Data privacy laws around the world are changing and the new laws have teeth. They recognize the rights of consumers to own and control their own data. And they hold enterprises unequivocally accountable for protecting personal data, thus creating a huge burden of compliance. Are you responsible for data innovations or data decisions at your company? Is your enterprise's data touched across different business units, consultants, auditors, vendors, machine learning companies, research labs, or data scientists? Or are you a consultant, researcher or a data broker working with data on-boarded from other enterprises? If so, you face a dilemma. The way forward is uncharted and there are no clear solutions. Would you take a wait and watch approach and go on with the business as usual? That road is riddled with risks ranging from huge fines to loss of reputation and the exodus of customers. Or do you envision being a thought leader and make the changes necessary to succeed and thrive in the new data privacy environment?
The first major shift in data privacy began with the GDPR, which shifted the dynamics between consumers and the businesses that collect personal data. The GDPR essentially gives consumers the power to control how their personal data is collected and used. This was a huge change. Many EU businesses lacked the necessary data management infrastructure to comply with GDPR and instead opted to close up shop. The California Consumer Privacy Act (CCPA) is right around the corner. California is the fifth largest economy in the world. If you are running a successful business anywhere in the US, you are likely doing some business in California. If this applies to your company, you will need to overhaul your entire data infrastructure before January 2020 to comply with CCPA.
The CCPA gives California residents new rights over their data, including the right of deletion of personal information, a.k.a. the right to be forgotten and the right to “opt-out” of the sale of their personal information. Both of these are extremely challenging for most businesses to implement. Let’s examine why this is so hard.
If one of your customers requests deletion of their information from your systems, your data infrastructure needs to be able to find all occurrences of their data and delete it. On the surface, this may not appear overly difficult, but let’s explore some of the complexities around this new requirement. Since I am a LinkedIn customer, LinkedIn has a lot of my private information. As a company, LinkedIn has hundreds of different teams. In addition, LinkedIn relies on a large number of data partnerships with other vendors, academic partners, consultants, and other enterprises. Each of these has its own way of working with data. Many data analytics teams download the data to their individual laptops. Many of them may have shared some of the data over cloud tools like Google Drive. My data may have been copied to thousands of locations. And no one, literally no one has any clue where or how many different places my personal information has been moved to. So how on earth would they go about deleting my information across all occurrences when I request to be forgotten? Of course, the above is only an example and LinkedIn probably has one of the better infrastructures for data privacy.
Equally challenging to businesses is the right to opt-out, which explicitly inhibits companies from sharing personal information of customers without their consent. Businesses will need to know not only where every copy of a customer’s data is, but also at a granular level what types of data it has for each customer. This is because while some customers may request that none of their personal data be shared, others may allow only specific portions of their data to be shared. For example, an email address may be shared but not phone numbers.
What about the fines? CCPA auditors can fine a company every 30 days per violation. Fines can be up to $2500 per occurrence per customer with no cap on the total amount. Hence, if in the example above there are a thousand occurrences of my data, we are talking millions of dollars in fines just because of few customers like me.
From a data management perspective, there is one unifying thread that connects all the above mentioned problems: data provisioning. Data provisioning is the ability to make data accessible, ideally in a fast, secure, reliable, scalable, and most importantly privacy-preserving manner. If you are still provisioning data the old ways or relying solely on non-disclosure agreements and contractual obligations to protect data rights and privacy, your company may be at risk for multimillion dollar fines and devastating loss of reputation. But if you are reading this, you are already starting to think about how to address the challenges and opportunities of data privacy. In fact, you may even be a thought leader in your industry.
It is no longer voluntary or left to the discretion of companies whether to protect their customers’ personal data; it’s the law. Businesses must make a choice to protect their customers’ trust. To thrive in the new environment, businesses need to become data privacy champions and embrace new technologies that enable them to automate data provisioning cycles with privacy. Alternatively, businesses that attempt to perpetuate the status quo will find that their customers will lose confidence in them and will cut ties. Over time, their internal processes and workflow will bog down and grind to a halt under the growing burden of regulatory compliance.
If you are a forward looking data professional, you understand the urgency of data privacy and are already looking for a technology solution. To learn about a new cloud-based data privacy solution that offers effortless and secure provisioning, please join us—Gamma Networks—at the Chief Analytics Officers & Influencers, Spring 2019 Conference in San Diego, May 14-16.
I'll be happy to answer any questions or concerns that you may be facing around data provisioning and data privacy. Please feel free to directly message me on LinkedIn or at firstname.lastname@example.org.