Welcome to “The Data Privacy Advantage Newsletter” which will be a monthly resource hub of practical information, advice and content that will help organizations make Data Privacy a business advantage.
Ready or not, here comes the full force of many Data Privacy and data protection regulations in 2023! 2023 will be a busy year for organizations around the world that are contending with the full force of laws going into effect that have been passed over the last two years, including January 1, 2023, the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), July 1, 2023, Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA), May 2, 2023, the EU Digital Markets Act (DMA), December 31, 2023, Utah Consumer Privacy Act (UCPA). The wait is over, and now is the time to get organizations into the habit of being in a position to more easily manage their compliance obligations. As organization rush to get “compliant”, there is a whole spectrum of things that organizations need to do that fall outside of the scope of compliance.
Laws and regulations move very slowly compared to technology. Often laws and regulations are passed as a reaction to some harm that has occurred in the past. At a bare minimum, organizations need to be compliant with the laws and regulations, but the current and future state of how data is handled cannot simply be addressed by having blinders on and assuming that being compliant is the finish line for Data Privacy.
Here are three areas beyond compliance that can derail your Data Privacy progress:
Operational Ability
Although “strategy” is all the rage in organizations, the truth is that organizations mostly fail with Data Privacy on their inability to successfully operationalize their data management practices. When your talk (what you say you do) does not match your walk (what happens with data in your organization), you will end up in hot water that no amount of compliance can overcome. Organizations need to get real and look at their operations and make sure they align with what they say they do. Organizations must get operational, not aspirational, about managing Data Privacy.
Trust and Third Parties
Most any organization has to share data at some point with third parties. Although we are seeing more regulations creating more compliance obligations for organizations in how they pass data to third parties, we also see significant business-to-business pressure for organizations to make Data Privacy a priority. It is significant to note that many of the forces that organizations are feeling about getting their data houses in order are not just compliance with regulations or the fear of fines but obligations that are now being written into data handling contracts. This contractual pressure creates a new incentive for organizations to take Data Privacy more seriously in ways that are hard to achieve with fear of compliance or fines alone. For example, a third-party organization may be required by contract to align with regulations that they would not have otherwise been subject to comply with at all. These business-to-business forces will continue to grow stronger as we see more organizations get more selective and picky about the data handling of third parties.
Reputational Harm
No amount of compliance is going to save companies…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
