Why the term "GDPR compliant" can be misleading

A quest for the binary state of compliance may result in wasted money and time

Michelle Maslin


Compliance is not a binary state

Compliance is generally thought of in binary terms, particularly when it comes to privacy. We often hear from clients wanting to be “GDPR compliant,” including their wish to understand how long it will take and how much it will cost. One of the first steps in our discussion with these clients is to consider compliance in a different way: not as a checklist to complete, but rather as a claim made by the business that it can demonstrate evidence of compliance being achieved. I’ll explain more of what I mean below.

Checklists: convenient, but not universal

The appeal of checklists is that they easily offer a finite inventory of what you need to do to accomplish an overall objective. Businesses benefit from the use of checklists all the time (e.g., to set up a website, to hire employees, to provision access, etc.). The difficulty with checklists is that they are ill-equipped to adapt to context and often leave a business concerned with checking the box, rather than understanding how to demonstrate that they have met the requirement. No two businesses will follow the exact same path in their privacy compliance journey, so it stands to reason that checklists in this space will either be too vague or too detailed. Most often we see the former, with a vague checklist intended to apply to as many companies and situations as possible, but lacking any real prescriptive actions.

A great example of this in the data privacy space is privacy policies (as well as notices and statements). Many companies operate under the “checklist” idea that one must exist, and so they ask their legal team to draft one that complies with regulation. However, when it comes to actually describing what the business does and ensuring that the policy truly matches operations, most privacy policies fall short. In fact, in the hundreds of privacy policies our company has reviewed, we have found zero that exactly represent, as of that point in time, the company’s operations in accordance with their respective regulatory requirements. There are many reasons for this, but they all boil down, in our opinion, to compliance versus context. Companies are generally so concerned with complying with the letter of the law that they forget to account for the context of their unique organization and how that might influence how the law should be interpreted or applied.

Furthermore, an organization may make several decisions regarding its individual risk appetite and how much it is willing to do to comply with or exceed a regulation (and some, viewing the risk to be quite small, may forgo compliance with certain regulatory clauses altogether). What your organization views as "GDPR compliant" may be different from another organization's view. So how are we to assess the true meaning of compliance if it is viewed in binary terms but applied in contextual, complex terms?

The proof is in the pudding

We advocate for any organization to approach regulatory requirements from the perspective of demonstrating their belief that their own operations, controls, and policies are effective in accordance with applicable regulation. In essence, this is the argument of complying by “letter of the law” vs. “spirit of the law” with a contextual emphasis. A company may already be practicing good data stewardship, but due to a regulatory compliance “checklist,” that same company may decide to implement new (or even redundant) processes that cost them extra time and money simply to check a box in the name of “letter of the law” compliance that, in the context of their specific operations, wasn’t needed.

For instance, GDPR requires controllers and processors of personal information to maintain a data protection agreement (DPA) that governs the processing and protection of personal information shared between the parties. Clients often lament the time and effort involved in determining a list of vendors to send the addendums to, the potential for vendors to have questionnaire fatigue, and a general lack of awareness of such a requirement. However, these same clients are often already managing a cybersecurity assessment process with their vendors that follows a similar cadence and set of steps to complete. Rather than develop a new distribution list, a new questionnaire/addendum format, and a new process for handling the information, clients can simply insert privacy-based assessment or addendum requirements into a combined privacy/cybersecurity distribution process.

In doing so, the business can leverage an already-managed process and supporting infrastructure, while also consolidating communications with vendors and reducing the amount of back and forth required to address new obligations over time. While the ever-shifting landscape of privacy regulation can feel like a painful guessing game, we consistently find that organizations may already have what they need to address new requirements through a simple pivot or integration of systems and processes, rather than treating each new requirement as a standalone project. Seeing these opportunities begins with assessing new regulations through the lens of your distinct organization and operations. No matter how large or small the change, chances are that there are efficiencies to be gained; you just have to look carefully.

If you’re interested in learning more about our compliance approach or having us assess your organization for readiness with various regulatory challenges, please reach out to Cadence Privacy Consulting and we’ll be happy to work with you!