Zeke Testa, Sr. Director at CYTRIO
With my background, I have had many conversations with companies that have yet to have, or do not believe they have had, a cybersecurity incident or breach. In these cases, cybersecurity is not a top priority. Multiple times, I have been told if they see an uptick in suspicious activity, they will reach out for assistance. This is a reactive model – waiting for an incident to happen, which when it inevitably does, not only moves cybersecurity up in the list of priorities, it becomes urgent. The damage, which many times is devasting, has been done and needs to be remedied amidst panic and chaos. I have seen this scenario play out repeatedly.
It is well known that cybersecurity incidents cost businesses big. How big is generally determined by the size of the company and size of the damage, which of course varies. Systems and websites are shut down with no access to data and no way of communicating. Business operations come to a screeching halt. Customers have no way of buying and revenue takes a significant hit for logistical reasons as well as reputationally. In the case of ransomware, companies pay hefty penalties.
Not surprising, how companies are approaching data privacy compliance seems to be following this reactive model. Many organizations have yet to have a Data Subject Access Request (DSAR) from a consumer. They have never had an investigation or notice from the Attorney General. They have yet to receive their first complaint about how they are handling consumer data privacy. We ask companies we interact with daily, and many times are told that if they experience increased activity related to consumer data privacy, they will be in touch.
Limited time and budget are hard realities, but if companies are not prepared for data privacy compliance, the reactive model ends up costing significantly more time and money in the long run – as we have seen in cybersecurity.
30-day right to cure window is coming to an end
Currently under the California Consumer Privacy Act (CCPA), the 30-day right to cure period allows a business to make the required changes to its data privacy policy if the business receives a request from a consumer and is not prepared, avoiding paying a penalty. If you miss that window, then you pay the fine. With the enforcement of the California Privacy Rights Act (CPRA) starting January 1, 2023, the 30-day cure period is being eliminated after an alleged violation under CCPA. There is no more window of time to make any necessary required changes.
In September, when beauty retailer Sephora was notified for violating CCPA, specifically for selling consumers’ personal information (PI) to online tracking companies without telling them, they could not remedy the violations in the 30-day window and was fined $1.2 million. Typical costs for a consent preference banner for a website are $25-$100/month. So even on the high end, the cost is only $1,200/year – significantly less than a fine. Calculating potential lost revenue from consumers who are no longer comfortable with purchasing from the company based on how they have handled consumer data is difficult to figure, but could be significant.
Why avoid data privacy compliance
We get it. Like many regulations, data privacy compliance is complicated and can be confusing. Sometimes, businesses don’t think it even applies to them, yet it does. Many companies do not have dedicated resources internally, so data privacy compliance is often delegated to multiple departments – HR, IT, security, legal, or a combination – which can further complicate getting the job done. Since it’s not one person’s responsibility, it can get overlooked.
Up until this point, many companies have been able to manage with the bare minimum when it comes to data privacy compliance. They don’t believe they have had to worry about it until it becomes an issue. That may have been ok in recent years. The window of time for using the reactive model for your data privacy compliance strategy is closing.
Now is the time to implement a proactive data privacy compliance strategy
As with cybersecurity, being proactive with data privacy compliance can save big time and money. But, where to start?
Because every department touches and has access to consumer and employee data, every department is inherently involved. Data privacy compliance must be ingrained in every company function from sales and marketing to HR and security. And because of this, a mentality shift must occur within every department, starting at the executive level, where data privacy is taken into consideration on an on-going basis, not only when an issue occurs.
This shift from a reactive strategy to proactive strategy saves companies both time and money. Take proactive steps now as multiple data privacy regulations continue to move forward. CYTRIO’s mission is helping businesses to easily be proactive now to save time and money later.
To learn how to get up and running with CYTRIO quickly to start servicing DSAR requests in minutes, visit: https://cytrio.com/product/.