Globally, individual consumers are demanding stronger privacy protections. In Europe, privacy is seen as a human right. The EU’s General Data Protection Regulation (GDPR) embodies this view and covers many US-based based businesses, requiring them to impose privacy controls on their data management practices.
In the United States, in response to citizens’ concerns about privacy, Congress and the Senate are considering federal data protection legislation. In the meantime, in the absence of general federal privacy laws, the states have taken privacy in their own hands. Chief among the states is California. California’s latest privacy law, the California Consumer Privacy Act (CCPA), became effective January 1, 2020, and now California’s attorney general is authorized to bring enforcement actions against violators.
In addition, if you are a vendor that will have access to your customers’ personal information, you have an obligation to make sure that you protect the privacy of that information through appropriate agreements. You won’t be able to sell your products and services to them unless you agree with a set of privacy requirements. On the other hand, if you are a customer looking for technology services and solutions that will involve access to your customers’ or patients’ data, you have an obligation to impose privacy requirements on your vendors and hold them accountable for meeting them.
Privacy challenges include:
- Compliance with privacy laws such as GDPR, CCPA, and others such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers, insurers, clearinghouses, and their business associates; the Gramm-Leach-Bliley Act (GLBA) for financial services companies; and laws protecting minors including the federal Children’s Online Privacy Protection Act (COPPA) and CCPA.
- Making sure that employers protect the privacy rights of employees required by law and to avoid liability from privacy violations.
- Drafting and negotiating privacy requirements in vendor agreements to make sure that vendors meet customers’ requirements for data protection.
- Resolving privacy-related disputes or lawsuits and governmental enforcement actions for claimed violations of data protection laws.
- Investigating and responding to privacy breaches, including by making breach notifications required by law.
- Drafting appropriate privacy policies to comply with applicable privacy laws.
- Assisting in personal data management and the exercise of individuals’ rights under privacy laws.
When establishing a privacy program, businesses should consider the following six steps:
Step 1: A data protection program begins with aligning the business’s overall strategy with its data protection strategy. With the business’s culture in mind, this step involves planning the strategic direction and commitment of the business to data protection. The business will need to understand critical business requirements and imperatives that affect the program. Also, are there opportunities that dovetail with the business’s strategy, such as positioning in the marketplace as a leader in data protection as part of an overall marketing strategy? Finally, the business will need to allocate sufficient resources for the program. The businesses should craft this strategy with the features, capabilities, and vulnerabilities associated with advanced technologies.
Step 2: The business will need to understand its current data protection posture. Most fundamentally, it will need to know what kind of personal data it is collecting and the flow of personal data throughout its systems during the entire data lifecycle from collection or generation to disposal or long-term archiving. It will need an understanding of all the information assets (its, customers, and vendors’ networks, sets of servers, workstations, mobile devices, and storage systems) within the scope of the program. The business will need to understand the applicable laws creating data protection compliance requirements, contractual requirements, and industry requirements such as the Payment Card Industry Data Security Standard. Moreover, the business should conduct and update a risk assessment of the universe of potential data protection threats associated with advanced technologies, the likelihood and frequency of these threats coming to pass, the impact of the harm from these threats, and the controls available to mitigate these threats or their impact. The business’s risk management process should prioritize a set of controls to mitigate the threats analyzed. Inevitably, the business will identify gaps between its current data protection posture and its target (ideal) profile of its organization. The business will need to prioritize the identified gaps and develop an action plan to address these gaps.
Step 3: This step consists of the implementation of the program of controls developed in the previous step. For instance, the business should implement its action plan to begin closing gaps in its data protection program as it relates to advanced technologies. The business may assign people to implement specific programs to improve its data protection posture. In addition, this implementation phase involves ongoing data protection support of day-to-day business line operations. For example, data protection attorneys may be involved in regular negotiations of customer and vendor contracts or mergers and acquisition activities, including the due diligence involved in these transactions. They may also work with cross-functional teams to support new infrastructure, products, and services relating to advanced technologies. They may be involved in advising clients on data protection issues that come up in operations, such as questions about implementing data protection instructions or advising marketing professionals about data protection in connection with advertising campaigns. Data protection attorneys may provide advice about specific customer or employee situations that arise. Litigation data protection counsel may be involved in defensive or offensive claims relating to breaches, defects in products or services, or defaults in product or service agreements.
Step 4: Businesses should take steps to sustain and manage their data protection programs. They will need to monitor and provide day-to-day oversight over the implementation of the program to detect issues and violations, and report and respond to them. A key part of the oversight function is providing training of personnel to make sure they understand their data protection functions. Moreover, data protection attorneys should facilitate the process of holding personnel accountable for compliance with the program. For instance, they may promote the use of data protection goals and objectives during employment reviews and advise internal clients concerning disciplinary actions taken following violations.
Step 5: Businesses should have formal programs of assessment and auditing of their data protection practices covering advanced technologies. Data protection attorneys may work together with internal and external auditors to assess and audit privacy and security compliance. Periodic audits may occur in connection with internal audits and external audits for privacy and security attestations or certifications, such as SOC reports on security or privacy or ISO 27701 privacy certifications.
Step 6: Businesses should periodically evaluate their data protection practices and make adjustments to their data protection programs. They may need to make changes because of information gleaned from data protection assessments, for instance, to upgrade certain aspects of the program, undertake new privacy programs, or acquire new security tools. Businesses may need to integrate changes to applicable law or industry practice into their compliance programs and data protection controls. Changes in business models, advanced technology capabilities or vulnerabilities, or security threats may call for other changes.
Silicon Valley Law Group’s lawyers can help you oversee these six steps. We can work together with data management consultants to determine the sources and types of personal data you are maintaining, help prepare for data subject access requests in which individuals ask your business to exercise their individual rights, assist in data minimization to assess what kinds of data you really need to collect and process and what kinds you can and should delete or stop collecting, and oversee data archiving and destruction at the end of data’s usefulness to your business. In addition, we can:
- Identify requirements under applicable laws for your data protection compliance program.
- Draft and update privacy policies for customer data, websites, or mobile applications that comply with applicable legal requirements.
- Implement employee privacy programs with employee-facing privacy policies to comply with CCPA and to avoid workplace privacy violations.
- Negotiate and manage privacy exhibits that are part of larger agreements for products and services your business is providing or buying.
- Help with assessments and audits of the effectiveness of your data protection program.
For over 20 years, our firm’s lawyers have worked on privacy compliance for clients managing personal information or providing products or services to customers who process personal data. We can help your company create a privacy program to comply with laws that apply to your business and to manage your company’s legal risk. We would be happy to talk with you about your company’s privacy needs and challenges. If you would like to speak to one of our privacy lawyers, please contact us using the web form on the right or the phone number at the top of this page. One of our privacy would be glad to set up an initial consultation with you about how our practice can solve your privacy challenges, without obligation. Videoconference appointments are available.