Navigating a Stricter Privacy Regulation Framework
By Axiom Law
“Privacy laws are getting stricter everywhere, and they have companies very concerned,” observes Atlanta-based Axiom attorney Virginia. With certifications and extensive experience in international privacy law and cybersecurity, she is well-equipped to help companies around the globe navigate the choppy waters of privacy legislation. Virginia joined Axiom in 2017 after working at companies such as AT&T, Equifax, and the American Cancer Society, as well as running her own privacy consultancy.
At Axiom, she has worked on a number of privacy-focused engagements, including her current engagement at a FinTech company. As companies work to prepare for the implementation of CCPA in 2020, Virginia stresses that communication between business units, reviewing and understanding how data is transferred to third parties, and training employees on the importance of privacy are critical.
A passion for law and art history
Virginia was exposed to law at an early age. Her father is a corporate lawyer who defended many large corporations and would talk about cases at the dinner table. “He would present the plaintiff’s and defense’s side and discuss,” said Virginia. “I heard both sides of many cases growing up.”
Virginia attended college at Sewanee, the University of the South, where she studied art history. After an internship at the Smithsonian turned into a job in public programs at the National Museum of American Art, Virginia considered going back to school for a PhD in art history. Her boss at the time talked her into going to law school instead, with the idea that she would move up in the museum world. However, after attending law school at the University of South Carolina, she decided to pivot away from museum law and build her law career in Atlanta.
Early expertise in data privacy
In Atlanta, Virginia began her corporate career at AT&T, where she developed a strong base in technology. She also worked at Equifax and developed a strong basis in privacy law, as “the Equifax work was 99% privacy-related, because it was so heavily regulated on consumer reports.” In addition, she felt cybersecurity would be a strong supplement to her privacy experience. “You can’t really separate them,” Virginia points out.
Virginia received her CIPP certificate in both EU and US privacy law, and a certificate in cybersecurity from Georgia Tech. She worked in the Georgia Tech security lab for several years, as well as at the American Cancer Society, and founded her own privacy consulting business.
Gaining a variety of privacy experiences and expertise at Axiom
Since Virginia joined Axiom, she has worked full-time with a variety of clients and an international scope of work. “It’s been really good quality of work,” she notes. “I love the Axiom model, because running your own practice requires a lot of networking and a lot of work to get a project here and there. With Axiom, it’s great, because they’ve got the big clients, and I haven’t had any downtime.”
Since joining Axiom, Virginia has been focused on privacy law. She has worked on projects related to GDPR, CCPA, and international privacy laws, including those in China, India, and South Korea, as well as in Latin America and Canada. She’s been especially focused on two major aspects of privacy: cross-border data transfer and new product development.
“Who knew one day I’d be an expert at Chinese law?” she remarks. “I love going project to project and coming in, offering my expertise, and helping the company. I learn more, and I love the project aspect of working at Axiom. Each engagement really broadens my knowledge.”
Helping companies work within stricter privacy laws
For many companies, when it comes to privacy and security, third-party oversight is an ongoing issue. “Vendor management and oversight present many challenges, because that’s where your data is going out the door,” she explains.
As companies prepare to comply with increasingly strict data privacy laws, Virginia recommends identifying a privacy point person for each business unit to manage vendors, ensure privacy protocols are followed, and train employees in the importance of privacy. “You have to have an accountable person in each business unit who is responsible for privacy, working closely with the privacy legal team and privacy compliance team,” explains Virginia.
A privacy point person can also ensure that a company’s privacy policies and actions align. “A lot of times you’ll see notices that say ‘we do this, we do that,’ and then you talk to the business and they don’t,” Virginia observes. “That’s a good example of aligning the business units with the privacy experts, to make sure you’re going down the same path.”
Employee training is also crucial for ensuring ongoing privacy compliance. Virginia worked with one of her clients to build a privacy program from start to finish, and brought in a third party to provide training to everyone at the company for whom privacy was relevant. “Training is crucial so that people understand what privacy and security is and why they are important,” she says. “Privacy and data security are two sides of the same coin, and they need to be joined at the hip.”
Preparing for the “unruly” legislation of CCPA
January 1, 2020, the date that CCPA goes live, is quickly approaching, and presents a formidable challenge for many companies. “It’s very difficult because it’s so broad,” she explains. “It all goes to the consumer’s ability to opt out of the ‘sale’ of their data. However, ‘sale’ is so broadly defined.” For companies working to comply with CCPA, previous compliance with GDPR will give them a leg up. While CCPA and GDPR differ in many ways, “companies can leverage the data mapping and background research into data flow they had done for GDPR for CCPA,” suggests Virginia.
She also points out that more US states are considering data privacy legislation, and practically, it’s difficult to single out only consumers in California – so it makes sense for CCPA compliance to apply to all US consumers.
While the privacy landscape continues to shift, experienced lawyers like Virginia can help companies bring order to chaos and understand how to build on existing privacy frameworks, and can advise on how to incorporate privacy into their daily operations.
Whether your company needs help preparing for CCPA, you need support for an existing privacy program, or you are a privacy lawyer who wants to expand your skill set with interesting, engaging work, get in touch with us at Axiom.