Beer and privacy might not seem like natural allies, but at New Belgium Brewing, privacy is the premium brew.
U.S. companies don’t have to be based in California to be subjected to the state’s stringent privacy laws. Certainly that’s true of New Belgium Brewing, which operates in Colorado and North Carolina, but touts national distribution of its beers. Collaboration Business Systems Analyst Tye Eyden spoke to SC Media about ongoing privacy efforts, crediting workflow automation for bringing the company into compliance with the California Privacy Rights Act in just five months.
What kind of challenges do privacy regulations pose for you?
Eyden: It’s always a challenge to try to bridge that gap between what is needed from a compliance standpoint to what technology can do. Or just making sure that you’re ruling out how things need to be configured in a way that can address the compliances. It’s trying to do some initial discovery to understand the requirements. In this case, for us, it was the CCPA, but oftentimes there are other things like HIPAA compliancy or just general legal items that need to be more secure. And then, especially as you’re using automation, you just want to make sure you’re covering all your bases.
That’s sometimes easier said than done. It’s really difficult to keep up with ever-changing privacy legislation and regulations.
Eyden: Yeah, they’re changing all the time. And that’s where we lean heavily on our internal legal counsel to help guide us. Oftentimes they’re the ones who are making notes and discovering when those changes are happening, and then trying to determine how many different arms of the business might have to get involved. Depending on how that solution needs to look, then it could be a pretty strong partnership internally with legal and [those who have] to get that work done.
Non-compliance these days is not an option, though, right?
Eyden: Yes, there’s more than just the associated cost; it’s all those tangible and intangible things. And even more potential litigation that you want to avoid and time spent unnecessarily. Time spent is definitely a big one. I feel like there’s that balance where you’re making sure you’re doing the best you can. But at some point that’s not enough.
How did the CCPA affect you?
Eyden: We knew CCPA was coming into play and, I think, [we had to be] officially compliant by January 2020. So our legal department hit us up early 2019, knowing that we had to find ways to address requirements in a meaningful way, more than just through back and forth emails. We just didn’t know how much we were going to be dealing with.
And California was the first, but there’s going to be more. So we can try to get the process nailed down first, then understand how that’s going to relate to our technical solution. There is definitely going to be a lot more to handle and we’re trying to think about how to scale this up to make a more robust solution. I feel like each state has its own scenario anyway, but if you can address the worst case first, the one with the most complex standards, you can replicate to scale up.
How do you use workflow automation to manage compliance with the CCPA?
Eyden: We had to address the consumer need to request information around how their data was being stored. We needed to have this back and forth communication with them to understand who they were and what information we needed to discover from them, then what they potentially wanted us to do with that information. Most of the time, they’re probably making that request because they want to delete it, but maybe that’s not the case. They just want to understand how their data is being used. But for us it was a communication problem. We didn’t want this to be handled with the typical email and have some sort of email request out there on our website where people can just go in or send us a direct email because that would mean a lot of unstructured information.
How does the system work exactly to help New Belgium comply with CCPA?
Eyden: For us, the automation [using a system from Nintex] was really about trying to standardize the information that we might need from this requester – a California resident in this case – and trying to get the minimum amount of information that we could get from them, because we’re also storing that information at the same time. We’re pushing that information into our system so that we can then do a dissemination of tasks, based on whatever their request is, to each individual segment of our business that might be storing that information. It could be in our sales systems, it could be in IT systems, it could be in our financial systems. It just depends. Each one of those systems or applications could have different ownership internal to the business. And they have different components, where we do have to store that information for our own legal reasons. It’s a mix of tasks, along with toggle buttons to determine what types of information are being stored around this consumer.
Then [the different data owners] can kick back [the request]. Our legal department can then review it. A ticket essentially is created for that consumer. We automate an email back to them saying, “what would you like us to do?” It’s another form that’s a couple of little buttons and some more inputs to get back to us. Again, just the information that needs to be deleted and next steps. At the end of all this, we’re saying we’re going to delete the information from the request, too, because you don’t want it stored either. We’re trying to cover as much of our bases as possible.
And, for legal purposes, does that also give you some sort of digital trail, evidence that you’ve dealt with the request?
Eyden: Absolutely. We still have an auditable track. We’re doing some data analysis with Power BI to try to determine, even after we say delete their name, that we know that the request came in and we know what it was for, what it was about. We have a trail. So, no matter what the request is, it’s still in our systems, but there’s no more information. The personal information is no longer tied to it.
Has the system worked out so far?
Eyden: We don’t get a lot of requests. We had to put all this into play to be compliant, not really knowing how many of these requests we might get. And, who’s to say, we might get more. But overall, we’ve only had a few requests come in. We had to make a couple of minor tweaks to the processes when rolling it out, but we’re still able to be compliant and we designed it to meet the needs and requirements from legal. I’d say overall, it’s great, we’ve been very happy with it. As our business grows and becomes more dynamic, with more potential to be involved with consumer data, we’re going to be prepared. We might have to make subtle tweaks, but overall I have something that can be ready to go. We can either build out unique scenarios for each state or for a federal scenario, and then just push it into the same sort of setup where it’s going to trigger automation, because we already have all that information.
That level of automation frees you up to do your work, to sell beer, not become a privacy expert.
Eyden: I’m really excited about it. Overall, with Nintex, that’s the benefit for us. We know that it’s now in our wheelhouse and it’s something we can implement in a timely manner, if we have enough information and know the problems we’re trying to solve. All across the business, there’s more automation happening, more opportunities to streamline the business processes or communication processes or just push and pull information and data to get it to the right people to do something. So that you can hopefully get some beer out the door.