, noting that “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” The intent is to offer individuals true choice and control over their personal information.
Key elements of proper consent include:
- Being clear, concise, and specific regarding the purposes for which personal data is collected;
- Requiring a very clear and specific statement of consent for explicit consent;
- Requiring a positive opt-in, not using pre-checked boxes;
- Unbundling consent requests from other terms and conditions;
- Naming your organization and any third parties who will rely on the consent;
- Making it easy to subsequently withdraw consent; and
- Maintaining clear records of consent.
When your company is referring a lead to a partner, when a partner is referring a lead to your company, or when a partner is referring a lead to another partner, we want to make sure that we have made the proper notification to the customer and obtained proper consent to share and use their information, and that we have a valid legal basis for having and using their personal information.
2. Have you inventoried the personal data you have collected, where it resides, and how it is protected?
GDPR and the California law illustrate the importance of establishing a strong data governance function. Companies need to have a very clear picture of the data they are capturing, how to categorize and classify that data, how that data flows within the organization and with third parties, where that data resides, and how that data is protected.
Strong data governance is important as companies prepare to provide greater transparency to consumers, specific disclosures of the categories of personal information collected, and increased consumer information access and deletion requests. Requirements that now apply to European consumers will increasingly apply to U.S. consumers.
We typically gather a lot of personal data on customers to enable us to be more targeted in our messaging, help us to develop our relationships, and increase our chances of closing deals. That personal data is often distributed across a variety of systems such as a CRM, PRM, portal, business intelligence systems, spreadsheets, and databases. To protect our data, we need to know what we have, where it flows, and where it resides. We should also consider incorporating relevant security requirements into our partner agreements.
3. Have you established accountability for the protection of personal data?
If a significant amount of EU consumer data is processed, a Data Protection Officer (DPO) role is required under GDPR. The DPO has specific responsibilities under the law including monitoring the company’s privacy compliance efforts and coordinating with regulators.
In any case, a DPO or equivalent role can be helpful in driving action and accountability. The DPO brings together business and technology stakeholders and helps “set the tone” around data protection and its importance to the business. The role is as much about instilling a new culture as it is about enacting and upholding new processes.
As we rapidly enter this new world of global and national privacy laws, we should take a hard look at how we manage our privacy program. A legal-driven approach with limited involvement from IT and the business will no longer work. To succeed, your business needs strong collaboration across legal, security, engineering, product management, and marketing to determine a vision for your data practices. As a team you’ll need to decide which personal data you need to keep or collect, which you should delete, and whether you want to take a global or regional approach to privacy.
4. Are you prepared to handle customers’ data subject access and deletion requests?
Under GDPR and the California law, individuals have the right to access the personal data that has been collected on them in a portable format. Individuals also have the right to request the deletion of their personal information, though there are various scenarios where the business is entitled to retain such information. There has already been a sharp rise in data subject access requests since the GDPR went into effect. As consumers take an increasing interest in their privacy rights, companies may need to accommodate a substantial number of these requests. Regulatory authorities have also seen a significant rise in the number of consumer complaints received post-GDPR, with much of that due to incomplete responses to data subject access requests.
Gathering all of a consumer’s personal information in response to a request can be a challenging process depending on the nature of the business and its supporting systems. Manual processes will not be sustainable in most cases. Considerable engineering effort may be required to build a substantially automated solution in many cases. Businesses will also need to ensure they have a solid process for verifying (authenticating) consumer requests.
Data deletion is usually a very complex matter for a company as an individual consumer’s data is often spread across multiple systems, perhaps multiple vendors, multiple databases, system logs, backup systems, and backup media with differing retention periods. Determining which data must be deleted and which data must be retained requires careful planning and strong data governance. Companies must think through their operational procedures for handling requests.
5. Have you considered the 72-hour breach notification requirement and refined your incident handling procedures?
A personal data breach is defined broadly under GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Companies must report a personal data breach to their supervisory authority within 72 hours. Where that is not feasible, the delay must be explained and required information must be provided “without undue delay.” Impacted individuals must also be notified “without undue delay.”
Companies must have clear incident handling processes to effectively identify, contain and respond to potential breaches. If a breach occurs, you need to have a defined process that you can immediately follow including clear procedures, escalation protocols, communication protocols, and involvement of legal counsel and other stakeholders. The combined pressures of rapid incident resolution and regulatory reporting leave little room for error.
Of course, we want to be very precise when interacting with our regulators in an incident/breach situation. Poor handling of an incident can have disastrous financial and legal consequences. In situations like this, you will need to involve legal counsel and your communications team in preparing regulatory and customer notifications. That leaves almost no time to think through an incident response process on the fly, let alone identify and contain the actual issue.
It should also be noted that GDPR and the California law both emphasize the proper use of encryption and de-identification as strong mechanisms to mitigate the impact of a breach. Personal data should be deleted if there is no business need for it, and encrypted or anonymized when retained.
It’s time to act.
GDPR has now been in effect since May. Countries across the world from Japan to India are adopting GDPR-like laws. California has passed a strict new privacy law and other states are soon to follow suit. Regulators are increasingly scrutinizing companies’ privacy practices and consumers are becoming more aware of their rights. Many companies are still digesting and operationalizing the requirements of GDPR and have not yet started planning for the impact of these new laws in a meaningful way, though European regulators are actively conducting investigations. Many have not yet applied these new requirements to their channel systems and processes.
These laws raise the bar for how companies and their partners handle personal data. They represent a challenging adjustment for companies that sell and market through the channel, as every additional partner adds risk. Now is the time to take a fresh look at your privacy policies and practices to address the growing wave of regulatory requirements, rising consumer and business expectations for data protection, and how we apply the relevant requirements to our channel ecosystems.
Recognizing the challenges that companies with channel programs are experiencing, Allbound is developing a Channel Compliance Framework. The framework is a combination of technology, services, and good operational and legal practices addressing topics including partner management, customer data management, integrated consent management, data protection, audit and compliance, and legal practices. Stay tuned for more information on our framework.