Tips for Building Better Privacy and Data Security Programs

Privacy and data security remain front of mind for privacy teams looking to meet the increasing privacy requirements in various US states and globally, as well as boards and investors looking to mitigate reputational and financial risk for their entities. In response, we’re hearing more questions from our clients about how to implement robust, resilient, and future-proof privacy and data security programs. 

While there’s no cookie-cutter template that guarantees a company will be compliant with all privacy laws and hack/ransomware-proof, there are steps companies can take to build a flexible, agile and responsive privacy framework:

Step 1: Integrate privacy into product design and business operations. 

Prior to the GDPR coming into effect in 2018, companies often looked at privacy as a checklist item. This approach is no longer effective in terms of achieving strong privacy outcomes, nor is it usually cost-effective. 

Instead, companies are (or should be) integrating privacy into product design and business operations in the early stages of the development of their products or services. This is beneficial because it creates opportunities for corporate privacy programs to operate in a way that creates win-win situations for companies and consumers. 

We’re also seeing more companies interested in developing privacy-centric business operations. Doing so allows them to integrate privacy into their corporate culture which, in turn, allows them to transform privacy into a competitive advantage. 

Step 2: Be transparent about your privacy and data security. 

There are countless examples of regulators penalizing companies for their lack of transparency and/or misleading and deceptive statements about their privacy practices. In fact, it is so common for companies to make inaccurate statements about their privacy practices that there’s a term coined for it – privacy washing. 

Consumers and regulators are demanding transparency and accuracy from companies about their privacy practices. One element of this is that it’s essential that your public facing documents, like your privacy policy, are accurate – and it’s beneficial if they offer insight into your privacy practices in plain English. Achieving this will likely require help from an experienced privacy attorney, and we would warn companies away from taking and adjusting a privacy policy of a competitor or company with similar operations.

Another element of this is making it easy for consumers to access and adjust their privacy preferences. We strongly recommend that when collecting personal information, companies make it very simple for users to access, edit, and delete their data. Creating a privacy center is typically the easiest way to achieve this.

Read more about increasing transparency on your website or app.

Step 3: Document what your company doesn’t do in its privacy program, and why (as well as what it does). 

Many companies don’t include what it didn’t implement in its privacy program, opting instead to simply outline what it did elect to do. However, documenting your decisions not to implement certain measures is crucial for not only creating a defensible privacy program, but it can also inform future decision making. 

For instance, you may decide not to implement certain measures for protecting consumer personal information because, initially, you only offer your products to business owners. By documenting that you elected not to consider them for that reason, your existing documentation acts as an additional flag (for the non-privacy professionals looking at it) to loop in the privacy team if the company is considering offering direct-to-consumer sales. 

If you’d like to hear more on this topic, tune in to this week’s podcast about Operations Privacy. Managing Partner and Co-Founder Hannah Genton, Partner Kari Kelly, and guest Robert Glaser discuss how to develop and implement better privacy programs. 

Listen here.

• Privacy
• Weekly Briefs