Privacy: It’s a Team Sport
While the GDPR got the privacy party started, the US and other countries have kept the fun going into the wee hours. Only an ostrich can avoid hearing about privacy at this point and that is being debated over beers somewhere. In a global society, chances are your organization is subject to more than just one data privacy regulation and is grappling with how to implement a privacy program that will meet all of the requirements. When it comes to solving for the various obligations under privacy regulations, a cross functional team of experts is required to implement the solution. Not only should the organization have an internal task force, but various expertise is needed to solve for the larger issue of privacy: lawyers to provide legal interpretation of the regulations and opinions regarding applicability to the program; consultants to operationalize the requirements, implement the controls with the stakeholders, and translate the requirements to IT and IS teams; and technical solutions to ease the burden and staff hours needed to ultimately run the program.
Lawyers
Let’s start with the importance of having lawyers involved with privacy engagements, whether that’s internal counsel, external counsel, or a combination of the two, as is often the case. These privacy regulations can be ambiguous and include various definitions and nuances that must be carefully analyzed to determine applicability and scope to each organization. After all, these privacy regulations are laws and therefore a legal interpretation will be required.
Lawyers can assist with:
• Determining scope
• Providing formal opinions
• Ensuring the program implements reasonable controls
• Updating contracts and data protection addendums
For starters, organizations must determine what their role is as well as the roles of their vendors. Under the GDPR, is your organization a controller, a processor, or a joint controller? Not to get too in the weeds, but organizations can often be a combination of two or all three and this depends on the context of the processing. Under the CCPA, is your organization a business, service provider, or third-party? Is your organization one or all three of them? Very similar to the GDPR, organizations can be any number of these depending on the context of the processing. You can see how complicated this can become and why it is vital to determine the scope and how the organization is defined under the regulation(s) and therefore the obligations the organization will need to meet.
Another great use case is under the CCPA. Organizations must analyze and determine whether they sell personal data and therefore are required to comply with any right to opt-out of the sale of personal information requests. The term “sale” itself is extremely broad under the CCPA and must be analyzed based on the organization’s personal data sharing activities and the consideration the organization receives in return. Other privacy rights, specifically, right to deletion requests, will need to be analyzed on a case-by-case basis as various exceptions may apply per request.
Lawyers should be involved in defining the scope of personal data (likely from a data inventory compiled by consultants and technology) within your environment based on the various definitions under the privacy regulations. This includes determining vendor roles and making any necessary contract or data protection addendum revisions, approving any privacy policy changes based on the notice requirements, responding to data breaches, and signing-off on the validity of consumer privacy requests. Lawyers are also invaluable at working with and communicating risk and business impact to General Counsel.
Consultants
Now, let’s cover how consultants are involved in the overall development of a privacy program. You’ve heard it before, “everyone has a day job.” Chances are, privacy isn’t it. We have seen time and time again that the challenge of solving for privacy gets thrown onto someone in the Compliance department or an IT/IS individual’s plate and they have to tackle not only their previous job responsibilities, but also create an entirely new organization-wide program revolving around privacy – not an easy task, no matter what the individual’s day job is.
First and foremost, consultants provide external objectivity. That is to say, they can provide a broader view of the privacy landscape and insight regarding how their clients are implementing programs and overcoming hurdles to compliance. Not only that, right, wrong, or indifferent, organizations often times listen to an independent consultant’s recommendations regarding program needs and design and consultants can often assist stakeholders with securing the budget necessary to implement any recommendations for the overall privacy program.
Consultants can assist with:
• Operationalizing the requirements
• Risk identification and mitigation
• Technology implementation
• Access request design and implementation
• Information security expertise
Further, consultants that specialize in data privacy, have the skill set, the time, and the expertise to assess an organization’s readiness level and recommend a game plan for next steps based on the specific organization and the organization’s strategic goals. As outlined above, consultants have the experience of working with clients of different sizes, industries, and risk appetites to get into the weeds and determine the best way for your organization to operationalize these new privacy obligations.
Consultants often have the knowledge and skillset necessary to discuss and provide recommendations to the IT and IS teams and communicate the impact the privacy regulations will have to the organization’s tech stack from a security and privacy by design aspect. This involves recommendations surrounding encryption, access controls, log management, password management, incident response, business continuity, disaster recovery, vulnerability and penetration testing, the software development life cycle, and ensuring the overall confidentiality, integrity, and accountability of the data and overall privacy program. Additionally, consultants can work with the IT and IS teams to develop processes to honor requests for access, deletion, restriction, rectification, etc. within any homegrown or SaaS based tools.
In summary, through working with various clients, being in tune with enforcements, and having an outside view of your organization, consultants can bring new ideas and solutions to the table. Specifically, consultants know how to work with different groups within an organization to efficiently implement this type of organization-wide initiative. Outside consultants give an organization a fresh set of eyes as to what is needed, which tasks should be prioritized based on risk, and how to go about smoothly implementing something that will likely change more than a few people’s job responsibilities moving forward.
Technology
Last, but certainly not least, we have Technology. Technology is an important piece to the puzzle of an organization’s privacy program. Investment and startup technology aiming to solve an organization’s privacy headache has increased at an astounding rate in the last 2 years – data scanning tools can assist in developing a data inventory or data map, online portals can assist in receiving, tracking, streamlining, and memorializing responses to consumer access requests, GRC tools can assist with overall program management, and ticketing systems can assist in managing and tracking privacy requests as well. These are just a few examples of where technology is helping solve for privacy within organizations.
Technology can assist with:
• Managing Access Requests
• Ensuring maps and inventory remain accurate
• Auditability of the privacy program by memorializing actions taken to meet obligations
Organizations should also consider technology they already have in place that may be able to assist with some of these new privacy obligations. It’s likely that your IT department already utilizes a ticketing system or might have some data flows already created. There’s no need to start from scratch, so utilize what you have. The more an organization can automate to easily maintain records of compliance with these privacy obligations, the better.
Privacy regulations are a relatively new challenge for organizations, and they are only becoming more complicated as they evolve and multiply. Take Brexit for example. Before January 1, 2021 when the transition period ends, organizations will need to determine if any changes are needed to their data privacy policies and processes based on the United Kingdom no longer being a part of the European Union. Further, the forever debated ePrivacy legislation and, as mentioned earlier, the many US state data privacy laws that have been proposed will bring additional obligations for organizations subject to data privacy laws. The CCPA has been in effect for two months and California already has a new ballot initiative that looks to expand the scope of the CCPA. Needless to say, new privacy obligations are right around the corner and organizations must be prepared to tackle the every-changing privacy road ahead of them. Solving for privacy regulations and implementing a flexible and meaningful privacy program is a team effort.
Managing Your Organization’s Privacy Program
Although we worked linearly through this article, these pieces (lawyers, consultants, and technology) are intertwined throughout the implementation and management of any successful privacy program. Your organization will need to look internally to the business owners for insight into processing activities, lawyers to interpret the regulations and determine how the regulations apply to your organization, consultants to design and implement the program, and technology to solve for some of the complex requirements in the privacy regulations.
Organizations should not expect one individual or one team to implement an entire privacy management program overnight and remain up to date on all of the upcoming changes to data privacy. Consultants, lawyers, and technology are all crucial in ensuring the smooth and efficient implementation and maintenance of a new data privacy program.
Please reach out to us at: connect@compliancepoint.com if you have any questions about this article or how CompliancePoint can assist your organization with achieving your privacy objectives.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.