The 4 Keys to Mastering Data Privacy
One can list seemingly endless steps to mastering your data, but these four are among the most critical components to compliance.
July 02, 2020 at 07:00 AM
7 minute read
The proliferation of organizational data, along with the concurrent growth in regulations that govern that data, has forever changed how businesses must manage their information. Despite their relative infancy, the EU's General Data Protection Regulation (GDPR) and, in the U.S., the California Consumer Privacy Act (CCPA) have already made their mark on companies with lax cybersecurity and privacy practices, in the form of fines for data breaches and for failing to respond to consumer data requests in a timely fashion. And as July 1 arrives, the date on which the CCPA becomes enforceable and its consumer rights request provisions come into full effect, many companies may find that they are ill-prepared for the sudden influx of requests they might receive.
Privacy regulations are unlikely to go away anytime soon. The CCPA has barely launched, yet add-on legislation is already up for consideration this fall. It is therefore imperative that businesses governed by these regulations, or that might be in the future, learn to master their organizational data. In practice, this means being able to answer the challenges and risks that these regulations present to your business.
The four keys to successfully complying with these new data privacy laws are:
- Knowing your data: what you have, where it is, who can access it;
- Efficiently responding to consumer requests for data;
- Knowing who can access your data outside of your organization (vendor risk); and
- Keeping only the data that serves a business or legal purpose.
Overcoming these four challenges is fundamental to mastering your organizational data.
Knowing Your Data
Exterro's 2020 Corporate Legal Leaders Survey found that, for most general counsel and chief legal officers, the biggest challenges they face all have one thing in common: How to defensibly manage their organization's data. In particular, three primary data privacy-related challenges keep GCs and CLOs up at night:
- Preventing a data breach;
- Responding to litigation discovery requests for new data sources; and
- Responding to consumer data requests.
Each of these challenges requires two things: A data management strategy (including a comprehensive and up-to-date data inventory), and enterprise-wide collaboration among different teams. According to the survey's respondents, however, only one-in-six legal departments is tasked with ensuring data is managed in compliance with privacy or litigation requirements. A majority of the time, it's IT—which can present big risks if legal leaders aren't involved in developing the strategy.
Right now, seven-in-10 legal departments use technology to manage their litigation, data privacy, compliance, and cybersecurity challenges. But without a comprehensive data strategy and an up-to-date data inventory, GCs and CLOs will have difficulty mastering the next step.
Efficiently Responding to Consumer Rights Requests
Three-out-of-five GCs/CLOs are either concerned or very concerned about the CCPA, and with good reason: working from an inaccurate or outdated data map/inventory simply won't allow for compliance, and many organizations don't practice the data hygiene needed to keep that inventory accurate.
Talend's GDPR Research Benchmark found that companies most often failed compliance when they lacked a data privacy officer and when they were unable to locate the data needed to respond to consumer requests. In part because of the difficulty of responding to data subject access requests (DSARs), 80% of organizations said that GDPR implementation was more difficult than compliance with other data privacy or security requirements, according to research from the Ponemon Institute and McDermott Will & Emery.
But let's say you already have a well-maintained data inventory at your organization (rare in practice). What's next in responding to consumer data requests? Legal teams must have orchestrated workflows that engage the right teams and personnel in the right areas of the business. Without defined processes for managing these requests, legal teams leave their business wide open to organizational risk. These risks include:
- Inability to locate consumer data when requested (a data subject access request failure);
- Unsecured transfer of the data back to the consumer (a breach risk);
- Inadvertently giving the wrong information to the wrong person, for example by not verifying the requester's identity (effectively a data breach); and
- Deletion of material that is under another legal obligation, like a legal hold, or other retention obligation (a spoliation risk).
Knowing What Third Parties Have Access to Corporate Data
Third parties don't often seem to represent the biggest risk at face value, but the Ponemon Institute finds that it's more common to suffer a breach due to lax vendor security than due to a direct attack on the organization itself. High-profile examples aren't uncommon: as recently as February 2020, General Electric's current and former employees were notified that their personal details had been exposed by a breach at a subsidiary of Canon, the camera company.
Knowing your vendors can be seen as an extension of Knowing Your Data. As a relative of the data inventory/map, maintaining a vendor data inventory is the best way to keep an eye on which external actors have access to your data. Ask:
- Do you know what data your vendors are accessing, and whether they're managing it securely?
- Are you re-assessing vendor security practices on an annual basis to ensure they comply not only with relevant regulations but also with your own organizational requirements?
Retaining Only Data that Serves a Business or Legal Purpose
Much of the data we store serves no business purpose. And because the CCPA dramatically expands consumer rights, including the right to request deletion of their data, and other copycat laws are on the way, it's best for most organizations to start enforcing retention policies so that meaningless (but nonetheless risky) data is actually deleted.
Keeping data with no business purpose drives risk for two reasons: breaches and litigation. Data you don't have can't be breached or demanded in discovery, and sound retention practices help mitigate risks from both litigation and the breach provisions of the CCPA and GDPR. And while the CCPA imposes no retention limit for personal information, the GDPR's storage limitation principle requires that personal data be kept no longer than necessary for the purpose it was collected for, meaning that companies can no longer simply keep all of their data for no reason. As we pass July 1 (the CCPA enforcement date), revisiting organizational retention policies, and enforcing them, is now necessary to ensure that rogue data doesn't pop up later on and create more risk.
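The two places where enforcement goes wrong in practice are deleting something that is under a legal hold (the spoliation risk noted under consumer requests above) and purging a category nobody has classified. The following is an added illustration, not code from the article or from Exterro, of a retention sweep that refuses to delete held records and fails safe on unknown categories; the record layout, the retention schedule, the legal-hold list and the sample records are all constructed for the example.

```python
"""Retention enforcement with a legal-hold exception.

Added illustration (not the article's or any vendor's code). Assumed,
hypothetical inputs: records carry an id, a data category and a creation
date; a schedule maps category -> maximum age in days (None = never purge
automatically); a legal-hold set lists ids that must survive any sweep.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date


# Constructed retention schedule, in days. None means the category is under
# a statutory or other retention obligation and is never auto-purged.
RETENTION_DAYS = {
    "marketing_lead": 365,
    "support_ticket": 730,
    "financial": None,
}

# Constructed legal-hold list: ids preserved for pending litigation.
LEGAL_HOLD = {"tick-1"}

# Constructed sample records and the date the sweep is run.
SAMPLE_RECORDS = [
    Record("lead-1", "marketing_lead", date(2019, 1, 15)),   # expired
    Record("lead-2", "marketing_lead", date(2020, 3, 1)),    # still in window
    Record("tick-1", "support_ticket", date(2018, 5, 1)),    # expired, on hold
    Record("fin-1", "financial", date(2015, 6, 30)),         # never auto-purged
    Record("misc-1", "unknown_category", date(2010, 1, 1)),  # no schedule entry
]
TODAY = date(2020, 7, 1)


def classify(records, schedule, legal_hold, today):
    """Split records into (to_delete, retained_by_hold, retained_by_schedule).

    A category with no schedule entry is treated like None: unclassified data
    is kept and flagged for inventory work rather than silently destroyed.
    """
    to_delete, held, kept = [], [], []
    for r in records:
        limit = schedule.get(r.category)
        if limit is None:
            kept.append(r.record_id)
            continue
        expired = today - r.created > timedelta(days=limit)
        if not expired:
            kept.append(r.record_id)
        elif r.record_id in legal_hold:
            held.append(r.record_id)  # expired, but a hold overrides the schedule
        else:
            to_delete.append(r.record_id)
    return to_delete, held, kept


def dsar_delete(requested_ids, legal_hold):
    """Triage a consumer deletion request: ids deletable now vs. deferred by hold.

    Deferred ids should be recorded and revisited when the hold is lifted, not
    dropped; the requester is told which records could not be deleted and why.
    """
    deletable = [i for i in requested_ids if i not in legal_hold]
    deferred = [i for i in requested_ids if i in legal_hold]
    return deletable, deferred


def run_example():
    """Run the sweep over the constructed sample data."""
    return classify(SAMPLE_RECORDS, RETENTION_DAYS, LEGAL_HOLD, TODAY)


if __name__ == "__main__":
    to_delete, held, kept = run_example()
    print("delete:", to_delete)
    print("held:", held)
    print("kept:", kept)
    print("DSAR triage:", dsar_delete(["lead-1", "tick-1"], LEGAL_HOLD))
```

On the sample data the sweep deletes only lead-1; tick-1 is past its retention window but stays because of the hold, and misc-1 stays because nobody has put its category on the schedule, which is the inventory gap the first section of this article is about.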
One can list seemingly endless steps to mastering your data, but the four discussed above are among the most critical components to compliance. Organizations that work to tighten their processes will have a leg-up on those who don't.
Rebecca Perry is the Director of Strategic Partnerships at Exterro, which helps companies manage their information defensibly and in compliance with data privacy and cybersecurity regulations like the GDPR, NYS DFS, CCPA and others. Rebecca has been with Exterro more than 25 years helping legal, compliance, privacy and IT executives in the areas of information governance, data mapping, data minimization, records retention and third-party diligence. She manages the Alliance Partnership with the Association of Corporate Counsel and builds strategic relationships with leading law firms.