GDPR, CCPA, and Data Compliance Best Practices for Accounting Marketers
Mark Hinely, KirkpatrickPrice
If you are vaguely familiar with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and similar data privacy concepts, then you may also be precisely confused about where to start and how to become compliant. To make things more challenging, according to the European Union, direct marketing activities have generated the most GDPR complaints of any data privacy issue. We want to give you three steps to facilitate data privacy when it comes to marketing. First, know thyself – conduct internal evaluations of your data privacy obligations. Second, create an internal privacy framework as a roadmap to compliance. Third, create, improve, and maintain data flexibility.
Organizations that perform data mapping exercises are in a better compliance position. Data mapping is the process of drawing a “picture” of an organizations personal data elements, uses, sources, and disclosures. For example, to understand your data privacy situation, ask yourself:
- What data do you have?
- Certain data elements, such as names and email addresses, create less compliance risk while other elements such as photographs and identification numbers (such as Social Security Numbers) create much greater risk and therefore require greater protection.
- Where does that data come from and where does the data go?
- Whether you’re collecting data directly from consumers or third parties, or if you’re sharing data with third parties, there are privacy requirements that you must meet.
- Do you need all that data you are currently receiving?
- If you are requesting certain personal data that you don’t need for marketing purposes, then you need to reduce your request for information.
Knowing yourself by conducting data mapping exercises is helpful for at least two reasons, including:
- First, you need to ensure that your compliance measures are proportional to the compliance risk, and you can only do that if you know exactly what your data privacy posture looks like.
- Second, you need to know precisely what personal data:
- may be deleted,
- requires certain breach notification,
- requires consent for use, and
- may not be shared with certain third parties.
Create Internal Framework for Privacy
Privacy requirements are confusing and diverse, so creating an internal framework reduces confusion and creates consistency. The framework should include privacy principles that apply across multiple privacy laws and incorporate good business practices. Here are 6 elements for an effective internal privacy framework:
- Notice and Disclosures: GDPR and CCPA require organizations to notify consumers about what personal information they collect, when and how that collection occurs, how the organization will use personal information, and any third parties with which the organization shares personal data. Corporate privacy policies posted to an easily-accessible location on your website (i.e. less than two clicks from the home page) serve as the most common and effective method of consumer notice.
- Breach Notification: If your organization experiences a breach, you must generally notify certain government authorities and affected individuals about certain aspects of the breach within a certain time period.
- Permissible Purpose: GDPR requires organizations to have a valid legal basis for using personal data in marketing, and CCPA prohibits selling personal data without consent. If you buy or get leads, ensure that your source had legal basis (such as consent or contract) to obtain and share that personal information with you.
- Risk: Organizations should identify and mitigate information security risks, but sometimes there is tension between privacy and information security risks. For example, unauthorized access to personal data is an information security risk, but an inability for a consumer to access their data is a privacy risk. Sometimes a privacy risk has no security risk at all – sending marketing communication to a person who has opted out of a marketing campaign is a significant privacy risk but has no impact on information security. Other privacy risks include disclosing personal data to the wrong consumer, sharing incorrect data with third parties, and using personal data to discriminate or embarrass a consumer.
- Designated Responsibilities: Data privacy compliance works best when organizations create specifically assigned roles and responsibilities. GDPR requires most organizations to appoint a data protection officer (DPO), but even if you aren’t required to designate a DPO, there is value in having an individual or team responsible for monitoring consumer rights, disclosures, risk, data retention, and vendor management. Some organizations take data privacy responsibilities one step further and create “data owners” in each functional area of the business (such as marketing, human resources, and product development) to oversee access, use, and disclosure of personal information.
- Vendor Management: GDPR and CCPA both impose restrictions on sharing information with third parties, even third parties performing normal and crucial business services like data analytics and data storage. So, your organization should perform thorough due diligence on vendors before sharing personal information by doing things like obtaining third party audit reports from the vendor, reviewing vendor policies and procedures, and requiring the vendor to fill out questionnaires. Your organization should also execute vendor contracts that place the same expectations of privacy on the vendor that are placed on your own organization.
Create, Improve, and Maintain Data Flexibility
- GDPR and CCPA requirements and trends in data privacy business practices indicate that products, services, and software applications that can easily and automatically delete, provide access to, correct, update, and temporarily quarantine personal data in the easiest, quickest possible manner will not only be more compliant but will also create a business advantage since regulators and consumers want to shift the control over data from businesses back to the consumers. Specifically for marketing, the ability to automatically opt out of direct marketing campaigns is the most straightforward – and most complained about – data privacy right, so companies and marketing departments should create the simplest direct marketing opt-out methods possible.