A single data security incident can have a massive impact on an organization’s reputation and finances — which is why companies should ensure that the data they collect remains private. New regulations such as the GDPR and CCPA, as well as the cunning and gall of cyber criminals, require every company engaging in data collection to implement rules within its own organization to protect private data. This does not mean merely handing out a manual with a Data Incident Response Plan, but truly changing the corporate culture through an effective data privacy compliance program.
Rockridge® takes a step-by-step approach when helping companies curate their individual data privacy compliance programs. Here are the key elements to get started:
1. Lean In with Leadership
It’s difficult — nay, impossible — to change something as significant in a company’s culture as privacy without first gaining the approval of company leadership. While regulations and their fines for noncompliance are certainly motivating for jumping on board, many companies still hit pause when they realize the cost of compliance, which can range in the tens of thousands (training, new software, legal fees, etc.). There are enough case studies in existence at this point to easily show leadership the true value of new privacy policies and procedures, especially when compared to the financial and reputational risks at stake.
2. Pick a Protection Officer
A Data Protection Officer (DPO) is an individual who manages the privacy controls of an organization and works with officials should a breach occur. This position is required under the GDPR for companies that process certain sets of data. Smaller organizations that are not required to have a DPO may still find value in assigning an individual or team with a set of similar responsibilities. This forward-thinking assignment designates a central point person/team for reporting suspected breaches and suspicious activities that employees, vendors and customers can utilize.
3. Deal with your Data
What data, exactly, does your organization collect? Where is it stored? Who has access to it? Data is not merely the information consumers provide to your organization directly, through contact forms and the like, but any other information collected, e.g., analytics, notes, etc. It’s not possible to protect data until you can pinpoint the entirety of what is collected. The DPO (or team) should create a data inventory that records what data is collected, the purpose of the collection, and whether consent was obtained at the time of collection to collect and use the data for the purpose listed.
4. Read the Regulations
Not every privacy law applies to every company. And there are more laws to deal with beyond the GDPR and CCPA, although those two may be the furthest reaching. If you are unsure whether data privacy laws apply to your business, speak to a data privacy attorney who can provide advice specific to your business. You can also check out the Rockridge® privacy hub on our website.
Whether certain laws apply to your business does not necessarily depend on where your business is located or your state of incorporation. You do not have to be located in the EU or California for the GDPR or CCPA to reach you. The individuals you collect from, the size of your business, and the categories of data you collect will determine whether privacy regulations apply to you.
6. Create some Controls
Looking back at the data inventory you have created, you may need to change how your organization stores and secures data, based on the risk of a breach. Certain financial or confidential information may need to be stored locally on a secure server rather than in the cloud. Certain employees may not need access to a full data profile if it is not relevant to their job duties. Further, depending on the kind and amount of data your organization collects, you may need to invest in cyber insurance to help absorb the cost of an expensive security breach.
One powerful control is a Data Incident Response Plan that outlines possible risks and the company’s prepared response. Such a plan would include the steps company employees and leadership should take in the event of a breach, assign responsibilities and tasks to specific individuals within the organization, and list contact information for parties that could assist with a cyber threat (PR firm, law firm, tech consultants, etc.).
7. Train your Team
Privacy is everyone’s responsibility. A company’s culture does not change unless every individual involved is trained to protect privacy. And when it comes to privacy, team training is often the most important element of securing data, because most data breaches are the result of human error.
This piece is so important, in fact, that we’ve created a whole separate article just to discuss it. You can check it out here: 3 Steps to Creating a Culture of Privacy Protection.
8. Check for Changes
Lastly, ensure that your organization engages with its community and industry to stay abreast of new developments and standard practices under privacy law. Depending on the type of data your organization handles, your DPO may need to meet with company leadership on a regular basis to discuss what’s happening in the realm of privacy and what changes the company should make in response. Further, privacy procedures and policies should be reviewed whenever new data vendors are acquired or new privacy practices are implemented. A change in data collection and usage practices without notice to consumers could result in fines.
Implementing a culture of privacy protection is the wave of the future, especially in a competitive world where data is at the core of every organization. Counsel at Rockridge® can assist your organization with establishing an effective data privacy compliance program that fits your business to ensure that you remain ahead of the curve and out of regulators’ sights.
Rockridge Venture Law® is a certified B Corp law firm embracing the mantra of technology lawyers for good. Rockridge® services include corporate, intellectual property, litigation, M&A, privacy, technology, and venture capital law. Rockridge has been recognized as a B Corp Best for the World and Real Leaders Top 150 Impact Company, and has been featured by Conscious Company Magazine, Forbes, and other top media focused on industry leaders in impact and innovation.
The Rockridge team has worked with Grammy winners, Nobel Prize winners, and world champion athletes to create and monetize distinctive intellectual property assets. Rockridge clients include founders, investors, and multinationals scaling disruptive technologies and iconic brands. Rockridge is headquartered in Tennessee, with satellite offices in Durham, New Haven, and New York.
We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
See case studies on how we’ve helped transformative companies at Rockridge Case Studies.