In May of 2020 I was honored to speak at the MERv conference with John Frost of Box on the topic of Using Information Governance with a Privacy Compliance Plan as the Fulcrum for Data Privacy and Continuous Compliance. Below are some excerpts from my transcribed remarks.
Session Description: Tackling data privacy and maintaining consumer trust is harder than ever, especially with the sheer amount of information you need to manage and with constantly evolving privacy laws (CCPA, GDPR, etc.) moving the goalposts. The usual checkbox compliance, ad-hoc governance, and reactive information security policies will fail, if they haven’t already, and create too much organizational risk. To achieve a state of consistent compliance and minimize corporate risk, you must provide three things to your business: transparent governance, frictionless security, and continuous validation. To provide these things, you must build a strong information governance framework and privacy compliance plan to succeed.
ON KEY PRIVACY ISSUES TODAY…
What’s important to remember here, overall, is that making your privacy plan a key component in your compliance program isn’t just helpful. These days it’s really a strategic imperative. That’s not only because it’s a hot topic or because it’s a growing regulatory requirement, but because it naturally enhances the way our organizations, and specifically our compliance and infosec groups, treat and value ALL of the data they’re responsible for testing and for securing. And in validating and protecting PII, we’re actually adding a layer of assurance that improves both internal operations and the customer experience.
Privacy makes data governance ethical and tangible, and compliance leaders understand that. Today, what we’re going to walk you through is what that awareness and proactive approach look like through the eyes of project leaders during three stages of compliance: prevention, maintenance, and retrospective.
I just want to point out that privacy, conceptually, is, of course, ancient really. People tend to forget that. I mean, it has been written into legal codes even before the Constitution. As a Records and Information Governance community, we’ve been dealing with it, from HIPAA to SOX, in one form or another. What’s different today, at least in the business world, is that the thresholds that trigger compliance these days aren’t industry-specific. Instead, they’re related to annual revenue and the number of data subjects you interact with, so that’s why we see a broader cut of industries being looped into these new demands of GDPR and the CCPA.
ON UNDERSTANDING TODAY’S REGULATORY COMPLEXITIES…
Privacy leaders have been asked about the volatile regulatory environment, and a clear majority of privacy leaders rank keeping pace with the new regulatory landscape as a pretty important factor in their strategy…. Research also shows that a minority are not confident that they have a framework for helping them adjust to that change. So, that’s what we’re aiming to address here today in terms of strengthening that IG program so that it helps buttress or even drive your privacy goals.
[Another] insight we’re sharing with you involves metrics. And we all know metrics is the heart and soul of compliance to a large degree. And we see that finding those metrics to measure their programs is somewhat lacking for the majority of those surveyed. And that results in the majority of leaders being unable to effectively report on their program outcomes.