Privacy and data security remain front of mind for privacy teams looking to meet the increasing privacy requirements in various US states and globally, as well as boards and investors looking to mitigate reputational and financial risk for their entities. In response, we’re hearing more questions from our clients about how to implement robust, resilient, and future-proof privacy and data security programs.
While there’s no cookie-cutter template that guarantees a company will be compliant with all privacy laws and hack/ransomware-proof, there are steps companies can take to build a flexible, agile and responsive privacy framework:
Step 1: Integrate privacy into product design and business operations.
Prior to the GDPR coming into effect in 2018, companies often looked at privacy as a checklist item. This approach is no longer effective in terms of achieving strong privacy outcomes, nor is it usually cost-effective.
Instead, companies are (or should be) integrating privacy into product design and business operations in the early stages of the development of their products or services. This is beneficial because it creates opportunities for corporate privacy programs to operate in a way that creates win-win situations for companies and consumers.
We’re also seeing more companies interested in developing privacy-centric business operations. Doing so allows them to integrate privacy into their corporate culture which, in turn, allows them to transform privacy into a competitive advantage.
Step 2: Be transparent about your privacy and data security.
There are countless examples of regulators penalizing companies for their lack of transparency and/or misleading and deceptive statements about their privacy practices. In fact, it is so common for companies to make inaccurate statements about their privacy practices that there’s a term coined for it – privacy washing.
Another element of this is making it easy for consumers to access and adjust their privacy preferences. We strongly recommend that when collecting personal information, companies make it very simple for users to access, edit, and delete their data. Creating a privacy center is typically the easiest way to achieve this.
Step 3: Document what your company doesn’t do in its privacy program, and why (as well as what it does).
Many companies don’t record what they chose not to implement in their privacy programs, opting instead to simply outline what they did elect to do. However, documenting your decisions not to implement certain measures is crucial: it not only creates a defensible privacy program, but it can also inform future decision making.
For instance, you may decide not to implement certain measures for protecting consumer personal information because, initially, you only offer your products to business owners. By documenting that you elected not to consider them for that reason, your existing documentation acts as an additional flag (for the non-privacy professionals looking at it) to loop in the privacy team if the company is considering offering direct-to-consumer sales.
If you’d like to hear more on this topic, tune in to this week’s podcast about Operations Privacy. Managing Partner and Co-Founder Hannah Genton, Partner Kari Kelly, and guest Robert Glaser discuss how to develop and implement better privacy programs.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.