Compliance Strategy
Organizations must develop solid data security policies and practices to help prevent
serious incidents including data security breaches involving customers and employees.
Having robust data privacy policies and practices also helps avoid potential lawsuits and
regulations.
With the increasing threat environment, your legal team must know your obligations to
protect customer and employee personal data. You must understand the risk of
breaching those obligations and the security measures needed to remedy any
deficiencies.
exposed in 2017 according to the Identity Theft Resource Center. The total costs to a
company are staggering when potential regulatory fines are added to the dollar losses
caused by a breach.
Companies handling data outside of the US must also protect against international data
breaches. A Ponemon Institute report finds that 42% of U.S. corporations have not
especially because privacy laws often cover different data sets. For example, the Health
Insurance Portability and Accountability Act (HIPAA) protects US health data and the General
Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) (effective May 25,
Many U.S. legal and compliance departments are not familiar with the intricacies of data
privacy laws or how to comply. Moreover, as laws become more numerous and
An international effort
Europe has taken the lead in data protection and privacy. The overarching GDPR
imposes stiff fines on companies for non-compliance such as unlawful processing and
Documents Act (PIPEDA) are further examples of countries with comprehensive data
protection laws. In the United States, a patchwork of privacy laws exists at the federal
Legal and compliance departments must determine which laws and regulations apply at
centralized strategy for achieving data privacy compliance. This is achieved by having a
high-level set of principles and documentation defining measures the organization will
take with respect to personal data (as defined by applicable laws). All key stakeholders
and training SMEs to be experts for a specific regulation such as HIPAA or GDPR is
one option. This strategy ensures a single source of expertise to develop legally
compliant policies and practices. Dedicated SMEs can be the drivers of all compliance
Personal data must be identified and tagged when it is collected, and companies must
provide a method to track it. This will help you locate and appropriately protect personal
includes the effective ability to detect and prevent unauthorized or inappropriate access
meet new threats. Data sharing must also have a strict set of controls and policies.
data breaches continue to outsmart some of the best systems. The impact of an
intrusion can be mitigated through an effective data breach response plan and
these plans and the use of escalation channels. The corrective actions in the response
a repeat incident.
Business, and others to house and track all documents, reports, and records. An
It's not enough just to know you are data privacy compliant. You must be ready to
compound the issues involved in protecting personal data. Big data and its huge
datasets will pose problems for controls and management. International data transfers
have increased exponentially and will require new security measures in networks and
Internet infrastructure. On the legal and regulatory horizon, tighter consent requirements
are emerging. Individuals will have increased control over what personal data is used
and how. The GDPR has many U.S. companies still needing to understand how the
regulation applies to them and what new technologies they need to be compliant.
Protections and challenges revolving around the use of private information will only
increase in 2018 and beyond. By fully understanding the legal landscape affecting
conform with it, your legal team can know it's fully meeting its data privacy obligations.
Use Practical Law resources to fully understand the legal landscape affecting data privacy,
so your legal team can know it's fully meeting its data privacy obligations.