California companies are struggling to prepare for the impending implementation of the California Consumer Privacy Act (CCPA). To address this, new ways of working are needed, says Tom Pendergast of the company MediaPRO.
Such is the extent of the challenge faced by businesses that one survey finds 86 percent of U.S. companies describe CCPA compliance as a “work-in-progress.” Adding to that, MediaPRO’s 2019 “Eye on Privacy Report” found that half of U.S. employees have never even heard of the regulation.
Digital Journal: What is the idea behind the CCPA?
Tom Pendergast: At a glance, the big idea of the CCPA sounds simple: give individuals control over the use and sale of their personal information. The bill acknowledges that times are changing, and that it’s basically impossible to “apply for a job, raise a child, drive a car, or make an appointment” without sharing personal information.
And because technology plays such a big role in daily life, consumers are practically being held hostage by businesses: the self-appointed custodians of their data. In many cases, these businesses don’t always have the best interests of consumers in mind; for example, the bill cites the Cambridge Analytica scandal of March 2018 as a primary factor in motivating the public’s desire for privacy controls and transparency. So the big idea is to put control in the hands of the consumer or data subject.
DJ: What are the main requirements of the CCPA?
Pendergast: There are countless ways that the CCPA will impact a business’s policies and procedures, depending on how well it has already incorporated policies and practices around the handling of personal data. So at a micro-level, the requirements of the CCPA are too many to count and too diverse to accommodate readers from across different industries. However, there are five very clearly stated rights that the CCPA grants to Californian consumers which will guide compliance requirements. In other words, the CCPA’s requirements are to do whatever an organization needs to in order to grant consumers these five rights.
Those rights are, in brief: 1) consumers can know what data is collected about them; 2) consumers can know if their information is being sold, and to whom it’s being sold; 3) consumers can say “no” to sale of their information; 4) consumers can access their data (and amend/delete it, if desired); 5) consumers get equal service and price, even if they exercise their rights. The implications for how a company builds the capacity to respect those rights are pretty huge.
DJ: To what extent is the CCPA based on European GDPR?
Pendergast: I think it’s safe to say that the CCPA is inspired by the GDPR but it might be going too far to say it’s “based” on the GDPR. Consumer rights granted by the CCPA are similar to the GDPR’s rights for EU citizens, but they aren’t copy-pasted from the GDPR’s text.
The CCPA differs in a handful of significant ways. One notable way is that the CCPA doesn’t focus on the “legal basis” for collecting and processing personal data, which is essential to the GDPR. In effect, the CCPA gives affected businesses more authority over why they process data, so long as they do so with consumer rights in mind. But zoom out a level, and I’d say that both the CCPA and the GDPR are motivated by a desire to shift the power dynamic around the control of personal data from corporations back to the individual.
DJ: What are the key challenges businesses face?
Pendergast: It will all depend on the business’s existing maturity around data protection. If they’ve already done all the work to get prepared for the GDPR, for example, then there will be relatively minor improvements or additions to both policy and technology. But if the business is just getting started on solid data protection and handling practices, the lift could be very heavy in terms of changes to internal data handling practices, business policies, etc. A recent report on GDPR showed that smaller businesses have gone out of business rather than taking on the costs of compliance, and I suspect similar things will happen with CCPA.
DJ: What should businesses be doing?
Pendergast: One could write whole books answering this question. It comes down to assessing what it will take to meet the requirements in terms of impact on technology, process, and people, and then building a systematic plan to get into compliance. For many businesses without the expertise to do that assessment, the first thing will be to hire an experienced privacy professional to help them make a game plan.
One element that businesses don’t consider frequently enough is the need to develop an educated population. Starting a privacy awareness program that informs employees about what constitutes personal information, how it should be handled and protected, and what they should do if they suspect there is a privacy incident is an important but often overlooked component of meeting regulatory guidelines.
DJ: Will the CCPA fully address consumer concerns over privacy?
Pendergast: The answer to this question is immensely complex because it ventures into the area of the human psyche, which is about as weirdly complicated a place as we could possibly investigate. First it’s important to consider whether consumers really want their privacy protected. This varies by individual and by what scandal is in the news cycle; regardless, people’s actions don’t seem to follow the assumption that people want privacy (the famous “privacy paradox.”)
For example, in the wake of Facebook’s various scandals and the “delete Facebook” campaign … Facebook’s user base is essentially unchanged (well, Facebook monthly deletes more fake accounts than there are consumers in most countries, but that’s another issue). Basically, people want the benefits that our modern technology provides while still wanting to remain “private.”
