It would be a stretch to say every data privacy attorney I know is professionally distressed these days — but it’s close.
Most seem to carry the professional weight of a chaotic, intense, evolving legal and regulatory landscape on their shoulders.
Many are overwhelmed by initiatives related to their company’s emerging or established privacy programs. Staffing challenges abound. The causes and potential solutions are many.
State laws just keep coming
New state laws roll out at almost the same frequency as OS updates on my mobile phone. And they’re all slightly different. Even though it’s five years after GDPR, no uniform privacy law in the U.S. appears imminent. By some counts, the number of states that have passed privacy laws is up to 10 and growing.
On June 6, the Florida Digital Bill of Rights was signed into law. According to The National Law Review, the reach of the new law was more conservative than similar laws enacted in Indiana, Montana and Tennessee in that it only impacts businesses with more than $1 billion in gross revenue.
The Texas legislature recently passed the Texas Data Privacy and Security Act, which is expected to go into effect shortly. The thresholds in Texas differ from the Florida law, according to the International Association of Privacy Professionals.
The minimum impact on a legal team is that each new piece of legislation must be assessed and incorporated into their company’s privacy schema. This is to say nothing of the multitude of international developments. It’s a lot to keep track of.
Opt ins. Opt outs. Coverage thresholds. Controllers. It’s enough to send lean in-house legal teams scurrying to find outside help when overcome by the increased business risk.
When risk grows unchecked, it generates fear
“Privacy scares people,” said a senior in-house attorney I spoke with who handles privacy matters on behalf of a large international company.
Why the fear? Simple: The unknown. The reputational risk associated with a bad event is crippling. For any company, but especially for highly public companies, reputation is everything. Trust is vital. One major problem, according to the senior attorney I spoke with, “It can undermine everything.” The breakdown in trust simply can’t be fixed.
So, how do companies deal with the fear? How do they deal with the unknown?
Get ahead of things. Strive to comply. Recognize that people are savvy about their personal data and that there needs to be a higher awareness.
Be preemptive and proactive instead of waiting for things to happen. Make data privacy training accessible to everyone in the legal organization and generate cross-functional awareness.
And as for data itself, narrow the scope. “Less is more,” the aforementioned in-house attorney said. Be strategic in setting up transactions, engagements and third-party relationships. Collect as little data as needed. Use good, broad principles such as these and your life will be easier.
The attorneys I talked to told me their companies are showing more awareness, self-auditing more, understanding their data and being proactive. Business units differ, of course, but generally speaking, a “need to have” standard is winning the day.
What does your privacy team look like?
Like any emerging specialty, there are those attorneys who understandably want no part of it, and there are others who have embraced the challenge.
Privacy, of course, extends beyond the legal department in most organizations, including to IT, Business Technology, Product Teams and Compliance.
As much as anything, the challenge of implementing and maintaining good data privacy hygiene is highly cross-functional. How your company deals with a particular contract or data privacy issue will rightly depend on the complexity and magnitude of the underlying issue.
More and more, as companies seek to reinforce their privacy teams, they’re turning to outside consultants, including interim legal help.
I’ve talked to at least half a dozen GCs and DGCs in the past several months who have identified privacy as an area that they need additional “hands” to help support.
From highly experienced resources that have built programs to more junior resources that can handle the daily grind of privacy impact assessments, interim resources can play a key role in the development and maintenance of a program.