Kara Hilburger is managing director and team lead for privacy compliance and digital accessibility at Octillo. Views are the author’s own.
Data privacy regulations and privacy risks are evolving. From the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act to the patchwork of upcoming state privacy laws, companies go to great lengths to stay ahead of developments to minimize legal risk while continuing to promote innovation.
And did we mention the prospect of a federal privacy law? Companies are left struggling to meet what feels like a moving target. Gone are the days when data security and privacy could be addressed in independent silos within limited segments of a business, or treated solely as IT issues.
Instead, many organizations, typically led by legal counsel, have found that the key to developing a data security and privacy infrastructure with lasting impact is taking an enterprise-wide approach.
Below are the practical questions to work through when deciding how and why to build an enterprise-wide infrastructure, along with the best practices we have identified for general counsel’s role in that process.
Who should be at the table
Organizations that approach security and privacy purely as technical issues consistently fall short. A comprehensive data security and privacy infrastructure is much more than the IT controls and policies running in the background to govern password management and encryption. Given the changing legal and regulatory landscape, the conversation has to extend beyond information security – and to have it, you must understand how data enters the organization, where it flows and where it leaves.
It is crucial that all key stakeholders are part of that conversation. In addition to general counsel or in-house counsel, the effort should include representatives from human resources, information technology, information security, compliance, marketing, communications and operations.
Identifying the right people from across the organization who can provide insight and identify areas where data security and privacy intersect with their day-to-day responsibilities is necessary for the growth and sustainability of the program.
It might sound elementary but understanding who is doing what within your data security and privacy framework is key to success.
You need to take a hard look at resources, people’s roles and responsibilities, and what gaps in governance exist. Is a data protection officer under GDPR or other regulations legally required, or is a privacy officer sufficient? Will the organization identify data owners, with corresponding responsibilities? Developing infrastructure with clearly delineated roles and responsibilities is key to the lasting success of the program.
Legal and regulatory obligations
As lawyers, we are trained to identify the rule that applies before we apply it to the facts of a case. The same approach is warranted in understanding your data security and privacy obligations. Conducting a privacy regulatory assessment that evaluates current and upcoming jurisdictional requirements is the fundamental starting point for a roadmap to address data security and privacy requirements. Does the GDPR apply to your business? Do you do enough business in California to fall within the scope of the CCPA?
Once you have an understanding of the laws and regulations that apply to your business, the next step is understanding what your program looks like and what, if any, gaps exist based on these requirements.
Whether you like it or not, most organizations collect and process a tremendous amount of data. Data increasingly drives day-to-day business growth, even for organizations outside traditional data industries. The key questions are: what data do you collect and hold, for what purpose is it processed, and with whom is it shared?
Incident response management
Preparing for a potential data breach or cybersecurity incident should be a top priority for every business. The threat landscape requires you to shift your perspective on cyber threats from “if” to “when” as you examine preparedness, protocols and employee education.
Creating a detailed incident response plan is a necessary step in this process, but a response plan is only as effective as its execution.
Testing the plan at least annually helps identify gaps, improves coordination and communication, and is a cornerstone best practice for every company. It is also a requirement in many regulated industries, under some cyber insurance policies, and for certain government contractors. And don’t forget to keep a printed copy of the plan: during an actual or suspected incident, the systems that host the electronic version may be exactly the ones you cannot reach.
You may have heard it before, but training is the key to improving employee engagement and has a real impact on the data security and compliance culture within an organization.
The fact is, many of today’s security incidents begin with human error, which makes the end users of company systems central to overall company security. Training staff and raising awareness about the types of threats that target them directly belongs near the top of every security investment list.
Raising awareness across the organization about the importance of cybersecurity and privacy requirements is a fundamental part of building out an enterprise-level infrastructure. This includes onboarding training and annual refresher programs covering the common threats aimed at employees, such as phishing, and how to recognize and report them.
As we often share with clients, Rome wasn’t built in a day, and your privacy and security infrastructure will not magically appear either. But building a scalable, sustainable enterprise-level data security and privacy infrastructure should be a priority for every organization regardless of size.
The challenges presented by the current legal and threat landscape aren’t changing anytime soon, so it is vital for every organization to put in place a compliance roadmap that is right-sized for their resources, team size and jurisdictional reach. Beginning today, even with just initial internal discussions, you can start down a critically important path to minimize legal risk in this increasingly technology-driven world.