EPISODE 49: Data privacy continues to be affected by new state, federal and global regulations, which companies will need to navigate in 2021. In this episode of Growthcast, DHG covers key privacy concepts, potentially emerging regulation in 2021 and how to improve your company’s cyber incident management.
[00:00:09] JL: Welcome to today’s edition of DHG’s GrowthCast. I’m your host, John Locke. At DHG, our strength relies on our technical knowledge, our industry intelligence and our future focus. We understand business needs and are laser-focused on company goals. In this ever-changing world, DHG’s GrowthCast provides insights and thought-provoking conversations on topics and trends that address growth opportunities and challenges in the current and future marketplace.
Thanks for joining us as we discuss tomorrow's needs today.
[00:00:42] ANNOUNCER: The views and concepts expressed by today's panelists are their own and not those of Dixon Hughes Goodman LLP. Always consult the advice of your legal and financial professional before taking any action.
[00:00:58] JL: Our topic today is data privacy regulations, and our guest is Tom Tollerton, managing director in DHG’s cyber security practice. Welcome to GrowthCast, Tom.
[00:01:08] TT: Thanks, John. Happy to be here. Thanks for having me.
[00:01:10] JL: Well, listen, what a great topic to start off our new year. One that I think is on everyone’s minds, whoever’s in business and even at home. But this whole topic of data privacy and the regulations around it are just huge in our everyday life. So let’s kind of start at the very beginning here and go with the basics. What is data privacy?
[00:01:34] TT: When we talk about data privacy, we’re taking a little bit different step from data security. We think about data security, which is of course a hot button topic as well. We’re thinking about trying to keep data away from unauthorized viewers, protecting the confidentiality and, to a certain degree, the integrity of that information. When we talk about data privacy, we’re taking a look at how organizations that are supposed to have our information, that we’ve given access to intentionally, are using it, and making sure they’re using it in a way that’s appropriate and frankly, that we as consumers have given them the right to handle.
[00:02:19] JL: When you think about that in the context of the expectations of the consumer, what are they and what are the consumer rights around that?
[00:02:29] TT: Absolutely. It is our information, our health information, our financial records and social demographic information. That’s about us and that’s our information, is the fundamental concept behind privacy. We’re talking about rights. We’re talking about frankly, the right to be left alone and the right to have information taken away from people if we don’t want them to have it, assuming that it follows the right legal recourse. The right to know how our information is used, the right to limit what can be done with information, the right to have it corrected if it’s incorrect, wherever it is, and having a path by which — means by which to do that. It’s respectively giving the right to have visibility and transparency into how their information is used.
[00:03:21] JL: I think this topic has really been around almost since the beginning of the Internet. And we deal with this personally and professionally every day at some level, so why is privacy such a hot topic right now in the industry?
[00:03:37] TT: Well, frankly, it’s a hot button issue because we continue to see violations of consumer privacy and privacy of data. We see the major data breaches of confidentiality, of security breaches if you will. And all along with that go the privacy implications of that. Data breaches are certainly one reason, and we’re starting to see situations where companies aren’t really being — I’ll use the word honest or ethical stewards of our information. The Facebook and Cambridge Analytica scenario of several years ago, where a political analytics company was effectively using information from Facebook that Facebook was giving them without consumer consent, really drew a lot of attention to privacy.
Then we start to think about nation states actually starting to look at our information without our knowledge. The NSA for example has begun really taking deep dives into phone records, frankly without consumer knowledge. There’s facial recognition technology that’s being used in China for social control. Then Chinese companies; Huawei is a great example. There’s a huge scandal right now around whether or not Huawei, a Chinese company, is monitoring US networks, and monitoring consumer activity, monitoring government. Just a ton of different reasons why we need to start paying attention to what information we’re putting out there and how it’s being used.
[00:05:23] JL: Well, it’s interesting to follow the headlines on this and to your point, see the repetitive violations that seem to be made consistently by organizations and nations and things like that. I just don’t know where this is all going to end, but there are consequences for all this, right? What are the consequences associated with all these violations?
[00:05:50] TT: Absolutely. I mean, the sale of our personal information for market research purposes is really starting to frustrate consumers. Obviously when we see that nation states and governments are looking in our information, and apps, and our wearable devices and all of this information that we sort — all these great tools that we’re using are collecting this information. It could potentially be used without our knowledge and against us. It’s really frustrating to consumers.
I think what the outcome is ultimately going to be, and we’ll talk about this here in a second, is really just an increased desire for transparency and introducing regulation that ensures that consumers are protected. How our data is collected and used, bringing transparency into privacy policies and privacy notices, determining who should have access to information, forcing organizations and companies to disclose that to us. Then just bringing additional transparency again to data accuracy, and giving us the ability to make corrections to our information and attend to it as we see fit.
