Articles

What Osano does to stay compliant

Written by Matt Davis, CIPM (IAPP) | September 22, 2022

In many ways, we’re fortunate — data privacy compliance is at the heart of our business at Osano. So, when we spend time working on our compliance program, we’re also working on our underlying business to an extent.

But for thousands of other businesses, data privacy compliance is a complicated process that isn’t necessarily an essential part of their operations. And somehow, they have to become compliant without diverting too many resources from their day-to-day operations.

That’s why the Osano team decided to share how we stay in compliance with data privacy laws.

We hold ourselves to a higher standard than is required by law, so most organizations won’t have to completely emulate our own compliance program. But hopefully, our compliance activities can serve to inspire your own at your organization. Let’s jump in.

How we approach data privacy compliance with a given law

Osano is compliant with all of the major data privacy laws, like CPRA, GDPR, PIPEDA, LGPD, PIPL, and more, but let’s say a country establishes a new data privacy regulation tomorrow. If we want to serve that region, we’ll need to both become compliant with the law ourselves and determine the best way to enable our customers to become compliant.

To do that, we would:

  • Research the law
  • Observe the compliance activities of similar businesses in the market
  • Consult with local counsel

It’s important to take a multi-pronged approach to researching a data privacy law. Understanding the letter of the law is a must, but it’s also important to see what data privacy compliance looks like in practice. Thus, the expertise of local legal experts is indispensable. They’ll best understand how the law is interpreted in their local legal system and what the major implications of that law are. We also think it is important to understand how other companies are approaching the regulatory landscape.

Without understanding the law, what it looks like in practice, and the context in which it resides, a business can’t say that it truly understands its compliance requirements.

This helps to inform how we need to approach consent management in that region, what the DSAR process is like if the law has one, contractual adjustments we’ll need to make to serve customers in that region, data governance practices we’ll need to adopt, and how to manage a host of additional compliance needs.

Regular monitoring keeps us in the loop

While initial due diligence into a data privacy regulation is important, it’s even more important to regularly review the data privacy landscape and plan accordingly. Here’s how Catherine Dawson, our General Counsel and Chief Privacy Officer, stays informed.

“I spend about 45 minutes each morning just looking at the landscape to stay abreast of any changes. So, that’s anything that’s in the headlines that day, and if something catches my eye, I’ll look into more,” says Catherine. “I also set aside an afternoon every week to review court cases out of Europe, any decisions or guidance from data protection authorities, and the like. It’s a deeper dive than my daily review.”

“I also have a monthly compliance call with Scott, our CTO, to make sure we’re not collecting personal information in a new and different way. That could be whether there are new cookies on the website to be aware of, or new features that will be rolled out in the app — anything that needs to be accounted for in our RoPA, our privacy policy, or our terms of service. This monthly meeting isn’t a static look back into what we’ve already done, either. We also look ahead to things happening this quarter or this year, things that we need to plan to do a DPIA [data protection impact assessment] around.”

“And then I also have a monthly call with our EU counsel. That’s really just to make sure that nothing’s fallen through the cracks and that we’re staying up to date with the latest privacy news coming out of Europe.”

Why all this review?

Between a daily skim of the news, a weekly deep dive, a monthly report and planning call, and a monthly check-in to Europe, Catherine spends a considerable amount of time staying in the loop with the goings on of the data privacy world.

“The important thing to note,” says Catherine, “is that compliance programs are, by their very nature, constantly evolving. You should be constantly thinking, ‘This would be a good thing to be tracking, are we adding new tools that add PII [personally identifiable information] in a different way,’ and so on.”

Not only are data privacy laws constantly changing, but your business is constantly changing too. Your data privacy compliance program must constantly evolve to keep up. Catherine makes review a significant part of her duties in recognition of this fact.

The specific activities in our data privacy compliance program

That being said, monitoring and review is only useful if it translates into action. Here are some examples of the compliance activities we engage in on a regular basis.

Consent management

Consent management lies at the heart of our platform — naturally, we use it to manage our own website’s consent requirements across jurisdictions.

Our legal and product teams rigorously research consent management requirements for every country with a data privacy law on the books. Some areas require opt-in consent, opt-out consent, specific language, certain links, specific types of consent for special categories of personal information — there’s a huge range of variety in requirements. And these requirements can change, too. That’s part of why we keep a close eye on current events in the data privacy world.

Once we know what a given jurisdiction requires, our product team develops a compliant cookie banner based on the region associated with a website visitor’s IP address, which is automatically displayed using the Osano consent management platform (CMP). Then, based on their consent preferences, our CMP blocks or permits data trackers accordingly. We store consent on Amazon’s Quantum Ledger Database so we can act on a visitor’s consent preferences in the future and demonstrate our compliance should a data protection authority ask for our records.

Naturally, we use the exact same CMP as our customers to manage consent.

Records of Processing Activity

A Record of Processing Activity (or RoPA) is essential for any business aiming to become compliant. In essence, a RoPA is a snapshot of all the data processing activities that take place at your organization. That includes where your data lives, what kind of data is being processed, who is responsible for the data, what it’s being used for, how long it can be retained, and so on.

Strictly speaking, a RoPA is only required by the GDPR. However, it informs all of the compliance requirements that other data privacy laws have. With a RoPA in place, Osano is better positioned to respond to DSARs, self-audit, update our policy documents, and generally be confident that we’re following the law to the best of our ability.

