A CEO of a major company asking for government regulation is not a common occurrence and not something that most of us are accustomed to seeing. So recently when CEOs of more than 50 leading U.S. businesses, including Walmart, Amazon and AT&T, signed a letter to Congress urging the passage of a comprehensive federal data privacy law, it had some thinking: What’s the catch? Don’t most companies do all they can to avoid further regulation or oversight?
Before this letter can be dismissed outright as an attempt by companies to write their own regulations, let’s not forget two significant factors U.S. companies currently face:
- Congress has already drawn the line with data privacy by stating that any federal bill that represents a watered-down version of the California Consumer Protection Act will not pass with the needed votes.
- The majority, if not all, of major U.S.-based companies already must adhere to the very strict regulations found within the General Data Protection Regulation (GDPR). Adhering to data privacy is not something new for U.S. companies.
If the motive of these CEOs isn’t to dilute an imminent state law and data privacy on a large scale is something these companies are already dealing with, then why was the letter necessary? In two words: chaos avoidance. There is a very real possibility that most U.S. states will develop their own data privacy laws, causing chaos that will benefit no one.
As this article regarding different state laws/bills points out, there are 13 different states currently in pursuit of data privacy laws. With amendments ranging from how to deal with automated decision making to the right to portability, each state seemingly is taking a different path to what they consider privacy rights.
Achieving proper data privacy practices at a company is in alignment with a well-run data governance program. The needs for data stewards, access to data, data quality, metadata management, etc., are all similar, but 13 different privacy laws -- and the growing potential for more -- throw a wrench in all of it.
Imagine the complexity (some would say chaos) involved in having customer data from different states and needing to determine which ones need to opt in as opposed to opt out, which ones can’t have automated decision making applied and which ones prohibit the sale of personal information about the consumer to third parties.
Can these things be accomplished technically? Sure, they can. But is it a best practice that most benefits the consumers the laws are trying to protect? Not even close. Data governance, and now the blending of privacy, are tough enough to do right: adding in the additional complexity of different state regulations is risky business.
Hope first, then act
It is often said that hope is not a strategy, but in this case, we need to begin with it. Hope that one fair and strict data privacy law is enacted that covers all the aspects that are important to consumers. Hope that numerous state laws don’t make the prospect of data privacy unattainable.
But beyond hope, there are also actions that can be achieved today:
- Build privacy by design into all processes. Start software development with privacy in mind – not after the fact.
- Ensure that all individuals within a company know their role in keeping customer data secure and safe. It is often the rogue employee that causes companies to be in violation. Think of the numerous times that employees transitioning to a new company potentially bring “their records” with them that include the personal information of customers.
- Treat data privacy as an extension of data governance, not separate. As mentioned, the requirements for proper data governance and privacy are interchangeable -- make the initiatives part of one big umbrella.
We all want (or hope for) data privacy and protection. How we get there via regulation is still an open book in the U.S. Whether we end up with multiple state laws that could potentially cause chaos or one federal law that leads everyone in one cohesive direction will make all the difference in whether the U.S. is successful in securing the data of its residents.
Todd Wright is Head of Data Privacy Solutions at SAS. He is a respected expert on data privacy and management. You’ll find his insights on the topic featured in publications like the Wall Street Journal, InformationWeek, Datanami, insideBIGDATA, Tech Republic and more.