Privacy Is Big, Complicated and on a Shorter Clock Than You Think
Legalweek's "GDPR & CCPA are Fueling High Demand for On-Point RegTech Solutions" took on the expansive modern privacy landscape while offering some insights and tips on compliance.
February 04, 2020 at 01:59 PM
There wasn't an actual show of hands during Legalweek New York's "GDPR & CCPA are Fueling High Demand for On-Point RegTech Solutions" session Tuesday, but the vast majority of the audience seemed to be well aware of the European Union's General Data Protection Regulation. Still, as rhetorical as the initial question may have been, it did serve as a solid jumping-off point for a freewheeling discussion of privacy, compliance and—for the briefest of moments—Congress.
Here are four major takeaways from the discussion:
About This Whole Privacy Craze…
It's here to stay. According to Anju Khurana, a panelist and director and head of data privacy and protection at BNY Mellon, there are presently more than 100 jurisdictions with privacy laws. Some—like the GDPR—are even extra-territorial, meaning that they apply to companies based outside the country's sovereign borders. The U.S., meanwhile, presents its own complications since individual states are leading the privacy charge in the absence of an overarching federal law. Kenneth Rashbaum, a partner with Barton, advises clients not to wait for a national regulation before starting their compliance efforts. "Waiting for Congress is like waiting for Godot," he said.
There's More That Unites Than Divides
So yes, there are many, many privacy laws that a single company may find itself having to balance, but the good news is that many of them share some common principles that more or less circle under the umbrella of data subject rights. Rashbaum said that clients typically don't want to know the ins and outs of each particular law, instead preferring a concrete action plan for compliance. But what might such a plan look like? Rashbaum indicated that privacy policies are typically drafted towards common pillars found in each of the applicable laws, with appendixes built in to cover any outliers or particulars.
Compliance Is Not One and Done
Courtney Stout, chief privacy officer at S&P Global, framed compliance as an ongoing effort that requires constant evaluation. "I don't know that you can ever always be 100% compliant," she said. Complicating matters further can be the data subjects themselves. Stout noted that usually when people contact a business about how their data is collected or used, they may already be in an angry state of mind. "Individuals will often file a complaint with a regulator at the exact same time they notify you," Stout said.
It's Possible to Do Too Much Data Mapping
With all this talk of privacy laws, companies may feel the sudden and inexplicable urge to engage in some sort of preparation. Trust that instinct. Rashbaum urged organizations to implement a decision tree so that when a breach happens, getting the right people on the phone involves less frantic shuffling of the company directory. Putting together a data map—basically an outline of where all an organization's data is stored—is another step in the right direction if done right. Khurana said that data maps should be sure to correlate to specific individuals so that it's also easier to execute data subject access requests. However, if a company is of notable size, it may be worth it to determine which divisions are actually impacted by a given privacy law before roughing out a data map. "I think it should be surgical, I think it should be targeted and I think it should start once you know what your legal obligations are," said Tess Blair, a partner at Morgan, Lewis & Bockius.