The Manufacturer’s Guide to Maturing Your Privacy and Data Protection Program


For manufacturers, a robust privacy and data protection program has transitioned from being optional to being essential.

There are currently 19 states that have enacted data privacy and data security laws, many of which are likely to impact manufacturers. Several other states have not yet passed or enacted comprehensive privacy laws but have narrower legislation in effect, while still others are introducing and evaluating new privacy laws altogether.

In a rapidly changing and complex privacy landscape, manufacturers must establish a compliance infrastructure and associated processes to contend with individual state intricacies and data privacy regulations. We find that many manufacturers have established Data Protection Governance Committees that bring together a multi-disciplinary team to ensure that the business stays current on this ever-changing regulatory landscape.

In Part I of our checklist, we discussed how manufacturers should approach developing a strong foundation for their privacy compliance programs. Once these steps are complete, manufacturers can shift gears to focus on maturing their programs, which is outlined in Part II of our checklist.


Maturing the Program

  • Does your company obtain consent to process sensitive data? Consent is permission from individuals to process their data. Most U.S. state laws require some form of consent to process sensitive data. California, for example, gives individuals the right to request that a business limit the use or disclosure of their personal data. It’s also important to consider that many states define sensitive personal data differently.
  • Does your company have a process to conduct Privacy Impact Assessments (PIAs)? PIAs are an analysis of how your company handles personal data and can help identify and address potential privacy risks associated with projects, systems, and processes. PIAs should ask users about the project definition, the types of data that will be collected, where data will flow, and how data will be used. During the assessment, the privacy team should evaluate whether data collection and use is proportionate and define risk mitigation strategies. If the team determines that sensitive data will be collected, a Data Protection Impact Assessment (DPIA) may be required, particularly in regions outside of the U.S., and it could be necessary for the Data Protection Officer (DPO) to review and sign off on the DPIA to comply with regulations.
  • Does your Privacy team work closely with the Digital Marketing and Advertising teams? Collaboration between the privacy team and the digital marketing and advertising teams allows for effective implementation and monitoring of Privacy Impact Assessments and the development of data governance frameworks that mitigate privacy risks. Marketing and advertising, now more than ever, involve the collection and processing of personal data, and given the preponderance of U.S. laws that require consent for cookies and tracking technologies, it is critical for the privacy team to work with the digital teams.
  • Do you have a defined consumer request and monitoring process? Prior to 2018, it was an uncommon practice to respond to data subject requests. Companies in Europe established early processes to comply with local laws, but until the EU’s enforcement of the General Data Protection Regulation (GDPR) began, companies addressed these requests on an ad hoc basis. Now, many companies, including manufacturers, maintain Privacy Business Process Outsourcing (BPO) and privacy contact centers to monitor and manage data subject requests. Manufacturers should consider taking the following steps regarding data subject requests:
    • Monitor changes in regulations for consumer requests
    • Audit request types to identify gaps
    • Designate contact and escalation points
    • Standardize consumer request processes and workflows
    • Define submission methods for consumer requests
    • Implement strong identity authentication
    • Review response templates to match the current environment
    • Review timelines and data outputs
    • Evaluate response data portability formats
    • Define an appeals process
    • Update training to meet regulatory needs
  • Are you conducting PIAs on AI systems? Businesses, particularly manufacturers, are capitalizing on AI systems to streamline operations and minimize human error. However, it is equally imperative for them to employ Privacy Impact Assessments (PIAs) to ensure robust protection and management of personal data from the very inception of any project. By mandating AI systems to undergo PIAs prior to their design, businesses can systematically evaluate privacy risks and devise mitigative measures throughout the entire lifecycle of the AI models and systems.
  • Have you implemented a yearly privacy training refresher? Offering a yearly refresher course through a learning management system (LMS) can benefit the organization by keeping employees up to date on privacy best practices.
  • Does your company conduct data transfer impact assessments (DTIAs)? DTIAs are vehicles for evaluating the risks and compliance requirements associated with transferring data between companies, making them critical for manufacturers that have global operations or share data across borders. DTIAs can also enhance consumer and employee trust, particularly as regulators continue to scrutinize data-sharing practices, by demonstrating a commitment to protecting personal data.


Moving Forward on Maturity

This checklist can act as a guide for manufacturers seeking to uplevel their existing privacy and data protection programs. But privacy leaders should remember that these programs are never complete and are always evolving as regulations change and implementation deadlines arrive. For that reason, manufacturers must continually reassess their programs to ensure they remain appropriate for their business needs and meet the regulatory standards of the states and jurisdictions in which they operate.

In our next checklist, Optimizing the Program, we’ll provide actionable steps to help manufacturers unlock the full potential of their privacy and data protection programs, including tactics like leveraging automation, adopting AI, and assessing the risks associated with marketing technology.


Written by Bill Pellino and Karen Schuler. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com
