Understanding data privacy: A compliance

strategy can mitigate cyber threats

Data privacy compliance in the legal world requires more than just following government

regulations.

Organizations must develop solid data security policies and practices to help prevent

serious incidents including data security breaches involving customers and employees.

Having robust data privacy policies and practices also helps avoid potential lawsuits and

regulatory investigations involving data security. It also provides significant reputational

benefits if an organization can avoid data security incidents.

With the increasing threat environment, your legal team must know your obligations to

protect customer and employee personal data. You must understand the risk of

breaching those obligations, and the security measures needed to remedy any

deficiencies.

Challenges of privacy compliance in today's legal

arena
In the U.S. alone, there were 1139 total data breaches with 174,402,528 records

exposed in 2017 according to the Identity Theft Resource Center. The total costs to a

company are staggering when potential regulatory fines are added to the dollar losses

caused by a breach.
Companies handling data outside of the US must also protect against international data

breaches. A Ponemon Institute report finds that 42% of U.S. corporations have not

taken steps to prepare themselves for an international data breach.

Deciphering the gamut of US and international privacy laws can be bewildering

especially because privacy laws often cover different data sets. For example, the Health

Portability and Accountability Act (HIPAA) protects US health data and the General

Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) (effective May 25,

2018) broadly protects personal data processing of EU individuals.

Many U.S. legal and compliance departments are not familiar with the intricacies of data

privacy laws or how to comply. Moreover, as laws become more numerous and

expansive, the risks of penalties for non-compliance increases dramatically.

An international effort
Europe has taken the lead in data protection and privacy. The overarching GDPR

imposes stiff fines on companies for non-compliance such as unlawful processing and

disclosures of personal data. Australia’s Privacy Act, Argentina’s Personal Data

Protection Law, and Canada’s Personal Information Protection and Electronic

Documents Act (PIPEDA) are further examples of countries with comprehensive data

protection laws. In the United States, a patchwork of privacy laws exist at the federal

and state level based on industry and types of data.

Legal and compliance departments must determine which laws and regulations apply at

the state, national, and international level. Where do you begin?

Set up a systematic compliance effort for your
organization or firm
A good framework that guarantees data privacy for your clients and employees will

have these components:

Having an Overall Compliance Strategy

Many organizations do not have a comprehensive, integrated, measurable, and

centralized strategy for achieving data privacy compliance. This is achieved by having a

high-level set of principles and documentation defining measures the organization will

take with respect to personal data (as defined by applicable laws). All key stakeholders

and areas in the organization must be represented.

Having Compliance Subject Matter Experts (SMEs)

No one can be an expert in the myriad of regulations needing compliance. Assigning

and training SMEs to be experts for a specific regulation such as HIPAA or GDPR is

one option. This strategy ensures a single source of expertise to develop legally

compliant policies and practices. Dedicated SMEs can be the drivers of all compliance

documentation in your area..

Inventorying and Assessing Personally Identifiable Information (PII), or Sensitive

Personal Information (SPI)

Personal data must be identified and tagged when it is collected. and companies must

provide a method to track it. This will help you locate and appropriately protect personal

data in accordance with legal and recommended standards.

Establishing Data Protection Policies and Procedures

A privacy compliant organization provides solid administrative, technical, and physical

security safeguards to ensure confidentiality, integrity, and availability of data. This

includes the effective ability to detect and prevent unauthorized or inappropriate access

to data. Information security must constantly be assessed, monitored, and updated to

meet new threats. Data sharing must also have a strict set of controls and policies.

Developing a Response Strategy and Plan

No system is perfect despite full adherence to compliance policies. Cyberattacks and

data breaches continue to outsmart some of the best systems. The impact of an

intrusion can be mitigated through an effective data breach response plan and

escalation process. Employees responsible for breach response should be trained on

these plans and the use of escalation channels. The corrective actions in the response

plan must be implemented and documented as proactive preventive measures against

a repeat incident.

Keeping Proper Compliance Documentation

Compliance plans and processes should be properly documented. A variety of content

management systems are available such as Microsoft SharePoint, OneDrive for

Business, and others to house and track all documents, reports, and records. An

employee dedicated to managing document security and compliance is ideal.

Guaranteeing Proof of Compliance

It's not just enough to know you are data privacy compliant. You must be ready to

present your conformance for external or internal inquiries. Compliance should be

clearly verifiable & readily accessible through reports and documentation. Your

organization should have a process for reporting non-compliance as well as a clearly

defined escalation path. Continual adherence to confidentiality principles should be

verified through appropriate monitoring, auditing, and use of controls.

Fast forward data privacy compliance concerns

Whole new dimensions of the technology and business landscape are emerging that will

compound the issues involved in protecting personal data. Big data and its huge

datasets will pose problems for controls and management. International data transfers

have increased exponentially and will require new security measures in networks and

Internet infrastructure. On the legal and regulatory horizon tighter consent requirements

are emerging. Individuals will have increased control over what personal data is used

and how. The GDPR has many U.S. companies still needing to understand how the

regulation applies to them and what new technologies they need to be compliant.

Protections and challenges revolving around the use of private information will only

increase in 2018 and beyond. By fully understanding the legal landscape affecting

personal data thoroughly, and adopting a comprehensive compliance system to

conform with it, your legal team can know it's fully meeting its data privacy obligations.

Use Practical Law resources to fully understanding the legal landscape affecting

personal data, and adopt a comprehensive compliance system to conform with it to

allow your legal team can know it's fully meeting its data privacy obligations.