Five states have passed privacy legislation since 2018—California, Virginia, Colorado, Utah and Connecticut. As of May of this year, eleven other states have laws in committee, and it’s anticipated more will follow in the near future.

California’s statute is the most consumer-friendly, and Utah’s probably the most business-friendly, but all of these laws are at least loosely modeled on the GDPR. And the GDPR is based on well-known data privacy best practices.

So instead of worrying about whether your data management practices comply with a variety of state and international laws (which are constantly being amended and updated), save yourself time, money and brain power by creating a big-picture, future-proofed program based on proven methodologies that provides privacy to all customers, no matter where they live.

How can you manage your state of mind when laws are in a state of flux?

Here’s the good news for entrepreneurs: You have an amazing opportunity to build privacy best practices into your fundamental operational processes without any disruption. There are a few things you need to build a good data management program.

– Transparency is everything.

You need to be able to both understand and communicate to your users what types of personal information you’re collecting, what you’re doing with it, who you’re sharing it with, what they’re doing with it and how you’re storing/protecting it. If you can’t answer these questions yet, creating a data inventory will tell you what you need to know.

– Minimize your data collection.

Balancing business intelligence needs with consumer rights is critical to succeeding in the information economy, but the days of collecting as much information as possible are long gone. Instead of gathering anything and everything, work cross-functionally to figure out the specific data points your teams need to operate successfully. Minimizing your data collection reduces your risk of exposure, cuts data management costs and builds customer trust.

– Align your data management practices and your published privacy policies (and write an intelligible privacy policy, for heaven’s sake).

Once you start analyzing your data management practices, you’ll probably find instances where your operations don’t match what you’ve put in your privacy policy. This is a big no-no. A privacy policy that’s easy to find, easy to understand and accurately describes how you use consumer data will keep you on the right side of the compliance coin.

– Train your team.

Great policies aren’t helpful if your team can’t execute them. Incorporating regular, specific and relevant privacy training into regular staff meetings, newsletters, emails, etc., will go a long way to reduce data privacy management’s administrative load. With a culture of privacy in place, employees can become a powerful tool in your privacy toolbox.

– Update and plan, then plan and update.

Consumer data privacy is still a relatively new field, which means the landscape is changing all the time. You should review policies and programs every 12 months, or any time the laws that apply to you change. It’s also wise to run risk assessments and develop action plans for potential breaches. The work you put into these processes on the front end will make it easier to respond to new compliance obligations or consumer expectations and contain the damage caused by bad actors.

Don’t get derailed by swinging privacy states.

Whatever data privacy laws you’re subject to now, and whatever data privacy laws are headed in your direction, building your data and privacy management program on best practices will increase your agility, improve your operations, establish legal compliance and prove to your customers that you can be trusted with their information.