I had the chance to interview Daniel Barber, CEO and Co-founder of DataGrail. DataGrail is a purpose-built privacy management platform that ensures sustained compliance with the GDPR, CCPA, and forthcoming regulations. Their customers span a variety of industries and include Databricks, Plexus Worldwide, TRI Pointe Homes, Outreach, Intercom, and SaaStr. Daniel and I spoke about the lessons we’ve learned one year on from GDPR and how companies can apply those lessons as they think about CCPA and laws like Nevada’s SB 220.
Prof. Solove: Given it has been one year, what do you think are the biggest learnings from GDPR that companies should take into consideration as they ready themselves for U.S. privacy regulations?
Daniel Barber: We recently conducted a survey of 300 legal and privacy professionals to evaluate the impact of the GDPR on their organizations and understand how they’re preparing for U.S. regulations. Half of all surveyed companies self-reported missing the May 25, 2018 GDPR deadline, and most took seven months or longer to achieve compliance. Over a year later and only months until Nevada’s SB 220 and California’s CCPA deadlines, most privacy professionals have started preparing again but admit their systems won’t scale with new privacy regulations. If we learned anything it’s that a successful privacy management program requires a new approach in both culture and technology, and plenty of lead time to implement both.
Prof. Solove: In your opinion, who needs to be involved in a privacy compliance program from an organization?
Daniel Barber: It’s a good question that I see organizations still trying to figure out. We had an in-house counsel tell us once, “people think privacy is a legal problem, but it’s really everyone’s problem.” So although we talk to legal and security teams daily, we’re being brought in by marketers and operations teams frequently as well. Privacy programs need to encompass a three-pronged people, practices, and platform approach to ensure continuous compliance.
Prof. Solove: Your survey revealed that many organizations are struggling to comply with the GDPR. What are some of the problems?
Daniel Barber: We’ve seen nightmare scenarios where companies are managing privacy management in spreadsheets and manually updating new systems based on word-of-mouth or departmental surveys. Not only is this a tedious job for someone in the organization to own, it’s also risk-prone and unscalable. I think we’ll see more and more organizations turn to technology to reduce risk and allow their employees to refocus on their core business rather than the noise of ever-changing regulations.
Prof. Solove: What’s the number one piece of advice you have for companies readying themselves for CCPA and forthcoming U.S. regulation?
Daniel Barber: Above all, prepare your team for a cultural and technology shift. Privacy is here to stay, and there will be a global standard, similar to what we see with industry standards like ISO or HIPAA for healthcare. Right now we’re seeing regional regulations pop up, but companies who get ahead of the game and prepare now will be in a better position as larger federal and global regulations come onto the scene. Companies that build the foundation now, particularly with scalable systems and processes, will provide trust and transparency for their customers.
Prof. Solove: In your survey, more than half of the respondents said that they had 20 or more people involved in a single data subject request. This is quite stunning. What are the implications of this finding?
Daniel Barber: We must apply more innovation and technology to compliance. There’s an enormous potential for human error in compliance. But compliance doesn’t need to be complex. When founding DataGrail, we aimed to provide a real-time inventory of systems containing personal data, the foundation for a truly effective privacy program. Without an integrated approach, there’s a significant risk of human error. We merge secure identity and privacy management to automate a lot of work that was previously done manually and prone to human error. It really is possible to simplify and automate some of the most challenging aspects of privacy compliance.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts on his LinkedIn blog, which has more than 1 million followers.