Creating data trust
January 30, 2023
Companies with global privacy operations have been in intensive, costly cycles of readiness and compliance with regulations that came in quick succession: the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and more than 2,500 laws governing data privacy.1 Compliance programs emerged in piecemeal fashion to comply with separate regulations. Eighty-eight percent of global companies say GDPR compliance alone costs their organization more than $1 million annually, while 40% spend more than $10 million.2
The piecemeal, ad hoc approach is untenable.
First, privacy legislation and regulation show no signs of abating globally or within Canada. Law 25 (previously Bill 64) recently passed in Quebec. Ontario, Alberta and British Columbia are also proposing new requirements, which would create additional compliance obligations for Canadian businesses. Federally, Bill C-27 would enact Canada’s Consumer Privacy Protection Act (CPPA) and update parts of the Personal Information Protection and Electronic Documents Act. These changes will be significant: a recent PwC Canada survey found that one in five (21%) of Canadian businesses expect to spend $10 million or more to get ready for the CPPA, and 37% expect to hire 10 full-time staff over the next two to three years.
Second, the areas of responsibility for privacy professionals have been continually expanding beyond data inventory and mapping. Privacy impact assessments (PIAs) are cornerstones of privacy programs, and they’re increasingly required in new and emerging regulations. Consumers are increasing their privacy IQ and are more likely to exercise their rights. Many companies are already seeing a rise in access requests from consumers, and innovation in the development of privacy-enhancing technologies is happening at a rapid pace.
You need to get ahead of all this for the sake of your privacy team and your business. But to do so, you need to check out of “compliance” mode and into a long-term, strategic, privacy-first approach that extends far beyond compliance checklists and audits.
Keeping personal data secure and private—and making sure customers and shareholders know you’re protecting their information, and how—is critical to the success of any business. The good news is that if you’re doing privacy strategically and enlisting the company’s support, you’ll likely find compliance is a lot easier.
This long-term, strategic, privacy-first approach starts with a good foundation we call data trust: making sure you’re using data responsibly, securely and ethically so you can rely on it for business decisions and growth. In our recent 2022 Canadian Digital Trust Insights report, only approximately a third of respondents indicated they have mature, fully implemented data trust processes in four key areas: governance, discovery, protection and minimization. Furthermore, only 36% of organizations have mapped all of their data. Even fewer (29%) have mature data minimization processes.
So how can you put privacy first in your organization—building on the data trust foundation?
Counterintuitive though it may seem, now’s not the time to shift your privacy program into overdrive. Now is the time to take a step back and view the big privacy picture. Then, having perspective, you can start to make big plans that will position your organization as a privacy leader tomorrow, as well as today.
Step 1: Rethink and reset your privacy operations strategy
Take stock of your current state and reset your privacy strategy to align with your broad data and business strategies. Determine what it will take to get there, including rethinking your privacy operations model and underlying resources and talent.
Understand the pain points, inefficiencies and risks of your current processes.
Understand your existing privacy tech landscape. Where can you automate and/or tech-enable to gain efficiencies?
Understand your operating model. How and where are resources being utilized, and where do you have talent gaps and/or need more resources?
Tie your privacy strategy to your data trust strategy. Evaluate the four capabilities defined by our data trust framework: how well a company governs, discovers, protects and minimizes the data it holds. Data governance is the process, and data trust is the outcome: data that decision makers can rely on and data use that’s ethical, safe and trustworthy.
Nearly one in five organizations that responded to our 2022 Canadian Digital Trust Insights survey have no formal data trust processes in place at all—and these are key next steps to the successful execution of your data trust strategy.
Gain a broader perspective on the tasks and challenges faced by business partners, including marketing, data governance, data analytics, IT and cybersecurity, sooner than later. Start to view this as a horizontal challenge for your vertically structured organization. As we found in our CPPA impact and readiness survey in the spring of 2021, resources from not only chief compliance officers are being allocated towards readiness, but also resources from chief information and chief data officers. Bringing together teams from across the enterprise is critical to connect the dots on the most urgent opportunities requiring privacy support, including quick wins that could be attained with less effort and collaboration.
Resetting your privacy strategy to improve its effectiveness means building a privacy program in which your business strategy, your program strategy and your resource strategy dovetail with each other. Synchronization of all three is the ideal future state.
Step 2: Accelerate efficiencies in compliance by standardizing and automating certain processes
Much of the work your privacy teams are doing now could likely be handled more efficiently and even more effectively by digital technologies. Rather than significantly increasing the number of full-time equivalents (FTEs) allocated to your privacy teams, artificial intelligence (AI) can perform an increasing number of tasks, especially those that your teams do repeatedly, such as privacy impact assessments, answering access requests from individuals and data mapping. Automation makes it easier to get, and stay, in compliance with existing and new laws and requirements.
Streamline compliance processes, taking into account the problems, challenges and risks you face regarding data privacy. Handling access requests, for instance, has become a full-time job (or more than one) in itself. But if you create a standardized process for answering them, you can let automation do this time-consuming task for you—while adhering to the laws you need to follow.
Use managed services for certain functions. Outsourcing the tasks that privacy teams perform repeatedly and frequently—things like privacy impact assessments, access requests, data inventory mapping and incident management—may be easier on your budget and your staff’s time. Managed services can also be critical for strategic support if you have a resource shortage, and they can help confirm you won’t fall out of compliance.
Use technology and automation to perform as many tasks as is feasible and save time and money. Instead of using spreadsheets to track workflows, manage data and administer projects, for example, use software and solutions to do these jobs and automation to confirm you’re staying compliant. How much technology and automation you use will depend on your organization’s size, complexity and risk profile.
Consider developing a de-identification strategy. By keeping a significant volume of personal information on hand, organizations inherently increase their compliance burden—and create a need to deploy controls to protect that information. By considering a de-identification strategy, organizations can assess whether it’s possible to continue to execute on their strategic priorities without driving up compliance efforts with an ever-increasing pool of data.
Step 3: Reconfigure your long-term resources and operating model
Now that you’ve revamped your privacy strategy, your executive team must determine which skills your privacy team will need to accomplish your organization’s goals and how to derive the most value from your staff. Here are three models from which to choose.
Full in-house model (highest headcount). In this model, your company gives a high priority to privacy, decides it’s a core competency and staffs the privacy team with long-term employees.
In-house and consultant model (middle headcount). Some companies may want to quickly put privacy protections in place for multiple brands and lines of business while containing headcount costs. Rather than spend time on finding and training qualified personnel (who are in short supply), you may hire consultants to augment your core privacy team.
Tech-enabled, managed service model (lowest headcount). A surge of private investment in privacy technologies and the emergence of global privacy managed-services offerings have created a third path for companies. Using this model can improve your compliance, help reduce your costs and free your privacy staff to focus on strategy.
Much of this content was originally published by PwC US. Find the original article here.
1 “The 2021 global privacy regulation wave,” Jay Cline, LinkedIn Pulse, November 30, 2020, https://www.linkedin.com/pulse/2021-global-privacy-regulation-wave-jay-cline/.
2 “How much does GDPR compliance cost in 2021?,” Luke Irwin, IT Governance European Blog, June 10, 2021, https://www.itgovernance.eu/blog/en/how-much-does-gdpr-compliance-cost-in-2020.
Related content
Contact us
National Data Trust & Privacy Practice Leader, PwC Canada
Tel: +1 416 869 2384
Managing Director, Cybersecurity & Privacy, PwC Canada
Tel: +1 416 815 5108
Follow PwC Canada
