How the future of data privacy regulation is spurring change
- by 7wData
CISO Robb Reck is working against the clock.
As security leader at Ping Identity, a Denver-headquartered software company, Reck oversees the company's efforts to comply with the California Consumer Privacy Act (CCPA) before the mandate's Jan. 1 deadline.
Reck, however, has done a lot of the heavy lifting already. He brought his company into compliance with the European Union's GDPR, which took effect in 2018.
"The process for achieving GDPR compliance was challenging and valuable. It brought activities into security purview that hadn't been before, including things like marketing data flows, lead generation and details on contractual agreements for conference sponsorships," Reck said.
The laws have prompted other more far-reaching changes within Ping, too, Reck added.
"The rise of privacy regulations has had a big impact on Ping Identity's [governance, risk and compliance] activities," he explained. "These changes drove us to formalize our own privacy program, dedicate ongoing resources to that program and embed privacy into numerous key data flows throughout the company."
GDPR, CCPA and the growing list of similar regulations have many companies scrambling to meet the future of data privacy and security obligations outlined by these laws.
Some companies, however, are going further. They use these laws as a foundation to build or strengthen data governance programs that inspire trust among customers who are increasingly concerned about how their data is being handled. In fact, compliance experts credit GDPR and other emerging rules with having a strong influence on data governance, risk and compliance programs at a number of organizations.
"These laws are forcing companies -- particularly companies that handle a lot of data or have revenue streams from customer data -- to look at the data they have, how they're storing it and how they're processing it. That's good for the companies, and that's good for consumers," said Heather Engel, founder and managing partner of Strategic Cyber Partners.
Both GDPR and CCPA seek to rein in what companies can and cannot do with personal information. They are the start of what many experts expect will be an onslaught of regulations that will define the future of data privacy and security standards for organizations across industries.
Most organizations find it challenging to meet existing requirements -- let alone future ones that could be even more stringent. A recent survey from the International Association of Privacy Professionals (IAPP) and EY found that most organizations do not currently meet all their legal data privacy requirements.
The "IAPP-EY Annual Privacy Governance Report 2019," released in September, found that, of the 370 privacy professionals surveyed whose organizations fall under GDPR jurisdiction, only 9% said they are fully compliant with the law. Some 36% said they're very compliant, 42% moderately compliant and 12% somewhat compliant. Only 1% said they are not compliant at all.
Engel and other privacy experts said many organizations aim to meet only the minimum standards. Organizations see data privacy and security as a check-the-box-type exercise rather than a chance to establish a comprehensive data governance program, she said.