What's next: data privacy trends and insights

Building and sustaining your data privacy program

Orson Lucas

Principal, Advisory, Cyber Security Services, KPMG US

+1 704-502-1067

Steven Stein

Principal, Cyber Security Services, KPMG US

+1 312-665-3181


Video transcript

Hi, I am Orson Lucas and I am one of the leaders of KPMG’s U.S. Privacy team and I’d like to spend some time talking to you about the trends that we’re seeing in Data Privacy.

Over the past few years, there’s been a sea change around data privacy. Globally, GDPR, which is currently in effect, and current and emerging regulations in China, Brazil, India, and Russia all create a global complex landscape for global companies to navigate. Consumer companies with a presence in the United States are further challenged, with the pending implementation of the California Consumer Privacy Act (CCPA), which is effective on January 1st, 2020, as well as other proposed privacy regulations in close to a dozen states. Rather than playing defense and chasing compliance with individual regulations, KPMG works with companies to establish a principles-based, proactive privacy posture that focuses on empowering stakeholders to use data in a way that can be accretive to customer growth and enriches the customer experience.

In our experience, building a privacy program from the ground up, and fine-tuning a program within the diverse and complicated environments in which many of our customers operate, can be a daunting proposition.

It is important to start early and leave ample time to address what are inevitably more complicated issues than anticipated. At the same time, it’s important to start with a solid, practical plan and clearly defined ownership and governance. We recommend organizations focus on five major privacy program capabilities to help streamline and demonstrate compliance, but as importantly, to build a program that is sustainable and agile.

These capabilities include the following:

  • First, start with your “Why.” While compliance may be the immediate burning platform, a check-the-box approach to privacy compliance will dramatically limit adoption and sustainability, and at a minimum will yield limited results and wasted investment.
  • Second, understand how, why, and with whom your organization processes consumer data. At the core of an effective privacy strategy is a clear and sustainable linkage between data usage practices, underlying technology assets, and data associated with those assets.
  • Third, detect data breaches and respond in a timely manner. Companies should focus on early detection of potential breaches, and build and regularly test data breach response plans, providing specificity for internal and external notices.
  • Fourth, allow your consumers to change how you process their data. This is a key point of interaction with consumers, and as a result, is an opportunity to provide transparency and take advantage of an interaction that is accretive to a positive and more engaged customer experience.
  • Finally, evaluate changes to processes, technologies, and regulations for their privacy and security impact. Adaptability is a critical success factor for a privacy program. Programs should be designed around generally accepted privacy principles and cross-referenced to applicable privacy standards and regulations.

If you’ve found these insights helpful, we’d appreciate the opportunity to connect with you and see how we can help your organization mature its data privacy program. Thank you for your time and we look forward to hearing from you.