The raft of privacy laws worldwide — notably the California CPRA and EU’s GDPR — forces companies to inform users about how they collect and use personal information, and publish privacy notices on their websites.
To meet these compliance regulations, privacy officers responsible for building policies typically rely on surveys and assessments to collect insights into personal data, its purpose, usage, etc. However, these methods only provide a snapshot in time of personal data processed.
Since all companies operate in a dynamic environment — where new data is collected, processed, shared, and disposed of in a short interval of time — a static view of data is a recipe for non-compliance.
However, identifying and capturing changes in personal data use across all business units dynamically requires overcoming the following technical challenges.
Keeping Up with Dynamic Changes
New cookies pop up all the time, making them very difficult to track. Web administrators and technical marketers can deploy new code, cookies, and other tracking technologies easily and quickly. At the same time, non-technical users can use simple tools such as tag managers to apply tags without editing code. The tracking process is further complicated by the fact that some third-party cookies are shared with fourth parties.
In such a complex system, users’ personal and sensitive information can be processed by numerous vendors, which makes it extremely difficult for a company to track how personal data is processed.
In addition, as new data and business processes are added, companies need to track and update their privacy notices based on changes in business strategy. For example: a retailer that starts collecting geolocation data to make suggestions for nearby stores, or an online retailer that re-purposes users’ emails — originally gathered to notify customers of their orders — to send promotional material.
Another common change in data processing occurs when companies decide to share data with third parties to reduce cost or provide a better customer experience.
Keeping data privacy policies up to date with dynamically changing data processing activity is a moving target.
Many companies, particularly large enterprises, operate in a multi-regulation environment that requires them to comply with a slew of privacy laws. As soon as new regulations are enacted, companies need to update their privacy notices or risk being out of compliance somewhere in the world.
Case in point: when the California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, companies will need to update existing privacy notices to comply with the new requirements.
To address these challenges, consider these best practices:
- First, monitor all tracker activity by scanning your website periodically to detect when a change is made or a script is added, and ensure that the collection of personal data is automatically tracked and disclosed via a privacy notice. Ideally, notices should be dynamic and updated as cookies, personal data, and data processing activities change.
- Second, centralize the management of privacy policies to achieve a single-pane-of-glass view and notify privacy officers when their notices are out of date. This approach streamlines the privacy notice lifecycle by monitoring ongoing changes, and notifying administrators of any violations to privacy notices.
- Finally, use a legal research team to provide current and in-depth guidance on hundreds of global privacy laws, and advise how changes in legislation can affect privacy policies and notices. This intelligence can be used to reduce the burden of crafting custom privacy policies and notices to address specific requirements in regulations such as GDPR and CCPA.
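The first practice above, periodic scanning to detect when a script or cookie is added, can be reduced to a simple inventory diff. The example below is added here and is not code from the original post or from the author's company; it uses only the Python standard library, and the first-party domain, the third-party hosts and the cookie headers are constructed sample data.

```python
"""Tracker drift detection: diff two scans of a page for new third-party
script/iframe hosts and new cookie names (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # hypothetical first-party domain


class ScriptCollector(HTMLParser):
    """Collects the host of every <script src> and <iframe src> on a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add(host.lower())


def scan(html, cookie_headers):
    """Build an inventory: third-party hosts loading code, plus cookie names."""
    parser = ScriptCollector()
    parser.feed(html)
    third_party = {h for h in parser.hosts
                   if h != FIRST_PARTY and not h.endswith("." + FIRST_PARTY)}
    # Cookie name is the token before the first '=' of each Set-Cookie value.
    cookies = {c.split(";", 1)[0].split("=", 1)[0].strip() for c in cookie_headers}
    return {"hosts": third_party, "cookies": cookies}


def diff(baseline, current):
    """Return what appeared since the baseline; each item needs a notice review."""
    return {key: sorted(current[key] - baseline[key]) for key in baseline}


# Constructed snapshots: the second scan has a new ad pixel and a new cookie.
BASELINE_HTML = ('<script src="https://cdn.shop.example/app.js"></script>'
                 '<iframe src="https://tags.tagmgr.example/container"></iframe>')
BASELINE_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure"]
CURRENT_HTML = BASELINE_HTML + '<script src="https://pixel.adnet.example/px.js"></script>'
CURRENT_COOKIES = BASELINE_COOKIES + ["_adid=7f3e; Domain=.adnet.example; Path=/"]


def tracker_drift():
    """Compare the two constructed scans and report additions."""
    return diff(scan(BASELINE_HTML, BASELINE_COOKIES),
                scan(CURRENT_HTML, CURRENT_COOKIES))


if __name__ == "__main__":
    print(tracker_drift())
```

Run on a schedule against a stored baseline, a non-empty result is the trigger to check whether the privacy notice still describes every party that receives data.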
Business processes are dynamic and constantly changing, making privacy policy compliance difficult to achieve using static approaches. Applying these best practices can help organizations move one step closer to staying in compliance with global regulations.
About the Author:
Helen Huang, Director of Product Management at Securiti, is an expert in data privacy, security, governance and compliance.