Wouldn’t it be nice to eat pizza and fried chicken and tacos and ice cream for every meal and stay at your ideal weight? Get out of here. Consumer concerns about privacy won’t be fixed by CCPA, in fact, most consumers probably won’t even notice it or take advantage of their rights. However, whether or not consumers realize it: they need those rights to protect them from abuse and collateral damage to our society, often without our knowledge.
The CCPA is 100 percent better than what we have now: nothing. The bill is an essential first step towards amending the Wild-West landscape of big data that exploits our personal info all the time and, as we’ve seen, complicates our domestic and international politics. It’s a problem that needs to be solved, and maybe CCPA will get the ball rolling.
DJ: Will there be a US wide roll out of CCPA type legislation?
Pendergast: It’s possible, but most people place the odds of federal privacy legislation getting enacted pretty low in the short term. In February, Congressional House and Senate hearings discussed the subject from various angles. Lawmakers are eager to avoid a “grab bag” of state laws percolating across the country, and such legislation is a mostly-sort-of-probably-bi-partisan issue. However, predicting whether legislation will make it to the president’s desk before the 2020 elections has about as much success as predicting the outcome of the election itself. My opinion is that we’ll be dealing with the multiplication of state laws mimicking the CCPA until after the next presidential election.
4 ways to plan for the post-pandemic normal
When the crisis eases, we will have entered a new digital normal. Your strategies need to reflect this shift: Consider these factors as you plan for the longer term.
When I sat down to write this article, a follow-on to my previous article on common leadership oversights on the path to digital transformation, the coronavirus’s threat to global business had not reached the magnitude that we feel and see today. In a few short weeks, the pandemic has forced a new virtual work reality on businesses and entire operating models have been shifted – and in many cases, upended.
A business environment that is changing so dramatically and rapidly requires speed, innovation on the fly, and the need to scale thinking beyond anything we might have previously imagined. Now is not the time to back-burner digital initiatives but to ramp them up.
When the crisis eases, we will have entered a new digital normal. The strategies we use to run, change, and staff the business will need to reflect this shift. Consider the following factors as you plan for the longer term:
1. The right financials
Any business that isn’t digital by now likely won’t be a business for long. Learning to embrace and adjust is imperative. Continuing – or starting – a digital transformation will be more important than ever, and you’ll need to rethink your business’ capital allocation strategies for digital initiatives and the staffing that supports them.
To figure this out, become best friends with your finance team and think for both the short- and long-term. In the current climate, it can be easy to be either too short-sighted or too far-sighted, but you need to plan for the next week, month, quarter, year, three and five years.
Consider how your company may bounce back from the pandemic when stay-at-home orders are lifted, kids go back to school, and consumers begin to mobilize again: We will have entered an entirely different digital world, with new digital expectations from consumers. Is there potential for a rapid and significant surge, followed by a normalization? Will you be facing a slow rise? Digital transformation funds need to be allocated to react appropriately to these various scenarios; staffing discussions should follow based on these decisions.
2. The right tools
It is likely that at least some of your employees will remain virtual, even when the majority can get back into the office. How will you support them? You may have sacrificed some tools or technologies in your move to quickly get employees out of your building and into their homes; you may have also overpaid for the sake of quick deployment.
You’ll need to rework your strategy for the long term. This could include better or more consistent access to networks and servers, the capacity to host formal business meetings online, new portable equipment, virtual collaboration and communication software, and more.
For many, this will require working with your corporate legal team to change their thinking. Where they may have once been risk-averse for the sake of the business, they will now need to take smart risks, also for the sake of the business. State your case, find common ground, and move forward.
In some particularly dire situations, you may even need to become comfortable with making decisions first and asking for permission later.
3. The right staffing
You’ll need to continue to make smart staffing decisions – quickly. You likely have three types of talent available:
- Employees who are great at running the business
- Employees who are hungry for more
- New talent that may not yet exist in your business but needs to be brought in
Unfortunately, this global crisis may have created gaps in your workforce.
Identify the individuals in the first two groups and work with your talent management team to assess whether you need to advance digital investments previously planned for. Do these individuals have the right type of skills for their teams? Are they collaborative and communicative? IT cannot work in a silo, and team members need to be able to communicate what they are doing and why, and be clear on how their actions are aligned to larger goals.
