The following is a guest article from Mike Anderson, chief technology officer and founder of Tealium.
From virtual assistants to pillows that put the smart home to bed, CES 2018 was yet another showcase of how tech — and data — fuel modern life.
Each day, consumers become more dependent on devices that revolve around data: harnessing it to deliver services, as well as capturing valuable insights companies can use to streamline activity.
But lately there's been increasing recognition that with high data-flow comes responsibility, and legislation is shifting to implement greater governance.
Alongside state-level developments, far-reaching laws such as the General Data Protection Regulation (GDPR) are setting out stricter data privacy and security rules. To meet these new standards, watertight internal policies, disciplined data usage and careful vendor selection will be essential.
So how exactly is the legal landscape changing — and what can companies do to adapt?
The evolving shape of data law
CIOs know there is no comprehensive federal law outlining how data should be gathered, used and stored. Instead, America is divided into a patchwork of state-level legislation, and many pieces of that patchwork are currently being altered.
To add to the confusion, this patchwork is supplemented by governmental agency and industry group guidelines. Although these are self-regulatory "best practices" rather than law, they carry accountability and enforcement elements of their own.
As a result, regulators are increasingly using such recommendations as the yardstick in enforcement actions.
Last year, 21 privacy bills were proposed in 11 states — including Illinois, Washington, Minnesota, Massachusetts and Montana — largely in response to the scrapping of plans for national online privacy rules.
Meanwhile, California continues to be a standout data safety champion. After becoming the first state to enact a security breach notification law back in 2002, it has now seen a proposed ballot measure: the Consumer Privacy Act of 2018. If translated into law, the initiative would require businesses to inform consumers about their data collection and sales activities, and to offer clear opt-in or opt-out choices.
The latest Californian proposal has much in common with data laws that will soon have a significant worldwide impact: the GDPR.
Set to take effect on May 25, 2018, the regulation will be the first single set of rules applying to every organization that processes the personal data of individuals in the EU, regardless of where the organization is based, which means it reaches U.S. and global firms.
Essentially, the key aim of the GDPR is to restore order by creating standards everyone can follow, while giving consumers more control and protection. Its most visible requirement concerns consent. Where a company relies on consent as its legal basis for processing (the regulation also recognizes other bases, such as performance of a contract or legitimate interests), that consent must be freely given, specific, informed and unambiguous, obtained through a plain-language request that explains why the data is needed and how it will be used. "Personal data" here means any information relating to an identified or identifiable individual.
It also enshrines several individual rights, such as the right of access (receiving a copy of the data a company holds), the right to erasure (the "right to be forgotten") and the right to data portability. Moreover, there are further obligations, such as privacy by design and by default, and data minimization.
Failure to comply could see companies faced with substantial fines: up to €10 million ($11 million) or 2% of total annual worldwide turnover, whichever is higher, for lesser infringements, and up to €20 million ($22 million) or 4% of turnover for the most serious ones, such as violating the core processing principles or individuals' rights.
Why the change is good
Initially, the arrival of stringent local and international data regulations might seem negative, particularly with such heavy repercussions for non-adherence. But making the adjustments needed to achieve compliance will actually help companies prosper.
Right now, confidentiality is a major issue — 78% of U.S. internet users worry about privacy and 84% fear data hacks — and, as a result, trust in companies is diminishing. Yet, by driving companies to enhance data security and transparency, these new laws may offer the ideal solution.
In fact, with its emphasis on openly communicating why, how and where data is used, the GDPR could strengthen relationships between companies and consumers.
Furthermore, the process of bringing data processes in line with legislation is also likely to boost efficiency. For instance, to meet GDPR requirements (such as providing or removing information on request) companies will need fast access to every scrap of data they hold on specific individuals.
This means they must get data into optimal shape by bridging the silos created when cross-channel data is stored separately, and centralizing storage, a move with many benefits.
Not only does consolidation support compliance and improve data quality, but it also enables companies to build a complete view of individuals and their journeys that can be used to deliver more relevant marketing experiences. One caveat: a consolidated store is also a more valuable target, so it needs correspondingly strong access controls and monitoring.
How should companies be preparing?
Despite the benefits of updated data legislation, it can't be denied that managing an array of complex state-specific and global laws will be challenging.
For U.S.-based companies, there is consequently only one sustainable approach: raise the internal bar for data security and privacy high enough that it meets or exceeds the strictest of the applicable regulations.
To do so, there are a few vital steps companies must take in addition to consolidating data:
1. Highlight every alteration
Transparency is an essential part of the emerging legislative landscape, so companies must clearly communicate how their procedures have changed to comply with data laws. Externally, privacy notices and digital policies should be updated to reflect the adjustments.
Of course, with the GDPR, companies will also need mechanisms for requesting, recording and demonstrating consent, as well as for issuing fresh requests if they want to use data for a purpose other than the one originally stated.
Internally, it's important to make sure everyone understands the new rules, and works to uphold them. So, providing in-depth training about alterations and what they mean is key, as is offering support.
For instance, companies might set up a dedicated task force to oversee regulation implementation, document data management and monitor security.
Indeed, the GDPR makes appointing a Data Protection Officer (DPO) mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. (The 250-employee threshold that is often cited relates to an exemption from the record-keeping obligations, not to DPO appointment.) The DPO's function is to advise on and monitor compliance, which covers those three objectives.
2. Get to grips with data flow
Keeping a firm grip on data will necessitate a comprehensive understanding of information flow, including where it's stored and deployed, and who has access.
In particular, companies should create a detailed record of the vendors they use and assess their activities to check that they comply with the relevant laws.
After all, the GDPR places obligations on both data controllers (those who determine why and how personal data is processed) and processors (those who handle data on a controller's behalf). A controller may only use processors that provide sufficient guarantees, bound by a written contract, and it remains answerable if a vendor fails to comply with data regulations or to implement adequate security measures.
3. Consider extra precautions
At the heart of most upcoming data legislation, including the GDPR, is protecting the identity of individuals — and to offer maximum assurance that personal information is safe there are several techniques companies can leverage.
For instance, they might use pseudonymization, which replaces the fields in a data record that could identify an individual with artificial identifiers, while the information needed to reverse the substitution (such as a key or lookup table) is kept separately. Pseudonymized data is still personal data under the GDPR, because it can be re-identified with that separately held information, so the technique is a recognized safeguard that reduces risk rather than a way to take data out of scope. Visitor stitching does the complementary job of recognizing that multiple identifiers (a cookie, a device ID, an email address) belong to one individual.
By correctly identifying cross-device users, it bridges the gap between silos and allows data handlers to retrieve every record held on a user, which is exactly what access and erasure requests demand. Because stitching links identifiers that were less revealing on their own, it should itself be covered by the stated purpose and legal basis.
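The pseudonymization and stitching described above, shown as an added example that is not part of the original article. The sample records, field names and function names are constructed for illustration; the point it demonstrates is that a keyed pseudonym (an HMAC under a secret key stored apart from the records) lets the same person be recognized across channels, and lets an access or erasure request be served, without the store ever holding a raw email address or device ID, while an unkeyed hash of such low-entropy values would be trivially reversible by dictionary.

```python
import hashlib
import hmac
import secrets

# Constructed sample events (not from the article). The same person shows up
# under different identifiers on different channels; record 3 is where the
# e-mail address and device ID are observed together.
RAW_RECORDS = [
    {"email": "alice@example.com", "device_id": None, "event": "newsletter_signup"},
    {"email": None, "device_id": "dev-123", "event": "app_open"},
    {"email": "alice@example.com", "device_id": "dev-123", "event": "login"},
    {"email": "bob@example.com", "device_id": "dev-999", "event": "purchase"},
]

# Fields that directly identify a person and must not be stored in the clear.
IDENTIFYING_FIELDS = ("email", "device_id")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, field-scoped pseudonym for one identifier value.

    A keyed HMAC (not a bare hash) is used because e-mail addresses and device
    IDs are low-entropy: an unkeyed SHA-256 could be reversed by hashing a
    dictionary of candidate values. The field name is mixed in so the same
    string used as an e-mail and as a device ID yields different tokens.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return copies of the records with identifying fields replaced by pseudonyms."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if new.get(field) is not None:
                new[field] = pseudonym(key, field, new[field])
        out.append(new)
    return out


def _tokens(rec):
    # Identifier tokens present in one (pseudonymized) record.
    return [f"{f}={rec[f]}" for f in IDENTIFYING_FIELDS if rec.get(f) is not None]


class _DisjointSet:
    """Minimal union-find over identifier tokens."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def stitch(pseudo_records):
    """Link identifier tokens that co-occur in any record into one profile.

    This is visitor stitching performed on pseudonyms: the raw identifiers are
    never needed, because the same person yields the same token under one key.
    """
    dsu = _DisjointSet()
    for rec in pseudo_records:
        toks = _tokens(rec)
        for t in toks:
            dsu.find(t)  # register the token even if it stands alone
        for t in toks[1:]:
            dsu.union(toks[0], t)
    return dsu


def partition_subject(pseudo_records, key: bytes, email: str):
    """Split records into (those belonging to the subject, all others).

    Serves an access request (return the first list) or an erasure request
    (keep only the second list) from a store that holds no raw identifiers:
    the requester's e-mail is pseudonymized under the same key and the stitched
    profile is followed from there. An unknown e-mail simply matches nothing.
    """
    dsu = stitch(pseudo_records)
    root = dsu.find(f"email={pseudonym(key, 'email', email)}")
    mine, others = [], []
    for rec in pseudo_records:
        owner = mine if any(dsu.find(t) == root for t in _tokens(rec)) else others
        owner.append(rec)
    return mine, others


if __name__ == "__main__":
    # The key must live apart from the records (e.g. in a KMS); whoever holds
    # only the records cannot map tokens back to people.
    key = secrets.token_bytes(32)
    store = pseudonymize(RAW_RECORDS, key)
    alice, rest = partition_subject(store, key, "alice@example.com")
    print(f"{len(alice)} records for the subject, {len(rest)} retained after erasure")
```

Two design points are worth noting. The HMAC key is what makes this pseudonymization rather than plain hashing: losing it does not expose anyone, but also makes access and erasure requests impossible to serve, so it belongs under the same key-management discipline as any other secret. And stitching on pseudonyms still builds a profile, so the linked records carry the same obligations as the raw ones did.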
The majority of CIOs likely began their GDPR preparations long ago. But with a few months left on the clock, it's a safe bet many still have a lot of work to do — and with several state-level laws pending, they'll soon be revising policies and procedures once more.
Yet, as convoluted as today's legal landscape might appear, the changes do make sense. Consumers want more control over their information and they want to understand how and why it's used.
By enshrining data clarity and security into law, regulators are putting companies on the path to regaining consumer favor and keeping their businesses alive. Plus, unified data processing will do a lot for experience optimization and targeting too.
Instead of bemoaning the coming slew of bills and protection acts, it's time to embrace them and harness the opportunity they really present for a better age of data management.