Lawyers and a corporate privacy officer convened to discuss the importance of privacy controls during the "Privacy Engineering ('Privacy by Design'): What Is It & What Do I Need to Know?" panel held on the final day of Legalweek 2020 in New York. 

Bristows partner Robert Bond described privacy by design as designing a product or workflow with regulatory compliance and best practices in mind, instead of retroactively trying to meet compliance rules. 

To be sure, privacy by design isn't solved entirely by tech engineering, Bond noted. Instead, "quite a lot of it is training people in the business to abide by the policy or have an actual policy in place," he said.

Orrick, Herrington & Sutcliffe managing associate Matthew Coleman noted that a privacy approach shouldn't hamper a business's functions, data processing or strategic goals. Along with the policies and protocols proving a company is compliant, privacy by design can be leveraged as a "differentiator" in the marketplace among privacy-minded customers, he added.

But moving toward compliance can be difficult as lawyers wait for California Consumer Privacy Act and General Data Protection Regulation guidance.

"This year is when they are going to unleash it on us," said Stratagem Tech Solutions CEO and founder Amie Taal of the GDPR. "Those cases will provide the legal precedent of how the GDPR will be dealt with by the authorities so we can have case law."

As lawyers wait for case law regarding those new regulations, Fenwick & West technology and e-discovery counsel Robert Brownstone said U.S. government agencies are already stepping up to regulate data practices.

Although there isn't a federal data privacy law in the U.S., Brownstone warned that the Federal Trade Commission is flexing its regulatory authority to verify that companies' privacy notices match their actual practices.

To mitigate the growing risk that data poses, the panel recommended that companies map their data flows, to better manage data subject access requests, and practice data minimization. But best practices for how to provide privacy notices still vary, the panel said.

While the GDPR and CCPA require notices be transparent and "as intuitive as possible," Coleman said every company has to make a decision about how that notice should look depending on how much risk they are willing to take. As such, that "wide approach" confuses consumers.

But from the in-house perspective, drafting a notice that pleases all consumers is difficult, said Slack Technologies Inc. chief privacy officer Megan Cristina. "You are catering to a wide spectrum of people; it's really hard to make one-size-fits-all," she said.

Some users are more tech savvy while others are not, which makes feedback regarding updated data policies mixed, she explained.