For companies everywhere, Covid-19 has expedited digital transformation at almost unimaginable speed. In an effort to survive and get back to business safely, companies have rapidly adopted services such as contactless payment, click-and-collect applications, and enhanced customer relationship management. These transitions are vital for business to continue, but each also introduces new risks. For every business that shifts operations online, there are potential privacy pitfalls that will prove very damaging if mismanaged, and as new regulations are set to go into force in the United States, the stakes for getting this pivot right are higher than ever before.

Across industries, teams with expertise in real-world spaces are rushing into digital ones where they’re novices and pumping huge amounts of user data into new systems. In the restaurant industry, establishments are scrambling to build new online ordering and delivery infrastructure or to partner with companies who already offer those services. In higher education, institutions faced with missing out on a year’s tuition fees are rapidly migrating their entire curriculum online, and rushing to digitize everything from online teaching to student health records. In the live events space, production veterans are being asked to migrate their well-established processes online and into new cloud technologies. In each case, these changes carry the risk that reams of personal data will be mismanaged and vulnerable to exposure.

 

This situation raises two major challenges for many businesses: First, they need to make quick decisions on procuring new technology: building online storefronts, implementing communications platforms that process customers’ personal data, and more. Second, they lack experience with data processing infrastructure, or even technology in general. That adds up to teams making quick decisions on the use of technology systems they don’t know much about. There might be an understandable temptation to treat privacy concerns as a secondary issue — one that can be addressed after the immediate crisis — but that would be a mistake, and one which would place companies at elevated risk of monetary fines, class-action lawsuits, and PR headaches.

There’s been growing regulatory pressure on both sides of the Atlantic. The General Data Protection Regulation (GDPR) in Europe, which was implemented in May 2018, and the California Consumer Privacy Act (CCPA) in the United States, which becomes enforceable by law on July 1 (impacting any company with a presence in California and over $25 million in annual revenue), contain stringent protocols for the management of user data, and both threaten steep fines for businesses that get data wrong. Particularly in the United States, there’s little reason to think that regulators will meaningfully relax standards because of the pandemic. California Attorney General Xavier Becerra has been unambiguous in his intent to press forward on implementing CCPA, stating: “We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”

The good news is that managing privacy concerns doesn’t have to be yet another daunting task on top of the already Herculean feat of moving large parts of your business online. There are a number of simple, meaningful steps you can take to minimize the risk of a privacy breach. To make your rapid digital transformation as safe as reasonably possible in the coming months, consider implementing these privacy-focused measures. Each can be done independently, but if your business can tick all four of these boxes, you’ll greatly mitigate privacy risk:

1) Be Mindful of How Your Vendors and Partners Use Customer Data

Businesses may be tempted to rush into contracts with third-party vendors who promise “plug-and-play” solutions to a number of digital transformation challenges. And while companies may be aware that they must review any Data Processing Agreements (DPA) during procurement, there is a tendency to underestimate the consequences of skipping this step. Under CCPA and GDPR, a business can be held financially liable for failure to perform due diligence on third parties that process customer data — in fact, this was the scenario that led to Marriott Hotel Group being fined $123 million by ICO in 2019.

Your key focus when reviewing vendor DPAs should be ensuring they’re privacy compliant and that their data policies align with your business’s stated data policies — otherwise a business runs the risk of violating their own privacy policy. Additionally, check the language about subcontractors in any vendor DPA. There should be assurance that vendors won’t subcontract to another processor unless explicitly instructed by your business to do so. This ensures your business is legally protected if a vendor unilaterally offloads data duties to a non-compliant third party.

2)  When Processing Data, Perform Impact Assessments To Monitor Risk

Impact assessments for data processing are required in many cases by GDPR, but not required by the CCPA. However in times of frenetic change, implementing basic risk assessments for data activities — however tedious — forces businesses to think critically before making a potentially damaging decision on issues like data storage, subcontracting, and more. Furthermore, in the event of being charged with a privacy violation, a paper trail demonstrating proactive steps to mitigate risk reads favorably to regulators.

The UK’s Information Commissioner’s Office provides a free data protection impact assessment template that will set your business on the right track to accurately assessing privacy risk, whether you’re based there or not.

3) Strive for Clarity in Your Privacy Policies

As key stakeholders reevaluate privacy policies ahead of CCPA enforcement, consider how the document reads. Your goal is to make this policy accessible to all of your customers — not just those fluent in legalese. You might think you’re covering yourself by including phrases wide open to interpretation to prepare for any future regulatory requirement, but your priority should be to help your increasingly privacy-savvy customers understand your policy and trust your company. Slack’s privacy policy shows that thoroughness doesn’t have to come at the expense of clarity for readers.

4) Designate a Data Protection Officer (DPO)

No matter a business’s size, centralizing responsibility for data decisions is preferable to diffusing responsibility across multiple departments. That is truer than ever during times of rapid change. DPOs serve as a focal point for privacy concerns within an organization and a vital liaison to regulatory bodies while the character of privacy law enforcement remains ambiguous. Even if the person lacks privacy experience, empowering a single set of eyes to focus on privacy is a quick, cost-conscious way to de-risk.

As stated at the outset, managing rapid digital transformation well can require taking risky action. But in the current climate, depending on regulatory largesse is an unnecessary risk for businesses when they can take simple, process-driven steps to shore up privacy.

Data privacy implementation exhibits many features of the economist’s “time inconsistency” dilemma – it’s too soon to do it until it’s too late. And as we’ve seen in the last few weeks, “too late” can mean a serious stumble at a critical business juncture.