How to Get Privacy Right
By Axiom Law
Data privacy is the new normal for companies around the globe, especially as an increasing number of countries and US states, pass privacy legislation. When California’s Consumer Protect Act (CCPA) goes into effect on January 1, 2020, it will impact over 500,000 companies alone. In addition, the consequences of getting privacy wrong are becoming crystal clear: $400 million in fines have been issued so far for companies that violated provisions of the EU’s GDPR, which went live in 2018, and in July of 2019 the FTC hit Facebook with a $5 billion fine related to data privacy violations.
However, it’s not just fines, but the reputational damage and erosion of consumer trust that is a looming and priceless factor for many companies. “It makes good business sense to take privacy compliance very seriously. Customers tend to trust businesses that are transparent and focused on data protection and privacy,” advised Socheth McCutcheon, associate general counsel at Verizon and a guest on a privacy webinar Axiom co-hosted with IAPP in August 2019.
Often companies are caught between “doing the right thing” for data privacy and committing the budget and resources needed to fully comply with new regulations. Thomson Reuters found that 79% of companies worldwide are either failing to comply with privacy regulations, or struggling to keep up. They also reported that compliance with GDPR took up 31% of the average privacy budget, and companies spend $1.3 million on privacy annually, which is set to rise.
To be effective, ongoing privacy work must be incorporated into a company’s daily workflow, business planning, and budgeting, and must have buy-in from company leadership. However, how organizations tackle privacy varies widely, and there is no standard, or “one size fits all” approach to privacy compliance and ongoing maintenance. Privacy solutions will vary depending on the structure, industry, risk tolerance, and revenue model of your business.
Many provisions of CCPA and other data privacy legislation still need to be clarified. However, taking a “wait and see” approach, as many companies are doing, can leave your business scrambling when enforcement begins. In addition, lawyers who specialize in privacy are in high demand. Waiting until the 11th hour to set up your privacy program may mean missing the opportunity to work with a lawyer who is the strongest fit for your company.
Setting up a robust data privacy program is not just about compliance and avoiding fines. Taking privacy seriously gives you an opportunity to be a business leader. As Axiom lawyer and privacy expert Sue Gomez points out, “To run an effective privacy program, you must understand privacy principles and operate within the structure you create. You can be different and be innovative. Privacy should be embraced as a business differentiator.”
Building an effective privacy program requires leadership buy-in and a commitment to working cross-functionally. As Socheth McCutcheon noted in the case of Verizon, “Privacy is not just about compliance, but doing the right thing for our customers and our employees. It’s not just the privacy office — it’s attorneys who work on products, business units, and leadership who understand that privacy and security is critical and a foundation of everything that we do.”
Axiom’s new guide, Get Privacy Operations Right, outlines the steps to take to begin building or scaling an agile privacy function. It includes guidelines for communicating across teams and building buy-in with leadership, so you can better advocate for the resources you need. Developing an operational approach to privacy requires a cross-functional strategy and data privacy experts recommend companies take the following steps:
- Tackle privacy globally
- Privacy requires close collaboration across departments to be effective
- Identify key stakeholders across your organization who may work with existing privacy frameworks
- Build buy-in and leadership support
- Quick wins, coaching, and communication are key for company leaders
- Define a strategy to keep information about privacy flowing to leadership
- Assemble a privacy team of legal, business, and operations professionals
- For privacy projects, define clear goals, deadlines, and scope of responsibility
- Create an organized privacy work process to ensure progress and build trust throughout the organization
- Communicate regularly with leaders and employees
- Provide regular updates on developments in the privacy space and the progress of the working group
- Create privacy training materials, including FAQs, primers, and workshops specific to each department
- Continue to update and iterate on your privacy solution as regulations evolve
While privacy can feel like a moving target, it’s important to take the first steps and get started. Axiom lawyer and privacy expert Dina Maxwell concurs, noting, “There are certain privacy issues that are universal, and others that are more relevant depending on the business. Privacy compliance is always evolving – but the key is to get started and tackle the most pressing issues first.”
For an in-depth look at building a privacy function and incorporating privacy into your business operations, including insight from global privacy leaders, download Axiom’s free guide Get Privacy Operations Right. This guide harnesses insight from our bench of over 200 privacy lawyers and 250-privacy-related client engagements in 2018 and 2019 alone. Learn how to make privacy a seamless part of your business operations, build your privacy function, and be prepared as regulations and enforcement evolve.
Privacy regulations like GDPR and CCPA present a growing challenge for companies no matter their location. Here’s how legal departments can effectively implement and maintain compliance.
Lawyer Angelo Basu examines the business impact of privacy regulations like GDPR and CCPA.