Privacy regulations are proliferating. No matter where a company is headquartered, these regulations, such as the European Union’s General Data Protection Regulation (GDPR) or California’s Consumer Protection Privacy Act (CCPA) present a growing operational challenge. These regulations put tremendous pressure on resource-constrained in-house legal departments and necessitate a transformation in how companies handle and operationalize privacy.
As regulations become more widespread, even companies that were not initially impacted when GDPR went into effect in 2018 must now address privacy regulations. Currently, more than 120 privacy regulations in major jurisdictions have been passed or proposed. These include the Swiss Data Protection Act, the Brazilian General Data Protection Act, CCPA, as well as increased regulations in Washington and New York state. For California, which is the 5th largest economy in the world, CCPA will impact an estimated 500,000 businesses when it goes into effect on January 1, 2020.
Overall, non-compliance with privacy regulation represents a growing financial and reputational risk for businesses. For example, GDPR requires that companies report data breaches within 72 hours, and the maximum penalty not complying with this requirement is 4% of the company’s annual revenue. Since GDPR went into effect on May 25, 2018, over 200,000 cases have been reported to the European Data Protection Board, including over 64,000 data breaches and over 94,000 complaints. Fines issued so far have topped 56 million euros (73 million US dollars), including a 50 million euro (56 million US dollar) fine issued to Google by French data protection authorities.
Compliance with privacy regulations is not a one-time solution, especially as new regulations emerge. Beyond financial and reputational risk, increased privacy regulation creates a burden on daily business operations, corporate budgets, and overall strategy. Adding to the challenge, the volume of work can be unpredictable. Many in-house legal departments, which are already stretched thin in terms of budget and headcount, must now develop a strategy and regular privacy business function to address issues and tackle tasks such as:
- Preparation for regulation
- Audit existing privacy policy
- Review vendor contracts and third-party relationships
- Develop plan and resources for maintaining and executing compliance
- Draft a plan for consumer notification and response
- Implementation of privacy policies and procedures
- Update process for privacy notices and consumer requests
- Update contracts as necessary
- Train legal and business teams on privacy policies and response
- Outreach to vendors and third parties about data handling and procedures relating to consumer notices
- Communicate and display all privacy notices
- Ongoing compliance
- Ensure policies integrated into business operations
- Align procedures to updated regulations
- Complete Data Privacy Impact Assessments (DPIAs)
- Maintain a “privacy inbox” to address privacy inquiries such as Data Subject Access Requests (DSARs)
Complying with privacy regulations requires a proactive approach from in-house legal teams. Axiom attorney Angelo Basu notes, “It’s one thing to put a set of policies and procedures in place to legally satisfy regulators, [it’s] another to ensure everyone is compliant and [those policies] are incorporated into business operations. On a recent assignment with a global engineering business, it was surprising how different the operating procedures, documentation, [and] training looked in practice than the original, written policies.”
Because of the constant diligence privacy regulations demand, the workload required to address them often outstrips the capacity of in-house legal departments. In order to develop and maintain a strategic approach to privacy that is incorporated into business operations, legal departments often need additional support. With experience working with 116 companies to address data privacy in 2018 alone, Axiom delivers lawyers with the expertise companies need to effectively respond to privacy regulation. Our lawyers’ data privacy services include privacy audits, updating privacy policies and procedures, completing DPIAs, responding to SARs, data mapping, third party scoping, delivering privacy training, and contract revision.
For example, Axiom deployed a team of over 40 lawyers to a Fortune 50 technology company to enable it to address GDPR across the global organization, develop a streamlined approach to privacy regulation, and have real-time visibility into the project’s status. Working both onsite and remotely, the team took a unified approach and used project management software to optimize its work. This approach enabled the team to work effectively, consistently report on progress, and rework over 1,000 contracts.
To learn more about how to prepare for privacy regulation, watch our webinar co-hosted with IAPP which featured privacy leaders from Verizon, EY, and Aon and covers actionable advice for companies of any size about how to implement and scale privacy programs, operationalize privacy, and utilize flexible legal talent to boost capacity and prepare for compliance.
If you are ready to set up a privacy program or scale ongoing compliance, working with Axiom’s privacy lawyers enables in-house legal teams to develop an agile and efficient response to privacy regulations. Find out how Axiom can help your business transform as privacy regulations accelerate.
