Privacy implications across the ecosystem

Managing data and maintaining privacy compliance throughout the supply chain

Orson Lucas

Principal, Advisory, Cyber Security Services, KPMG US

+1 704-502-1067

As today’s data ecosystem continues to expand exponentially, organizations have plenty to gain in their pursuit of data-driven business models. With the proliferation of cloud computing and the ubiquity of mobile devices and social media, consumer and employee data are being collected, analyzed and shared at unprecedented levels. And as organizations transform the way they operate by outsourcing to an ever-evolving vendor landscape and collaborating with a much broader set of trusted partners, this movement and manipulation of data only increases in complexity.

At a foundational level, organizations continue to battle with the most fundamental privacy challenges: understanding what data is collected and how it is used, disclosing data management practices, and ensuring that retention meets both legal obligations and business needs. Do you know what data your organization is really processing, let alone what your third-party ecosystem is processing on your behalf?

Organizations are slowly waking up to the fact that this privacy challenge cannot be solved with conventional methods, and that there is a need to fundamentally revisit existing approaches. This change requires not only leveraging new technology, but also cultural and programmatic approaches to data management.

With a backdrop of growing privacy, security and ethical concerns and regulatory scrutiny in the wake of the pandemic, the importance of knowing and understanding your data becomes a central focus. Nowhere does this play out in the privacy arena more clearly than in the area of data subject rights (DSR).

Under a growing number of regulations across the globe (the GDPR in the European Union, the California Consumer Privacy Act in the US, and the LGPD (General Data Protection Law) in Brazil, to name a few), consumers (and in some cases employees) have gained legal rights that give them greater visibility, transparency and control over the data companies have collected or purchased about them.

From a consumer perspective, this has been an incredibly impactful change and has allowed privacy advocates and laypeople alike to make better choices about the companies they interact with and to better control what data the company collects. From a corporate standpoint, though, timely and accurate fulfillment of such rights has proven tremendously difficult, especially at scale. Two factors largely drive this:

  1. Proactively building and maintaining a program and systems to manage personal data across a large, complex ecosystem that encompasses a wide array of partners (including third-party suppliers, governments, research institutes, contractors, etc.) can be difficult. In many industries that have not historically been subject to legal or regulatory drivers that could support a business case to fund such initiatives, limited work has been done to provide sufficient visibility into personal data to support timely data subject right request fulfillment. However, with the continued emergence of privacy and data protection regulations globally, now is an ideal time to ‘bite the bullet’ and build a best-in-class data management and protection program (your future self will thank you!).
  2. Cultural norms (in some cases, enforced by policy) have only exacerbated the problem. For example, in the era of cheap data storage, many companies’ data retention practices still suggest or require that employees retain business records perpetually, regardless of business circumstances. Setting aside legal discovery concerns, the sheer volume of data this approach creates makes building an inventory to support DSR fulfillment next to impossible. Taking the time to consider applicable jurisdictional requirements around retention, and building a retention policy and schedule (enforced through cultural norms), can help organizations tackle this challenge more effectively.

Despite the growing complexity of balancing business imperatives with the need to maintain compliance across an increasing number of markets globally, now is an optimal time to revisit leading practices around data management as a fundamental building block of privacy compliance.