When you’ve completed this review, identify the additional skills you will need for the future. This might include teams familiar with building out cloud deployments or working with microservices, etc. Push the rest of your leadership team to break through capital allocation constraints to bring in new employees who not only have the right experience but also can quickly teach your existing teams on new tools organically.
4. The right brand permission
As you work through your accelerated digital transformation, you’ll start to think about your business as a truly digital brand. In fact, you might already think so, simply because you’ve been able to get your staff up and running remotely.
But is this the perception all your stakeholders have? According to the Yale School of Management, “Brand permission defines the limits of customers’ willingness to accept a familiar brand name in new marketplace situations.” For example, you can’t simply say, “We are digital now, world!” and expect your market to immediately accept that if you haven’t been digital historically. You need to earn this right.
Brand permission is something you and the rest of the company will need to work on – largely focused on delivering useful and impactful digital products and services – in order to attract the new talent you need. Start thinking about this now.
The global pandemic has thrown us into an entirely new world. Business leaders can no longer rest on their laurels and, certainly, can no longer put off or draw out a digital transformation. Making the right decisions now will help to ensure your business is positioned well when this crisis passes.
As Chief Digital Officer of Agero, Bernie Gracy brings more than 30 years of technology experience helping drive new product/platform introduction, client delivery, and the establishment of new software-enabled business models.
In his role, Gracy is responsible for all aspects of product and technology development, architecture, infrastructure, and innovation for a rapidly evolving ecosystem powered by digital, mobile, the cloud, location-based services, and IoT.
Five key trends shaping the application landscape
According to application services/application delivery company F5 Networks, 98% of organizations depend on applications to run or support their business — hardly surprising considering that most organizations have some version of a digital transformation plan.
In their new 2020 State of Application Services Report, F5 has found that most organizations have entered the second phase of DX, defined as the integration of automated tasks, “and taking advantage of cloud-native infrastructures to scale the process with orchestration.”
As Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5 Networks explains in a blog post about the rise of cloud-native architectures, the average enterprise app portfolio is now at 15% modern, microservices-based applications.
“That’s now more than the stalwart 11% of monolithic / mainframe-hosted applications,” she adds. “Considering reports of extreme backlogs for new applications in every industry, that modern apps have consumed such a significant percentage of the corporate portfolio is nothing short of impressive.”
Based on a global survey of nearly 2,600 senior leaders from various industries, company sizes, and roles, F5’s report outlines five key findings on the trends shaping the application landscape, “and how organizations around the world are transforming to meet the ever-changing demands of the digital economy.”
1. 80% of organizations are executing on digital transformation—with increasing emphasis on accelerating speed to market.
As organizations work to scale their DX efforts via a digital footprint with cloud, automation, and containers, “it is time to manage the application portfolio like the business asset it is.”
“Organizations able to harness the application (and API) data and insights generated will be rewarded with significant business value.”
2. 87% of organizations are multi-cloud and most still struggle with security.
27% of respondents reported that they will have more than half of their applications in the cloud by the end of 2020.
But despite the crucial importance of applications to business strategy, “organizations are much less confident in their ability to withstand an application-layer attack in the public cloud versus in an on-premises data center.”
When F5 asked how organizations decided which cloud is best for their applications, 41% responded that it was on a “case-by-case, per application” basis — an important strategy, given the uniqueness of each application and the purpose it serves for the business.
“It is imperative to have application services that span multiple architectures and multiple infrastructures,” outlines the report, “to ensure consistent (and cost-effective) performance, security, and operability across the application portfolio.”
3. 73% of organizations are automating network operations to boost efficiency.
Process optimization is a key motivation for DX efforts, which makes it unsurprising that most organizations are automating their network operations. The goal? Consistent automation across key pipeline components: app infrastructure, app services, network, and security.
“Despite the fact that network automation continues to rise, we are still a long way from the continuous deployment model necessary for business to really take advantage of digital transformation and expand beyond optimization of processes to competitive advantage in the marketplace.”
Respondents report that the most frequent obstacles to continuous deployment are “a lack of necessary skill sets, challenges integrating toolsets across vendors and devices, and budget for new tools.”
4. 69% of organizations are using 10 or more application services.
With the maturation and scaling of cloud- and container-native application architectures, “more organizations are deploying related app services, such as Ingress control and service discovery, both on premises and in the public cloud.”
Among the most widely deployed application services are those dealing largely with corporate and per-application security. “For the third year running, respondents told us by a wide margin (over 30 percentage points) that the worst thing they could do is deploy an app without security services,” details the report.
