This post relates to Cooley's US Privacy Compliance Journey, a webinar series presenting a holistic roadmap to compliance with a new generation of US privacy laws that start to take effect on January 1, 2023, including the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act. The series highlights the steps that businesses should be taking during each quarter of 2022 to stay on pace and complete compliance efforts by the deadline. Sessions will occur on a quarterly basis throughout 2022.
With the passage of new state privacy laws slated to take effect in 2023, organizations are increasingly focused on identifying the steps necessary to comply with them. One of the first key steps in the compliance journey is to gain a clear understanding of the current and near-term state of the organization's data collection, use and transfer. This is done by performing the due diligence and data mapping needed to identify the organization's data flows and practices. The exercise is also an opportunity to identify compliance gaps under the new laws and to keep the compliance program in step with the business: by identifying likely near- and medium-term changes to how the business collects, uses and transfers personal data, the organization can build those future data flows into the solutions it is developing now, rather than remapping after the fact.
Data mapping is not a one-size-fits-all exercise but rather something that needs to be tailored to a company’s size, scope of data collections, sophistication, resources and various other factors. With that in mind, we recommend that organizations begin the process by developing a strategic plan to appropriately approach the scope and timeline for the diligence phase in order to optimize resource use, including time. We work closely with clients on developing these strategic plans for diligence and have outlined some key considerations below.
Overall scope and purpose of the data mapping
An important first step is reaching consensus on the intended use and scope of the data maps themselves. In some cases, the maps may be intended to address only a specific state or state law; however, many organizations use the opportunity to inform a broader view of their data processing activities, including by updating existing data maps or records of processing activities created during the organization's EU/UK General Data Protection Regulation (GDPR) compliance efforts. Additionally, when scoping the data mapping and allocating resources to it, organizations should consider its ancillary benefits. For example, identifying the key vendors that process personal data and the systems where sensitive data is stored also strengthens the company's cybersecurity preparedness, since both are inputs to incident response planning and vendor risk management.
Level of detail included in the data mapping
Once the overall scope and purpose of the data mapping are determined, organizations should next decide how detailed the data maps should be in light of the intended goals. The key consideration is making efficient use of resources relative to the overall data mapping objective. Options range from limiting the maps to key personnel, databases, providers and data flows within a particular region, to expanding them to cover a broader geographical footprint or additional ancillary data flows.
Mechanics of the data mapping
After settling on the desired scope and level of detail, the organization should decide how best to collect the necessary information from stakeholders to complete the data maps. As with the previous considerations, the method of collection can be tailored to the resources and needs of the organization. In many cases, an organization may choose to build on artifacts compiled through previous compliance efforts, such as existing records of processing activities prepared for GDPR compliance, data maps prepared for California Consumer Privacy Act (CCPA) compliance, or more general system or asset inventories maintained by the organization's information technology or information security teams.
To collect the necessary information for these maps, we generally suggest that organizations start by identifying the key internal resources (e.g., operations, IT, sales and marketing teams) and external resources (e.g., important service providers and vendors) that will need to provide information. Once those resources are identified, consider the best method for gathering the information. For small organizations, this may be as simple as holding in-person meetings and compiling the results in shared documents; for large organizations, it may be more practical to use project management tools and to retain outside consultants who collect the information through interviews or written questionnaires.
Once the data mapping is complete, organizations should focus on assessing and identifying the key compliance gaps to address. Because many organizations lack the resources to address all identified gaps concurrently, it can be helpful to prioritize the higher-risk and more externally facing requirements first. The main areas most organizations focus on include assessing:
- Whether and to what extent gaps may be addressed by modifying existing practices or data flows
- Necessary additions or updates to privacy policies or statements
- Updates to website content to address “do not sell” and “do not share” requirements (which may include implementing a cookie management platform)
- Revisions to commercial contracts to incorporate required statutory language and data use and sharing restrictions, where appropriate (especially those with key partners and vendors)
- Reviews and updates to the organization’s policies and procedures for receiving and responding to consumer requests
An important element of the gap analysis is structuring it so that the analysis and its output are protected by legal privilege. We work closely with clients on these issues, because a gap analysis that is not conducted in a manner that preserves privilege may later have to be disclosed, for example in litigation or a regulatory investigation.
Once the higher-priority items are complete, consider addressing additional obligations such as:
- Preparing or updating data retention policies and procedures
- Updating lower priority vendor/partner agreements
- Performing internal risk assessments
- Optimizing or automating policies and procedures for receiving and responding to consumer requests
- Conducting employee privacy and security training
- Reviewing and updating security measures (technical, administrative and physical)
- Preparing or updating formalized written information security policies
- Preparing or updating the incident response plan and procedures