Our RoPA — as any RoPA should be — is a living document. As our data processing activities change, we update it on a regular basis. Even if we’re certain nothing’s changed since our last review, we make sure to still go through the exercise of updating our RoPA since it’s an excellent way to ensure nothing slips through the cracks.

Privacy policy updates and reviews

Because we regularly review data privacy developments both externally (such as legislative updates) and internally (such as data processing activities captured in our RoPA), we know when there’s been a change that requires a revision to our privacy policy

It’s both ethical and compliant to keep the public informed about our data processing activities and their rights in regard to their data. We make sure that information is disclosed to them appropriately in our privacy policy and that any new disclosure requirements are swiftly met.

DSARs

Because we are subject to the GDPR, CPRA, and similar laws requiring DSARs, we ensure our data subjects are informed about and able to exercise their rights. 

While it’s perfectly compliant to handle DSARs through emails and spreadsheets, we use the Osano Subject Rights Management and Data Discovery products to handle DSARs. That means we have a secure messaging portal for data subjects to make their request, which has the added benefit of requiring identity verification and limits requests to those enumerated in the relevant data privacy law. This cuts down on spam and vexatious requests.

Using Osano’s Subject Rights Management and Data Discovery tools also ensures our workflow is consistent and automated. Having recorded where our data lives and how it flows throughout the organization in our RoPA, it’s straightforward to add that information into the Subject Rights Management and Data Discovery tools.

Because of this, we know exactly which data stores to look in when a data subject requests access to their data. Osano automatically informs the relevant data store administrator what actions they need to take and what fields they need to update in order to complete the request. Once the request is completed, we use our secure messaging portal to respond to the data subject with the appropriate information.

Even if a data subject doesn’t live within a jurisdiction with DSAR requirements, we still oblige their requests. There are a few reasons why we honor DSAR requests even though we don’t strictly have to. This way, we:

  • Minimize the risk of erroneously refusing a DSAR in case we mistake the data subject’s geolocation or the law changes
  • Demonstrate the respect we have for all of our customers' (and all people’s) data privacy rights — whether those rights are enumerated in a law or not
  • Simplify our screening process and DSAR workflow

Contractual updates

Because we’re always monitoring the latest developments in data privacy, we’re alert to when we need to make a change in our contract portfolio.

For example, we already had a data privacy addendum (which is incorporated by reference into our Terms of Service) in place in order to comply with the GDPR; when the CCPA and CPRA created new requirements for contractual arrangements with third parties, we were quick to update that document.

This was a relatively simple change to make since the bulk of the addendum applies to all contracts equally. That isn’t always the case when it comes to contractual updates. For instance, we had to reach out to counterparties early and proactively to incorporate the new standard contractual clauses (SCCs).

For context, SCCs are required when importing data out of the EU. The old set of SCCs was declared invalid by the Court of Justice of the European Union (CJEU), and a new set was introduced on June 27th, 2021. Businesses had until December 27th, 2023, to incorporate the new SCCs. These SCCs need to be tailored to the specific relationship a business has with their counterparty, which means a business might need to repaper potentially thousands of individual contracts. 

It’s a good example of why paying attention to data privacy news is so important. Because we knew switching to the new SCCs would be time-consuming, we began updating our contracts as soon as the CJEU made its announcement. 

(By the way, if you’re looking for an easy way to stay informed about data privacy, consider signing up for our newsletter.)

DPIAs

DPIAs, or data privacy impact assessments, help businesses understand the risks that a new project might pose to consumers’ privacy, and they’re required by several data privacy laws.

As we described above, part of Catherine’s (our General Counsel at Osano) regular reviews involve meeting with the product team and our CTO to identify new product features, projects, or initiatives that may involve high-risk data processing or other processing activities that might warrant a DPIA. Then, Catherine uses a modified version of the Information Commissioner's Office’s (ICO’s) questionnaire to determine if a DPIA is necessary.

If a DPIA is necessary, we’ll conduct one and assess the risk that the processing poses. Sometimes, the DPIA indicates the processing doesn’t require any additional changes to the project plan to protect consumers’ data privacy rights. Sometimes, the DPIA does identify areas that pose risk and means of addressing them, in which case we incorporate those takeaways into the project plan and proceed having mitigated the risk. And if a DPIA indicates that there are irreconcilable risks inherent to the proposed processing, we would scrap it.

Why do we do all of this compliance work?

If you’ve made it this far, you’re probably thinking that this is quite a lot of effort. You might even feel a bit intimidated at the prospect of setting up a compliance program at your own company.

Don’t panic. Our business is compliance, so unless you’re also in the compliance industry or are a multinational corporation subject to multiple data privacy regulations, your own compliance program doesn’t have to be as robust as the one we’ve described in this article. In fact, the reason why we do all of this compliance work is so you don’t have to. 

The regular monitoring, consent management, DSAR automation, and the other capabilities in the Osano platform take time to develop, refine, and maintain, but our customers only have to implement them to reduce their overall compliance burden. Schedule a demo and see for yourself.

We also understand if you’re just here to look for more information on what a compliance program looks like. If you’re eager to learn more about how to build a compliance program at a regular company (as opposed to one in the compliance industry), you might benefit from reviewing our webinar “How to build a privacy program.” We hope it helps make data privacy compliance feel a little less intimidating.