Why Companies Must Make Privacy Central to Their Business Operations
By Axiom Law
“Operationalizing privacy is important and something businesses need to look at not only as it applies to privacy regulation, but also to general compliance. Companies need to understand where compliance fits into their organization and how it informs their business operations,” says London-based lawyer Angelo Basu. As privacy regulations increase globally, “there’s a suite of issues that need to be looked at, and privacy has lots of touch points operationally and strategically. Companies need to have compliance on a more executive level.”
With a wide range of legal experience in both the public and private sector, Angelo is in a unique position to examine the business implications of proliferating privacy regulations. He offered his insight into how companies can better make privacy compliance central to their operations.
Understanding both sides of the regulation
After nearly 25 years working as a lawyer in government, in-house, and in private practice, Angelo has seen the wide-ranging impact that changing regulations can have on how companies run their business. After studying law at Oxford, Angelo worked for the government legal service in the UK. There he worked closely with senior ministers and the president of the UK Board of Trade, advising on anti-trust decisions and merger clearances. He then worked as a prosecutor for the UK customs service. Realizing that his strengths and interests lay at the intersection of government policy and business, Angelo returned to Oxford for a post-graduate degree specializing in regulatory policy, competition, and anti-trust law. He has since built a career focused on how regulatory policies impact businesses on a global level.
While working in-house for an Australian telecom company, he traveled to Hong Kong, Tokyo, Australia, New Zealand, and the United States. In doing so, Angelo saw how regulations such as anti-trust and anti-money laundering laws impact global companies. After this experience, he spent ten years working at various UK law firms. Because of his experience in both the public and private sector, Angelo has strategic insight into both how regulators make decisions and how those regulations impact businesses globally.
A new model for being a lawyer
As Angelo moved up the ranks in traditional private practice, he found he was moving farther away from the practice of law and from the opportunity to be recognized for efficiently producing high-quality legal work. “When you are a business that charges by time, the firm does not value completing work efficiently, and personally I trained to be a great lawyer,” he explained.
Angelo joined Axiom in 2011 and found that it gave him a chance to refocus on legal work. “Because Axiom has people who are really good at and love doing client care, it has been an opportunity where I can be valued for actual work I do,” he explained. Working with in-house legal teams, he found that he could “work quickly and get to the heart of the matters versus just making more work. It was refreshing that we could set out and make a decision.”
Lessons learned from GDPR
On a recent engagement with a global engineering business, Angelo focused on working with the company’s Chief Privacy Officer on compliance with the European Union’s General Data Protection Regulation (GDPR), which went live in 2018. Angelo explained that while “GDPR was not a massive change from previous European regulations, the big change and centerpiece of compliance was the fining power of 4 percent of a company’s revenue.” The company already had a global privacy program in place, and Angelo worked with the CPO to make sure they could apply the policies they were putting into place for GDPR across all jurisdictions.
Angelo noted that while the company had a formal set of policies in place, the act of enforcing the policies and ensuring they were practical on a business level was another issue. He explained, “It’s one thing to put a set of policies and procedures in place to legally satisfy regulators, [it’s] another to ensure everyone is compliant and [those policies] are incorporated into business operations. It was surprising how different the operating procedures, documentation, [and] training looked in practice than the original, written policies.”
Angelo explained that he helped the CPO revise and streamline their existing privacy policies and procedures to better serve the business on a practical level. For businesses going through the work of repapering their contracts to be compliant with new regulations, Angelo explained, “there’s a lot of background work to make sure those [contracts and policies] reflect the reality of business processes, how people do their jobs, and even business practicalities such as how the company IT network functions.”
Preparing for evolving regulations
As more countries and US states bring privacy regulations online, compliance will continue to evolve. For example, the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, “is very different in its theoretical ideas than GDPR,” says Angelo. Given that California is the fifth largest economy in the world, the CCPA could end up causing European regulators to tweak their privacy laws as well.
“This is where there’s a risk for companies from a privacy perspective,” Angelo explains. “Will new regulations gravitate more towards GDPR, which will make compliance relatively straightforward, or will the global center of gravity shift towards California or another jurisdiction? We may end up with a load of inconsistent laws, which will require a more fragmented approach and put more risk into business.” It’s especially important, he notes, that companies don’t assume that countries will handle privacy in the same way as the EU or California.
While Angelo acknowledges it’s impossible for any one person to know everything about new regulations, he stresses that it’s important to understand the legal and political direction in which laws are moving and to have specialists focused on major jurisdictions.
The role of Chief Privacy Officer has also become increasingly important. As privacy impacts multiple operational and strategic touch points, Angelo explains that the CPO can ensure that compliance has a voice at the executive level.
Beyond compliance, Angelo advocates businesses take a wider approach. “Build compliance with ethics so failure to comply is a failure to uphold the ethical standards for that company,” he advises. This can be effective “especially if a business wants to incorporate compliance into the company’s DNA. Businesses with strong ethical values tend to outperform their peers, so look at the spirit of what the law intended and work to own it as a business. Ethics isn’t just a manual, but an operation.” Angelo acknowledges this can be a challenge because, “it can be easy to see the privacy function and the increase of work it brings and view it as a pure cost center rather than a question of how we do business better.”
What about Brexit?
For companies based in or doing business with the UK, Brexit raises an additional host of questions around data privacy and regulation. According to Angelo, there are two realistic options companies must consider: Brexit with a formal agreement with the EU, or a no-deal Brexit.
If there is a no-deal Brexit and the UK becomes a “third country” in terms of the GDPR, companies transferring data between the EU and the UK must repaper their contracts to show compliance with EU rules. “Internal compliance will be the biggest difficulty,” Angelo notes.
Brexit will also raise long-term questions about the way the UK approaches data privacy. “While there’s a benefit to approaching privacy ‘our way,’ there’s a compliance cost,” says Angelo. “As jurisdictions like California start passing privacy regulation, and the global movement towards privacy continues to grow and competing theories of privacy arise, this may shift the direction the UK, and other countries, take on privacy.”
Privacy help is closer than you think
One aspect of working for Axiom that Angelo especially appreciates is the company’s focus on improving business processes. Axiom’s lawyers are available to help Axiom’s clients take a new approach to how they conceptualize and utilize legal services.
Navigating shifting privacy regulations can be intimidating, and taking an innovative approach to new regulations can be especially so. However, Axiom’s attorneys like Angelo are here to help and support. “Doing what has always been done is easy, but one of the disruptive approaches we can help our clients take is this: let’s get back to principles. Why are you doing what you are doing, how are you doing it, and how can you do it differently? That approach of questioning and rebuilding requires a great deal of trust, and that’s the mindset we can help with as Axiom attorneys.”