By David Gorbet
Next year will bring a new data privacy regulation in California, and it’ll pose a big challenge — and a big opportunity — for companies in and outside of the state.
The California Consumer Privacy Act goes into effect Jan. 1. The act, considered the most comprehensive of any state privacy law, provides consumers with new rights, including a right to transparency about data collection, a right to be forgotten and a right to opt out of having their data sold.
Companies impacted include those in the state with more than $25 million in annual revenue, those that derive at least half of their revenue from selling customers’ personal information, or those that buy, sell or share data from at least 50,000 consumers, households or devices.
While final guidelines are yet to be settled, the CCPA is another indication that data privacy and regulations will be more common in 2020 and beyond. The CCPA follows the European Union’s General Data Protection Regulation that went into effect in 2018, affecting 740 million people. According to the Internet Association, a trade association for internet companies that is pushing for more consistent federal regulation, 29 U.S. states have now passed laws related to data privacy.
Embrace to win
Regardless of where they’re based and who they serve, organizations today face a new data privacy landscape. Rather than resist such regulation, those who embrace it will gain a competitive advantage as they’ll actually be able to do more – not less – with their data.
Compliance, whether with CCPA or GDPR, essentially boils down to companies needing a better understanding of the data they hold, why they have it and what they are allowed to do with it. When companies gain this kind of understanding they’ll achieve a better customer experience – more personalized and more enduring based on transparency and trust. This will have a huge upside. Eight in 10 consumers say they’re more likely to do business with a company if it offers personalized experiences, and nine in 10 people find personalization appealing, according to research from marketing firm Epsilon.
So how do companies get started with data management with an eye toward meeting upcoming and future privacy regulation? Here are four key steps:
View data as an asset
The leading enterprises succeeding at addressing regulatory compliance are looking at data as an asset, rather than as a liability to be managed to avoid regulatory fines. These organizations make their data highly accessible, both for analytics that drive strategic business decisions and for creating personalized offerings or experiences for their customers.
To comply with any regulation—and to use data to its full strategic advantage—companies first have to know what data they hold, where it is and who owns it. This is no small task. Data is everywhere in an organization and personal information can be in multiple databases, spreadsheets, and other silos. If companies don’t know where all of their data is, they’ll struggle to adequately address such things as consumer consent. Inventory data to get a handle on what you’ve got. An incremental approach might work best so that the highest-profile data and compliance issues get addressed first.
Use metadata for a 360-degree view of data
The CCPA and GDPR, and regulatory compliance in general, effectively require companies to have a 360-degree view of their data. Achieving such a view means breaking data out of silos and integrating it in a central hub where it can be governed according to consistent policies and accessed appropriately. This governance and management of data depends on being able to manage metadata. For example, if my data includes an email address, I need metadata telling me what consent I have for its use. If it’s consented for billing but not for marketing, my data hub should make it available only for billing use cases and not for marketing. Metadata also enables you to know where data came from, when it arrived, if, how and when it was changed, and who changed it, providing the context necessary for an accurate view. Because use cases, regulations, and policies change frequently, look for a modern data management system that is flexible enough to support your changing regulatory and business requirements.
Centralize data governance policies
It’s difficult to ensure trust and accountability in data when data is sourced from many different silos and applied to many different use cases. However, when governance policies, such as restricted access to personal information, are embedded in a central data hub, they can be applied to any use case, ensuring that the data is always fit for purpose. This allows for more standardized, automated and auditable application of data governance policies, without having to educate everyone in your organization every time a policy changes.
Moving past point solutions
As companies look toward compliance with CCPA, they’ll be tempted to pursue a solution that fits that one regulation. Indeed, many enterprises are addressing CCPA and GDPR as one-off regulations, which creates a siloed approach to any data management strategy. When companies address new regulations in this way, they end up with a privacy silo to meet the needs of that one regulation. As new regulations come along, more silos are created to address them, resulting in a disconnected mess.
Instead, the CCPA and GDPR—and whatever regulation is to come in the years ahead—should encourage organizations to move past ‘point solutions’ for governance and compliance, and integrate data into a single platform to see across all business silos.
This complete view gives the necessary context around data that drives decision-making and personalization for consumers. The smart companies are seeing these regulations not as a tax they have to pay, but as an opportunity to finally build that customer 360 view that can drive their business forward.
David Gorbet is the SVP engineering at MarkLogic.