Why “Compliance” is not enough to succeed in Data Privacy

Ready or not, here comes the full force of many Data Privacy and data protection regulations in 2023! It will be a busy year for organizations around the world as laws passed over the last two years go into effect, including the California Privacy Rights Act (CPRA) and Virginia's Consumer Data Protection Act (CDPA) on January 1, 2023; the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) on July 1, 2023; the EU Digital Markets Act (DMA) on May 2, 2023; and the Utah Consumer Privacy Act (UCPA) on December 31, 2023. The wait is over, and now is the time for organizations to build the habits that make their compliance obligations easier to manage. As organizations rush to get “compliant”, there is a whole spectrum of things they need to do that fall outside the scope of compliance.

Laws and regulations move very slowly compared to technology. Often laws and regulations are passed as a reaction to some harm that has occurred in the past. At a bare minimum, organizations need to be compliant with the laws and regulations, but the current and future state of how data is handled cannot simply be addressed by having blinders on and assuming that being compliant is the finish line for Data Privacy.

Here are three areas beyond compliance that can derail your Data Privacy progress:

Operational Ability

Although “strategy” is all the rage in organizations, the truth is that organizations mostly fail at Data Privacy because they are unable to operationalize their data management practices. When your talk (what you say you do) does not match your walk (what happens with data in your organization), you will end up in hot water that no amount of compliance can overcome. Organizations need to get real, look at their operations, and make sure those operations align with what they say they do. Organizations must get operational, not aspirational, about managing Data Privacy.

Trust and Third Parties

Almost every organization has to share data with third parties at some point. Although more regulations are creating compliance obligations for how organizations pass data to third parties, there is also significant business-to-business pressure on organizations to make Data Privacy a priority. Many of the forces pushing organizations to get their data houses in order are not just compliance with regulations or the fear of fines, but obligations that are now being written into data handling contracts. This contractual pressure creates a new incentive for organizations to take Data Privacy more seriously in ways that are hard to achieve with fear of compliance or fines alone. For example, a third-party organization may be required by contract to align with regulations that would not otherwise have applied to it at all. These business-to-business forces will continue to grow stronger as more organizations become more selective about the data handling of third parties.

Reputational Harm

No amount of compliance is going to save companies whose data handling missteps cause reputational harm.

At the “Privacy Matters” Conference hosted by Ketch in NYC in 2022, Lou Paskalis, one of the most notable advertising executives in the US, made one of the most memorable statements and apt analogies about trust that applies to Data Privacy:

“Trust comes in on foot but leaves on horseback.”

The harm created when trust is broken by poor data handling practices may not be enough to earn the attention of a regulator but may be significant enough to cause your customers and business partners to head for the exits. As Data Privacy becomes a key differentiator, the minimum of being compliant will not be enough to win and maintain trust.

It is important that organizations become and stay compliant with a raft of regulations, but they need to do much more than adhere to compliance to make Data Privacy a business advantage.
