Privacy is ubiquitous in our legal and business landscape today and it can seem really big and daunting to companies of all sizes.
Privacy as a legal concept and an operational imperative is new for organizations, and the law is developing so rapidly that it can be hard to keep up.
Privacy is a regulatory problem and a regulatory requirement, but it has to permeate the entire organization. However, the laws never define compliance. The key, then, is to put your clients in a position where their decisions and actions are defensible to both the regulatory bodies and their own clients or customers.
The Triad: Privacy, Security, and Law
Privacy is part of a triad with security and law. Sometimes privacy officers sit in compliance, sometimes in legal, IT, or HR. All of those elements need to come together. However, one common problem is that companies do not link these three into a single operational program.
Security folks are taking the lead in implementing privacy programs because they’re very good at implementing enterprise-wide projects. But it should essentially be a combination of the operations of an organization, plus the leadership of legal, IT, and security.
Privacy by Design
Privacy by design is a framework, well known among technologists, that was outlined by Canadian privacy guru Ann Cavoukian.
The idea behind it is to be proactive. Don't sit around and wait until you're legally required to act, or until some due diligence event forces you to think about privacy in your offerings.
Rather, if you're proactive and your product and offerings are better designed, it's going to cost way less.
Companies can save a lot of time and money if they think about privacy first and how they want to handle it in their businesses. Otherwise, startups that don't begin with a privacy-centric approach have to rebuild a lot of things in their product.
The Foundations of Operational Privacy
Customer-facing employees who are trained well on privacy and security can stave off a lot of problems for a company. Hence, it's important that privacy is placed at the core of people's job descriptions and is part of the onboarding process and ongoing training.
Privacy has to be integrated in the initial development lifecycle and should be integrated throughout the different parts of the operations.
Awareness must be at the senior executive level, and privacy must be included as part of pre-acquisition due diligence.
Security and privacy need to be part of the fabric of your organization. To do this, it should be part of everybody's job, from the executive suite down to customer-facing employees. It's not just about the policies and procedures, but about making a culture of privacy inside the organization.
If you want to learn more about operations, privacy and data security, check out https://cgl-llp.com/podcasts/cgl038.