(US & Canada) | If You Don't Know Your Data Security You Won’t Realize the Risks — RSM US LLP Privacy Manager

Allison Gay, Privacy Manager, RSM US LLP, speaks with Mark Johnson, Regional VP, New Era Technology US and Editorial Board Chair, CDO Magazine, in a video interview, about the nuances of AI governance, approaching data breaches, emerging privacy law trends, and takeaways for non-tech leaders.

Speaking on the nuances of AI governance, Gay underscores the necessity of adapting existing governance frameworks. She emphasizes the importance of recognizing that while leveraging existing governance is beneficial, modifications are essential to align with the unique requirements of AI development and usage.

Gay elaborates that the process of adapting them for AI involves a comprehensive examination of the current governance landscape and strategizing ways to integrate AI-specific considerations into the framework effectively. Moreover, she advocates for the automation of privacy governance processes, highlighting its significance in expediting product development and ensuring compliance with regulatory requirements.

By automating these processes, organizations can streamline their workflow and minimize the risks around handling personal data.

Further, Gay encourages organizations to automate privacy governance which can enable engineering changes to the product faster. She says that a lot of organizations approach governance as an afterthought making things difficult, especially with the chances of AI being trained on personal data without governance.

When asked about the steps to take to address data breach incidents, Gay emphasizes the crucial need for understanding the definition of a breach, as it can vary depending on industry and location. With breach notification laws differing across states and countries, organizations must have a clear incident response plan tailored to their specific circumstances. She also stresses forming a cross-functional team comprising security, privacy, and legal representatives to ensure comprehensive preparation.

In a similar vein, Gay recommends having regular exercises, ideally conducted annually or following significant organizational changes like a new Chief Information Security Officer (CISO), to refine response strategies. Additionally, employing specialized tools can streamline breach notification processes and incident data management, eliminating guesswork and ensuring compliance with relevant regulations.

Gay also underscores the importance of encryption, particularly for sensitive personal data, as failure to encrypt could expose organizations to legal liabilities, such as private right of action in states like California.

Speaking further on regulations, Gay notes that a key trend in privacy law is the increasing focus on enforcement. While GDPR has seen some enforcement actions, this trend is expected to intensify with the implementation of laws like the CCPA and similar legislation in other states.

Additionally, countries like China are in the process of establishing guidelines, particularly concerning cross-border data transfers, suggesting a forthcoming surge in enforcement globally. Gay anticipates this trend to escalate in 2024 and further expand in 2025 and 2026.

In conclusion, Gay nudges non-technical C-suite executives to ask whether they have data inventories and data mapping in place. Without this understanding, it is impossible to grasp the associated risks. She says that executives need to know where their data resides, how it is utilized, its security measures, and the technology involved in its transfer.

Additionally, they should be aware of internal and external data-sharing practices. Without this knowledge, it's difficult to mitigate or understand risks, let alone ensure compliance with privacy promises outlined in privacy notices.

CDO Magazine appreciates Allison Gay for sharing her insights with our global community.