For manufacturers, a robust privacy and data protection program has transitioned from being optional to being essential.
There are currently 19 states that have enacted data privacy and data security laws, many of which are likely to affect manufacturers. Several other states have not yet passed comprehensive privacy laws but have narrower legislation in effect, while others are still introducing and evaluating new privacy laws.
In a rapidly changing and complex privacy landscape, manufacturers must establish a compliance infrastructure and associated processes to contend with the intricacies of individual state data privacy regulations. We find that many manufacturers have established Data Protection Governance Committees that bring together a multi-disciplinary team to keep the business updated on this ever-changing regulatory landscape.
In Part I of our checklist, we discussed how manufacturers should approach developing a strong foundation for their privacy compliance programs. Once these steps are complete, manufacturers can shift gears to focus on maturing their programs, which is outlined in Part II of our checklist.
Maturing the Program
- Does your company obtain consent to process sensitive data? Consent is permission from individuals to process their data. Most U.S. state laws require some form of consent to process sensitive data. California, for example, gives individuals the right to request that a business limit the use or disclosure of their personal data. It’s also important to consider that many states define sensitive personal data differently.
- Does your company have a process to conduct Privacy Impact Assessments (PIAs)? PIAs are an analysis of how your company handles personal data and can help identify and address potential privacy risks associated with projects, systems, and processes. PIAs should ask users about the project definition, the types of data that will be collected, where data will flow, and how data will be used. During the assessment, the privacy team should evaluate whether data collection and use is proportionate and define risk mitigation strategies. If the team determines that sensitive data will be collected, a Data Protection Impact Assessment (DPIA) may be required, particularly in regions outside of the U.S., and it could be necessary for the Data Protection Officer (DPO) to review and sign off on the DPIA to comply with regulations.
- Does your Privacy team work closely with the Digital Marketing and Advertising teams? Collaboration between the privacy team and the digital marketing and advertising teams allows for effective implementation and monitoring of Privacy Impact Assessments and the development of data governance frameworks that mitigate privacy risks. Marketing and advertising, now more than ever, involve the collection and processing of personal data, and given the number of U.S. laws that require consent for cookies and tracking technologies, it is critical for privacy to work with the digital teams.
- Do you have a defined consumer request and monitoring process? Prior to 2018, it was an uncommon practice to respond to data subject requests. Companies in Europe established early processes to comply with local laws, but until the EU’s enforcement of the General Data Protection Regulation (GDPR) began, companies addressed these requests on an ad hoc basis. Now, many companies, including manufacturers, maintain Privacy Business Process Outsourcing (BPO) and privacy contact centers to monitor and manage data subject requests. Manufacturers should consider taking the following steps regarding data subject requests:
  - Monitor changes in regulations for consumer requests
  - Audit request types to identify gaps
  - Designate contact and escalation points
  - Standardize consumer request processes and workflows
  - Define submission methods for consumer requests
  - Implement strong identity authentication
  - Review response templates to match the current environment
  - Review timelines and data outputs
  - Evaluate response data portability formats
  - Define an appeals process
  - Update training to meet regulatory needs
- Are you conducting PIAs on AI systems? Businesses, particularly manufacturers, are capitalizing on AI systems to streamline operations and minimize human error. However, it is equally imperative for them to employ Privacy Impact Assessments (PIAs) to ensure robust protection and management of personal data from the very inception of any project. By requiring AI systems to undergo PIAs before they are designed, businesses can systematically evaluate privacy risks and devise mitigation measures throughout the entire lifecycle of the AI models and systems.
- Have you implemented a yearly privacy training refresher? Offering a yearly refresher course through a learning management system (LMS) can benefit the organization by keeping employees up to date on privacy best practices.
- Does your company conduct data transfer impact assessments (DTIAs)? DTIAs are vehicles for evaluating the risks and compliance requirements associated with transferring data between companies, making them critical for manufacturers that have global operations or share data across borders. DTIAs can also enhance consumer and employee trust, particularly as regulators continue to scrutinize data-sharing practices, by demonstrating a commitment to protecting personal data.
Moving Forward on Maturity
This checklist can act as a guide for manufacturers seeking to elevate their existing privacy and data protection programs. But privacy leaders should remember that these programs are never complete and are always evolving as regulations change and implementation deadlines arrive. For that reason, manufacturers must continually reassess themselves and their programs to ensure they remain appropriate for their business needs and meet the regulatory standards of the states and jurisdictions in which they operate.
In our next checklist, Optimizing the Program, we’ll provide actionable steps to help manufacturers unlock the full potential of their privacy and data protection programs, including tactics like leveraging automation, adopting AI, and assessing the risks associated with marketing technology.
How BDO Can Help
Interested in improving your privacy compliance program to better fit your business needs? BDO can help.
At BDO, we have deep industry experience and can help manufacturers get their data privacy programs on track no matter what stage they are in: foundational, mature, or optimized.
With a scalable and customized approach, we will work with your organization to assess your current program based on our 12-step modular framework. Our integrated suite of services can help you address every element of privacy, data governance, analytics, crisis management, insurance response, cybersecurity, and risk management, thereby strengthening your company’s compliance posture.
We use Privacy ‘by Design’ and ‘by Default’ and Data Protection ‘by Design’ and ‘by Default’ approaches so that you can feel confident in your organization’s ability to establish — and enhance — your program in a way that protects the integrity of the data you collect now and in the future.