[00:07:07] JL: I’ll tell you, all of us can relate to this whole concept of data accuracy and really trusting the numbers that are being put out. I mean, we’ve just gone through an election and we’ve gone through a lot of data around the COVID-19 crisis. Let’s face it, there’s a crisis of trust out there around some of this and it’s gone to a point where a lot of people are just shutting down and not caring about what they’re hearing, because they don’t trust the data. They think it’s been manipulated. When you think about privacy concerns and what’s going on with the management of this data, how has this impacted the industry right now?
[00:07:55] TT: Well, I mean what we’re seeing are, frankly, states in the US starting to set precedent with their own legislation around data privacy. California, just a couple of years ago, was the first state in the US to issue comprehensive data privacy regulation. There are a couple of other state regulations around biometric information and some cyber security breach notification. But California’s law, the California Consumer Privacy Act, which went into effect actually January of 2020, really set stringent requirements around transparency and disclosure of how information is being used. It has really shaken frankly all industries that are operating in California because it required some transformative action to change websites, change data flows, integrate systems, introduce new processes to give consumers access to their information and correct information if a certain request was made to do so. A lot of different requirements that companies weren’t accustomed to.
We’re starting to see the same thing in other states, frankly. The New York Privacy Act is currently in the New York legislature and they’re considering that. I think it actually takes CCPA to — it takes California law to another level. California has already enhanced their own law, which will go into effect in a couple of years. Washington state is looking at options. There’s sort of this patchwork that’s being built around privacy regulation. What ultimately I think this will lead to, frankly, is federal legislation at some point in the next probably year or two, maybe three. There will be standardized privacy legislation that companies in all industries of all sizes will have to pay attention to and be prepared to address.
[00:09:58] JL: Well, that’s a real interesting challenge I think that we’re facing around managing the expectations around regulation. Because I think we’re moving into a world that is — you look at what’s happened with the regulation just around all the COVID issues and businesses are really getting more and more concerned about being overregulated. I’m just curious, when you think about this regulation coming from the states and then federal, is there anything that businesses should be doing right now to make sure that they’re prepared internally so that they can stay ahead of the regulation and maybe even keep their cost down once the regulation is enacted?
[00:10:47] TT: Yeah, that’s a great question. I mean in these national companies that operate in multiple states, I hope we don’t get to the point where we’ve got a dozen different privacy laws that companies have to deal with and address, each with their little minor differences. Frankly, I don’t like over regulation myself. But in this case, federal regulation that guides, that’s comprehensive, might be advantageous to address the issue. But I mean, companies at this point really need to start understanding what consumer information they have, either as part of their own business operation or as part of being a service provider to another organization. We work with a lot of companies who sometimes don’t have the full picture around exactly what the nature and volume of consumer information is that they’re managing.
That’s always our recommended starting point, is due diligence around mapping out data within your IT infrastructure, within your data flows and data processes to make sure you have an understanding of that. Then assigning responsibility, usually to an IT person or general counsel or security officer to start to consider data privacy concepts, and policies and procedures. And enhance just organizational control for the benefit of the consumer. Those are typically our recommendations for starting points.
[00:12:25] JL: In your world right now, Tom, what do you see in the work with the DHG clients right now? What are some of the major changes that people are making and therefore are seeing some positive outcomes? In other words, they’re investing some time and resources and maybe even outside assistance in doing so. They’re making some changes and then as a result, what’s happening for them? What are you seeing in your world?
[00:12:57] TT: Absolutely. I mean, first, I would say, governance, the implementation of security and privacy governance from the top down is where we’re starting to help clients or where we are helping clients. It’s really beneficial because security or privacy from the bottom of the IT operation, security analyst or privacy analyst can’t drive policy, can’t drive management of privacy practices up. It has to come from Board of Directors, executive levels down. That’s where we see a lot of success.
Then I’d say, if I were to give another example of some success, it’s around vendor or supply chain management. When we look at what data we have in our organizations, very often it’s outsourced in some capacity to a third party. Whether that’s an IT cloud service provider, whether that’s a data processing company, a software as a service company. We have these huge networks of third-party providers who are handling information on our behalf. And we have to get our arms around what they are doing. When we hand them this information, what are they doing to A, comply with regulation but B, also look out for the benefit of our company and of our consumers, our customers. We’re starting to do a lot of vendor management and supply chain management assessments as part of our work with clients.
[00:14:34] JL: Great. Well, I want to just thank you again for all the work that you’re doing to help keep many of our clients safe and provide insight to them for the priorities around all of the issues of data security and data privacy. I know that this is something that we all individually deal with, sometimes when we walk into the office or into our organization. Maybe we don’t give it as much thought, but it’s the era in which we need to be doing that. So thanks for these great reminders, Tom, and for being with us today on GrowthCast.
[00:15:11] TT: Absolutely. Thank you again, John.
End of Interview
[00:15:13] JL: Thank you for joining us today as we discussed the topic of privacy regulation with Tom Tollerton, managing director in DHG’s cyber security practice. We hope that the information Tom shared today will heighten awareness around the priorities and responsibilities associated with protecting and managing data within your organization. I’m your host, John Locke, and I look forward to reconnecting with you soon on an upcoming episode of DHG GrowthCast.