The EU’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The January 1, 2020 deadline for the California Consumer Privacy Act (CCPA) had barely passed when its successor—the California Privacy Rights Act (CPRA)—was signed into law. Data privacy regulations such as these have ushered in a new era in the world of compliance management software, data security, and the rights of individuals with regard to privacy and control of their personal information.
However, GDPR and CCPA/CPRA were only the beginning of a cascade of data privacy regulations that dictate how companies around the world can (and cannot) use their customers’ personal information. With clear mandates to return control of such data to customers—and stiff penalties for not doing so—organizations now have the arduous task of meeting compliance with an ever-growing set of regulations.
First there was the European Union’s GDPR, then Brazil’s LGPD, California’s CCPA and CPRA, Canada’s PIPEDA, India’s DPB—the list can and will go on and on. While each of these regulations originates in its own country, state or province, their reach is truly global: they affect every organization doing any kind of business with citizens in those jurisdictions. Each one, of course, is different in its scope and reach, not to mention the details of what compliance means and the potential penalties for non-compliance. It’s safe to say that no industry is immune or exempt from these mandates, given that every company has customers and therefore customer information stored on their systems.
The larger the enterprise, the larger the compliance target painted on its back, and the more siloed systems from which you have to unearth and correlate customer data to manage that risk and ensure compliance. For these businesses, the ever-changing landscape of data privacy regulations likely means one of three things. Ignoring the mandates will lead to massive fines, and the brand damage and loss of customers could be of even greater magnitude. Manually handling the data subject access requests (DSARs) could cost almost as much—over $1,400 USD per DSAR according to Gartner. Or the organization can embark on a course of endless IT projects to handle each new regulation as it passes—first GDPR compliance software, then CCPA compliance software, then—it doesn’t end. What other options does the enterprise have?
Whether it is GDPR, CCPA, LGPD, or any that have or will follow, there are some key data privacy concepts they all have in common. That is, they guarantee consumers a basic set of rights when it comes to their personal information:
In a nutshell, your organization should take compliance management seriously or it might not stay in business at all. If implementing a new compliance management software project each time a new regulation comes along sounds expensive, non-compliance can be financially disastrous to the enterprise. And it is getting more expensive with each passing year.
Manual DSAR processing—that is, providing a form where customers can fill out a request, then fulfilling it with manual processes—can actually be more expensive. Some of the more involved DSARs are requests for access to whatever data you hold about the customer, for data portability, and for having their data purged. According to Gartner, the average cost of manual DSAR processing is $1,400—even higher for larger companies with customer information scattered across hundreds of applications and databases. Even if you anticipate a relatively low volume of customer requests, the costs can mount up quickly when your customer base is in the tens of millions.
As if the fines and operational costs aren’t enough, there may be even worse consequences that affect the continued viability of the enterprise: broken trust with the customer and the inability to use their data going forward. At a time when data is the new “oil,” with every business striving to differentiate via customer experience—not to mention social media amplifying the voices of your company’s advocates and detractors—this has vast implications that extend well beyond those created by fines or sanctions.
Smaller companies—whose customers number in the hundreds or live in a limited geographical area, and which have only a handful of operational systems and databases—can probably get by with manual DSAR processing on a one-off basis. In today’s global economy, however, customers can be practically anywhere, subjecting the company to multiple data privacy regulations, not to mention the burden of keeping track of the nuances and compliance requirements of every new regulation that comes along.
For larger enterprises, a manual approach simply won’t scale. The core of the problem, though, isn’t the rapid appearance of new regulations. The problem for enterprises is that their customer data is managed by dozens or even hundreds of siloed systems and fragmented across as many data islands. This makes implementing compliance management software that maintains control over all that customer data—and satisfying all the requests for customer consent, portability, purging, and so on—a nightmare for large organizations.
Traditional approaches to fragmented enterprise data have big drawbacks, and that’s before you even consider applying the rules necessary to satisfy data privacy regulations. And still others ultimately require extensive customization.
Regardless of the drawbacks of these different approaches to data privacy management, ignoring the avalanche of regulations isn’t an option. The third approach—implementing data privacy workflow management software—is the most common today. It tries to address data privacy as a people-and-processes problem, but it fails to address the data part of the problem. In other words, these case or workflow management tools only deal with the “front end” of data privacy, leaving the “back end” activities—the hard part—to manual labor. For over 40 years, enterprises have been building and buying software to solve specific problems—so we’ve ended up with hundreds of customer-centric solutions—CRM, customer support, billing, customer feedback, self-service portals, churn prediction, credit scoring, fraud prevention, and on, and on—each with its own customer data. That means that to fulfill a DSAR, you have to touch all of these back-end data sources.
To truly manage the complexity of data privacy and compliance requires a single, up-to-date, and complete view of every customer—regardless of how many siloed applications and databases that data comes from. A compliance management software solution must…
Few would dispute that almost every enterprise around the globe will eventually be touched by at least one data privacy regulation.
For larger, global companies, it is inevitable. None of those companies will suggest that manual workflows and processes can scale to meet the compliance management challenge of even one regulation, much less the avalanche we are already seeing.
The problem is that the sheer number of customer systems and databases, not to mention the massive amount of customer data in those silos, makes accessing, controlling, and updating customer data to comply with the regulations one of the toughest challenges companies will face.
However, we truly believe that compliance management software must solve the data problem underneath. Truly addressing the data problem is the opportunity and the key to a rapid, efficient, scalable, and (yes) end-to-end compliance management software solution.
We invite you to explore the issue—and its solution—on this site.