On October 9, Sentinel VP of Strategy Aaron Weller, FIP, spoke to Sonia Rothwell on the AICPA podcast Go Beyond Disruption. Titled “Build a Privacy Culture that Drives Success,” the episode delves into a topic at the core of Sentinel and its privacy management tool, Ethos.
Laws, organizational practices and the way we use data are rapidly changing, making information privacy a very interesting space these days. From drones to the internet of things to artificial intelligence, the legislative system is struggling to keep up with technology, and largely providing tech-agnostic frameworks and principles, leaving nuances in implementation details to the courts and regulators to sort out.
With this kind of legislative framework, we need to ask ourselves how we can go beyond simple compliance, Weller says. As anyone in security can tell you, you can be compliant without being secure. Similarly, in privacy, you can be compliant, but not be doing things in a way your customers, employees, or stakeholders would see as being in line with your corporate values.
The California Consumer Privacy Act (CCPA) has many companies scrambling to stand up a privacy program, because — particularly for companies only working in the U.S. — this is the first time they’ve had to think much about how they manage the data they hold. A lot of companies are asking what’s the minimum they need to do for compliance, but Weller says that’s not the way to be looking at this. It’s always a trade-off, he says. You may save dollars in the short term, but in the medium to long term, you may find spending more up front to drive the way the company does business will be more beneficial.
One of the ways Sentinel helps companies is to work with privacy and compliance team leaders to take a more business-centric approach: aligning privacy initiatives with the corporate strategy, networking across the organization and selling the program to leadership.
Privacy is a horizontal problem, and organizations that are built in a vertical way have trouble making decisions about things that touch every area of a business — for example, how to allocate a budget for an initiative that impacts many teams. Additionally, even very large companies may have relatively small privacy teams that can’t incorporate good privacy practices on their own. It’s imperative to have more than the people dedicated to privacy doing the work. “Privacy by collaboration,” Weller calls it, riffing off the well-known “Privacy by Design.”
So, how to get started with your CCPA compliance? Weller recommends starting with the public-facing elements — your privacy notice, the do-not-sell button, and other visible aspects of compliance with the law. And, importantly, understand whether you’re affected by all aspects of the law — you may not think you “sell” personal information, but the definition of sell is broad in CCPA, so you’d do best to have a close look at your practices.
The real takeaway for companies, however, is that California is one of 50 states. And while you may not be in scope for California, you will very likely find your company in the crosshairs of a privacy law soon. So, start doing the work now, and get an understanding of what it will take to get your privacy practices up to snuff before you find yourself under a legislative deadline.