5. 63% of organizations still place primary responsibility for app services with IT operations, with more than half moving to DevOps-inspired teams.
“It’s also no surprise to find that as organizations transform from single-function to modern ops-oriented team structures,” adds the report, “responsibility begins to shift from IT operations and NetOps to SecOps and DevOps.”
One reason why? The shift of application services into modern architectures. “DevOps teams are intimately involved with the CI/CD pipeline, which, for cloud- and container-native apps, includes a growing portfolio of application services such as ingress control, service mesh, service discovery, and good old-fashioned load balancing.”
DX Journal covers the impact of digital transformation (DX) initiatives worldwide across multiple industries.
Digitized and digital: Two sides of the digital transformation coin
According to a research brief out of MIT, thriving in the digital age means undergoing two distinct transformations: Digitization, i.e. the incorporation of digital technology into core operations like accounting and invoicing, and becoming digital — “developing a digital platform for the company’s digital offerings.”
While both of these require companies to embrace emerging technologies, these present two distinct challenges, each with a differing set of rules and strategies. As explained by Sara Brown from the MIT Sloan School of Management, “Becoming digitized relies on traditional business methods. Becoming digital requires breaking old rules and embracing new thinking.”
Digitization relies on the company’s operational backbone, which supports core operations — i.e. how a company delivers goods and services, maintains its books of record, and completes essential back office processes, explains the research brief. Traditionally, base technologies for these were ERPs, CRMs, and core banking engines. Today, though, it’s likely software-as-a-service (SaaS).
At the same time, becoming digital means creating a digital platform — “a foundation for a company’s digital offerings and their rapid innovation.” Creating speed and innovation, “this platform, a combination of different software components that can link with partners and connect with customers, enables a company to quickly develop and add new digital offerings, and targets revenue growth,” explains Brown.
When it comes to managing both sides of this digital coin, decision-makers must manage leadership, operational, and cultural differences, Brown says:
Leadership: For digitization, leadership is firmly in place, making clear decisions, outlining processes and standards, and ensuring adoption success.
For a digital platform, however, top-down decision making stands in the way of success. Trusted teams are in the driver’s seat, innovating and implementing new ideas. It’s up to management to define an overall digital vision.
Operational: “Changes to the operational backbone can be planned and evaluated using traditional methods like metrics and customer satisfaction,” writes Brown. On the digital platform side, these methods only result in frustration.
Cultural: Digitization isn’t changing the fundamental place of the operational backbone, MIT’s research found. A digital platform, however, “means radical changes in how decisions are made and work gets done. This can be uncomfortable for people at every level.”
When it comes to actually managing these two different teams, MIT researchers suggest these three actions:
Keep ‘em separated: Simultaneous management of digitization and digital means clearly distinguishing their separate responsibilities, says the research brief. Examples of companies that have taken this approach include Schneider Electric, Royal Philips, and Toyota. In another example, one organization’s operational backbone was managed by the CIO, with a Chief Digital Officer taking the lead on the digital platform.
Funding should also be separate. As the researchers outline, “People responsible for digitization can better pursue operational excellence when the operational backbone receives consistent investment, year after year, at the enterprise level.” Meanwhile, funding for short-term digital innovation “experiments” can be easily upped or decreased, depending on outcomes.
It’s important, however, to keep the overall shared vision in mind, explains tech specialist and Tech Wire Asia editor Soumik Roy, for TechHQ. Leaders might feel that separate teams are a waste of resources, he writes, “because ultimately, the business needs its digital initiatives to converge — like its data, analytics, and platforms.” In reality, separate teams can optimize DX efforts, but only if a shared vision of the organization’s future is kept top of mind: “Each team, working on their own side of improvements, can make contributions that help move closer to the end state. In practice, this is often more productive as well.”
Rule breaking: Inherent in digital innovation is breaking old rules and making new ones, the researchers found — from subverting budget processes to guarantee resources to bypassing CRM approaches, among other challenges.
Rule breaking ends up being manageable because it’s relatively contained to a small team that’s experimenting, though it’s crucial digital teams have sign-off and ongoing support from senior leadership.
New leadership: “Not all people who have successfully led traditional businesses are well-suited to digital business leadership,” says the brief. “The idea of breaking rules to identify what works may feel terribly unnerving for some — even when they have been encouraged to experiment.”
If someone in a leadership position isn’t comfortable with creating new rules, they explain, coaching could be implemented to help guide them in the right direction. Alternatively, there is likely plenty of new talent that is ready to implement a shift.