Ascent founder and CEO Brian Clark has a hypothetical question he often likes to ask new people when meeting them: If you were given a giant bag of money, what world problem would you solve?
Homelessness, poverty, world hunger — there are ample crises to choose from. But what Brian’s really interested in is your answer to his second question: If that bag of money were then taken away, and you were instead given a giant bag of data, what problem do you solve now and how do you do it?
The implication, of course, is that ultimately the two bags equate to the same thing. They’re both resources. And as technology has revolutionized our ability to capture and analyze huge troves of data, big data has in turn become an increasingly powerful resource and disrupted industry after industry.
And much of that disruption has come at a price.
Facebook, Equifax, Yahoo! — these are just a few of the companies that have suffered massive data breaches over the last handful of years. As companies have collected more and more data, they have not always taken the proper precautions to protect that data. In the terms of our original analogy, if data is money, it’s often left sitting out in the open.
As a result, we have seen a number of large new data privacy regulations come into play recently, with many more on the horizon. Like all things related to big data, these regulations have been extremely hefty, sometimes to the point of seeming overwhelming. But we would argue that they don’t have to feel this way.
In this article, we dig deeper into the rise of data privacy regulation, examining the major new regulations that have recently come into play, the way these regulations are transforming the compliance function, and how RegTech can help transform them from overwhelming obstacles into exciting opportunities.
GDPR: The Game-Changer
The modern age of data privacy regulation was ushered in by four letters: GDPR. The first significant update to Europe’s data protection rules since the 1990s, GDPR (or, the General Data Protection Regulation) serves as both the core of Europe’s digital privacy legislation and as the benchmark the rest of the world began comparing their data privacy policies against.
First introduced in 2012 and then argued over until it was adopted in 2016, GDPR finally came into effect in May of 2018. The regulation was revolutionary for its emphasis on citizens’ rights. It was designed to give EU citizens control over their personal data, as exemplified by the eight rights for individuals within the regulation. These rights include giving EU citizens easier access to the data companies hold about them, laying out fines for the failure to provide it, and requiring companies to receive consent from individuals before collecting their data.
There are many more details to the 99 articles in the regulation, but it’s these individual rights that caught a lot of public attention, both for the burden they placed on companies and the pop-up banners they created on our web browsers.
GDPR came to seem so ubiquitous because its obligations applied not only to companies headquartered in the EU, but to any company gathering the personal data of an EU citizen. In the borderless age of the internet, this more or less meant any company with a website that tracked any information about its visitors.
Of course, the EU wasn’t likely to chase down every mom-and-pop shop around the world that failed to comply with GDPR regulations. But the breadth and depth of the legislation acted as a standard-bearer, telling companies and countries it was time to update data privacy regulation for the twenty-first century. It would only be a matter of time until other countries followed suit.
CCPA: GDPR Hops Across the Pond
That most notably and recently happened in the US with the California Consumer Privacy Act (CCPA). The CCPA, which was just implemented at the beginning of this year, brought similar GDPR-like obligations to the US, including consumer rights related to the disclosure of personal information and requests for personal data.
The CCPA affects a significant number of companies. It applies to businesses that either exceed a gross revenue of $25 million, gain 50% or more of their annual revenue by selling consumers’ personal information, or buy, sell, receive, or share the personal information of 50,000 or more consumers or households.
Like GDPR, the CCPA is similarly focused on consumer rights, including a section known as data subject requests, which grants users the right to access or delete the personal information a company may have about them.
And — just as GDPR acted as the data privacy blueprint for the rest of the world — the CCPA is acting as the blueprint for the rest of the US. A number of other states are quickly catching up:
- Washington State currently has a bill with requirements and fines drawn straight from the CCPA currently working its way through the state senate and house.
- New York, in typical coastal one-upmanship, recently introduced an even more comprehensive bill into its state senate, which disregards the CCPA’s revenue requirement for covered entities.
- Nevada actually implemented privacy legislation a few months before California, but its definition of “sale” resulted in a law that was narrower and more lenient on financial institutions.
The Changing Role of the Compliance Officer
The above litany of legislation, without any guiding federal framework, is a significant challenge for companies, especially those transacting business across the country. This patchwork of regulation means that, for simplicity’s sake, companies often have to comply with the strictest requirements of any one regulation, even if it doesn’t necessarily apply in all the states where they are doing business. That is, of course, assuming companies and Compliance Officers can keep up to date on the waves of new regulation constantly being released and updated.
But in another light, these new data privacy regulations actually represent an opportunity for Compliance Officers.
These regulations could help raise the visibility of the compliance role at companies, especially those that might have dismissed data privacy as not relevant to their day-to-day. That’s because compliantly following these privacy regulations is going to require companies to make real changes in their policies and procedures and in their corporate culture — all of which are crucial aspects of the compliance role.
As companies update and overhaul internal procedures accordingly, Compliance teams will need to play an integral role in developing business processes to ensure that personal data is being managed compliantly.
But for Compliance teams to do that, they will somehow need to keep current with the massive amount of new regulations being rolled out and find a way to quickly and concisely understand how those regulations relate to their policies and procedures. Between the hefty laws already in place and the long list of those in process, this can seem like an insurmountable task.
Technology, though, provides a path forward.
RegTech Offers the Key to Data Privacy Regulation
RegTech (Regulatory Technology) is an emerging industry of companies leveraging machine learning, natural language processing, blockchain, AI, and other technologies to solve the challenges of regulatory compliance. These technologies offer a way to leverage the big data of regulatory compliance to help solve the problems of data privacy regulation.
In a recent case study, one global Top 50 bank tried to identify its obligations under GDPR within one of its business units. The bank had a lack of clarity around which aspects of GDPR it was required to follow, and it attempted to solve this problem via a traditional solution: hiring a consulting firm.
The consulting firm, though, proved expensive and inaccurate. The firm missed a number of obligations and the bank was forced to hire a second consulting firm to correct those initial mistakes — adding duplicative costs. It was in the midst of this frustrating process — causing costly mistakes and creating continued regulatory uncertainty — that the bank decided to try a different approach.
The bank partnered with Ascent, an AI-powered compliance automation solution. At Ascent, our proprietary RegulationAI™ technology generates the obligations that apply to our customers, helping banks and other financial firms reduce risk and gain confidence in their compliance programs.
RegulationAI™ was able to generate a complete obligations register in mere minutes and at a 99% cost savings. This technology — a true innovation in RegTech — leverages machine learning and natural language processing to ingest hundreds of regulations and then rapidly determine which obligations apply to your business — with zero manual effort from you.
Rather than the time-consuming, expensive, and inaccurate results it had received before, the bank now had all its obligations in an easy-to-read digital format, produced with significantly lower risk of human error.
Secure Your Obligations with Ascent
The complexity of data privacy regulation is likely only going to increase in the future. But you don’t have to drown in regulation. Ascent can help you leverage technology to make this fast-paced world of digital disruption work for you.