Four Steps to Building a Data Privacy Response Plan
The passage last month of an amendment to the California Consumer Privacy Act (CCPA) is a reminder that things move quickly when it comes to data privacy rights. The California Privacy Rights Act (CPRA) expands on the CCPA’s provisions and creates a new state agency to oversee privacy. Moreover, this is just one of dozens of privacy laws and regulations that have been passed across the US and around the world. Some of these cover states or even individual cities while others apply to specific industries like healthcare. Then there is Europe’s General Data Protection Regulation (GDPR) that affects any company doing business there. Nothing is standard. It’s enough to make your head spin!
As we head into 2021, it’s worth taking another look at the data-privacy landscape, assessing your organization’s responsibilities, and forming a plan of action.
- Understand your responsibilities. This is common sense but necessary to understand the implications for your organization. Regardless of where you are headquartered, do you do business in a jurisdiction or industry covered by a privacy law? Do you have customers in such jurisdictions? Are you growing and expanding into new markets? There is a lot of nuance in terms of who the laws apply to and what the scope of regulation is. For instance, companies below a certain size may be exempt from some provisions. Start to understand what you need to do to comply by the time regulation takes effect.
- Form an inter-departmental working group. Legal, privacy, and compliance functions will increasingly merge into a single, cross-functional team for handling data-privacy requests. These teams have long operated in silos but will need to work together along with IT and business groups to tackle data mapping for the organization, that is, determining what information you have and how you are using it. Everyone will benefit from closer collaboration and shared expertise to determine how different departments are collecting and storing information. There is no one-size-fits-all approach, but industry associations may have best practices or case studies to help you understand how other companies are approaching this process.
- Know what information you’re looking for. Personal information can cover a broad range of data, including things like addresses, financial data, biometrics, geolocation, electronic activity like browser history, and even audio-visual assets. Make sure you have a handle on the range of personal data you might have and be aware that different departments may overlap in the information they collect, or they may have completely different types.
- Establish a consistent approach and pressure-test it. This may be challenging given that various privacy laws themselves are not consistent. But there are still some things you can do, starting with creating a standard way to receive privacy-related requests. Then make sure that you have a consistent approach to processing that intake. Always look at the same data sources, use the same systems to perform your searches, redact the same kinds of information, and report out in a similar format. Implement the same policies and procedures across your organization, communicate them properly, and train people. Put the process through a dry run or other stress-testing to identify and address bottlenecks.
The good news is that there are a lot of parallels between handling privacy-related matters and what you may already be doing for litigation. You have to identify what data you have, collect it, review it for any proprietary information, and then deliver it. That looks a whole lot like the process for legal holds and ediscovery. The systems that handle discovery and review for litigation can also be used for the dual purpose of privacy. This has the benefit of reducing costs, and should also reduce time and effort since you won’t have to learn a new system.
It can be tempting to put data privacy rights on the back burner amid other pressing concerns, at least until some of the confusion surrounding them gets worked out. But as the regulatory landscape continues to evolve heading into 2021, legal teams should take this opportunity to assess their obligations, determine who is collecting what information, and build and test a process. Establishing that consistent process and facilitating cross-team collaboration now will make you better prepared to handle current and future developments in data privacy.
To learn more about privacy, register for our on-demand webinar, CCPA Compliance: Practical Steps for Building Data Privacy Programs.