In verbatim feedback, respondents pointed to other actions their organizations are taking, including training and educating employees, developing task forces and industry groups, and adopting new technology solutions. On the latter front, new data privacy technologies are increasingly being seen as a quick fix – but that can’t replace the hard work of implementing new processes, policies and governance structures.
Below, we dig deeper into critical compliance actions.
1. Designating a project manager or owner
Of the 85% of respondents who have designated – or are in the process of designating – a project manager or owner, 70% say the individual overseeing the process of complying with state data privacy laws is in the technology (56%) or information systems (14%) department. A smaller share resides in risk or compliance (18%) or legal (11%).
As noted above, technology or IT departments that are already inundated with other tasks may not be in the best position to single-handedly lead data privacy compliance. The nature of these initiatives lends itself more to a cross-functional task force approach that includes risk, compliance, legal and tech professionals.
“While procuring the right data and enacting some of the necessary changes often requires technical professionals, the process of preparing to comply with state data privacy laws can also benefit from the involvement of broader risk management and governance perspectives,” says Cho.
2. Data mapping
Data mapping is a key aspect of any data privacy initiative. Nearly half (49%) of respondents have completed this action, and 37% say it’s in progress. Yet when this group was asked more granular questions about the steps they have taken to do so, it became clear that more work needs to be done.
The majority of respondents have undertaken initial actions, with 54% initiating a data mapping and 67% completing a data inventory and mapping of all personal information, data assets and flows. Fewer than half of respondents to this question, however, have taken the later steps: completing a data mapping and aligning procedures so that individual rights requests and related legal obligations can actually be fulfilled (48%), or being on track to keep an existing data inventory or mapping up to date (43%).
This gap matters. The CCPA gives consumers the right to ask a business to disclose the personal information it has collected, sold or shared about them in the preceding 12 months, and a business cannot answer such a request completely or within the statutory deadline unless it already knows where that data is stored, who holds it and how it flows between systems and vendors.
3. Privacy policies
Of the 81% of respondents whose organizations have updated or are in the process of updating their privacy policies, a large portion has focused on initial actions, including researching new or changing privacy laws (71%) and consulting with a team of stakeholders to discuss policies (63%). Just over half (53%), however, have actually drafted the new or updated policy, and less than half (46%) have informed customers or clients about it.
“Drafting new or updated policies can be difficult right now, as they will need to be amended once the final regulations come down,” says Claypoole. “While initiating conversations on these policies is important, it’s a relatively easy fix compared with the work that needs to be done to build out new structures, bring on the right talent and vendors, and establish the governance and procedures needed to stay in compliance with these laws.”
We also asked survey participants about the influence that consumer privacy-related requirements from tech companies have on their own privacy policies as compared with compliance requirements in state privacy legislation. Executives as a whole were more influenced by state laws (the average rating was 7.2, with higher ratings indicating greater weight on state laws), but tech respondents and especially retail respondents leaned further toward the requirements of tech companies. The average rating for tech executives was 6.9. Retail executives fell essentially in the middle, at 5.6, suggesting that each factor influences them roughly equally.
“We depend on those relationships, and we need to stay in compliance with their guidelines,” a VP of information systems for a financial services firm said of tech companies’ influence. A COO of a California-based retail company added, “We are at their mercy due to search and advertising.”
Perspectives on a Federal Data Privacy Law
For years, Congress has tried and failed to pass a federal data privacy law. The sticking points stem from two key issues: whether a federal law should preempt state laws, and whether the law should allow individuals to file lawsuits against companies for violating their privacy (the CCPA, for example, includes a private right of action, though it is limited to certain data breaches resulting from a failure to maintain reasonable security).
The executives we surveyed largely agree on the first issue – that a federal law should overrule state ones – echoing the opinions of corporate and technology trade groups concerned about a growing patchwork of state laws. Nearly 9 in 10 respondents agree that they would like to see a federal data privacy law passed that preempts individual state laws and creates a consistent set of requirements, with 53% strongly agreeing. A higher percentage of retail executives strongly agreed (63%), in keeping with their higher level of concern expressed throughout this report, as did respondents at the C-suite level (62%).
For Claypoole, a desire for an overriding federal law makes sense. “If you ask business leaders whether they want their laws simple or complicated, they’ll say simple almost every time.”