Data Privacy Workflow solutions are designed to help enforce regulatory compliance – but they shouldn’t be relied upon to enforce compliance in real time and protect your business from data leakage
In 2020, the right to data privacy continues to be a hotly-debated topic. This was highlighted by the recent launch of the California Consumer Privacy Act (CCPA) in the US, while the General Data Protection Regulation (GDPR) ushered in a new era of data privacy regulation in Europe following its introduction in 2018.
Under both, organizations have had to re-think and re-architect how they manage, store and secure their customers’ personally identifiable information (PII), which includes not only names and contact details but financial and other sensitive information.
This obviously applies to their company websites too – often a gold mine of valuable customer data. Marketers have been forced to re-evaluate their consent capture and tracking methods. This has never been more relevant than now with the introduction of the CCPA – giving consumers the right to request access to their data, request that you delete their data, or ask you not to sell their data.
Why workflow solutions aren’t enough
As a result, many marketers are looking to Privacy Workflow solutions to help manage website visitors’ data preferences. Crucially, this applies to the ecosystem of third parties that organizations rely on to improve the functionality of their websites.
The problem is that when a customer requests to have their data deleted, for example under the CCPA legislation, the organization still needs to send that data out of the control of the website to third parties in order to fulfil this request. From there it is up to each third party to comply with the request as set out by the Privacy Workflow vendor.
Not only are Privacy Workflow providers taking the risk of sending a customer’s PII outside of the website, they are relying on that third party to comply with the request set out by the policies in place, which isn’t guaranteed by any means. If a third party – of which there could be hundreds on one website alone – knowingly or unknowingly fails to comply with the request, it will be your business that will be held accountable for breaking the law.
The fallout from non-compliance
There are several different data privacy risks at play with Privacy Workflows, with the two most serious being the risk of being found to be in breach of regulations and the disastrous consequences of potential data leakage.
GDPR non-compliance could result in penalties of as much as €20 million or four percent of your annual revenue, whichever is greater. With the CCPA legislation, as of January 1, 2020, organizations can now be fined up to $2,500 for each negligent violation and up to $7,500 for each intentional violation. Moreover, individuals can also seek damages of between $100 and $750, and actions can be aggregated into a class action, leaving you open to the possibility of enormous financial penalties.
In addition, the financial fallout in the event of data leakage can be devastating. At a time when incidents of data breaches have reached an all-time high, the average cost of an incident has increased to $3.92 million per breach, with lost business as the biggest contributor. If a third party caused the data breach, the cost increases by more than $370,000 for an adjusted average total cost of $4.29 million.
This is important to note as third parties are increasingly responsible for data breaches – in the US alone, 61 percent of companies have experienced a data breach caused by one of their vendors or third parties. Businesses will also have to deal with reputational damage and loss of customer trust, which can be extremely harmful.
What’s the solution?
As we’ve seen, implementing a workflow solution by itself is not enough to ensure data privacy compliance in line with the CCPA and GDPR legislation. The risks are too great to merely trust that your third-party vendors will comply with your website visitors’ requests and that your customers’ data is safe when it leaves your website. With your business and your reputation on the line, it is up to you to enforce your customers’ consent preferences in real time to be truly compliant.
The good news is that there is a way to enforce consent preferences, eliminating the risk of non-compliance and data leakage through third parties. Ensighten’s MarSec™ platform can activate user requests in real time without taking the risk of PII leaving your company website. The data remains within your DOM and no unauthorized third parties can access sensitive customer data. Most importantly, this prevents unauthorized collection of data.
Moreover, it can be used as a standalone solution or integrated with your existing compliance Privacy Workflow vendor.
Don’t be in the dark when it comes to ensuring your customers’ data privacy. Speak to Ensighten to make sure you don’t get caught out when it comes to compliance.