Like it or not, privacy compliance is here to stay. Recent legislative developments make privacy compliance a necessary process for most organizations and this will increasingly be the case moving forward. This means that if they haven’t already, companies large and small must begin the process of building a privacy program.
Once you’ve created a privacy program, however, your work isn’t done. The privacy landscape and regulatory requirements are constantly evolving, so your organization needs to stay on top of new developments that could affect your program.
Following are ten tips that your team can use to continuously improve your privacy compliance:
1. Be aware of contractual obligations in data sharing under the GDPR, CCPA, and similar laws.
Privacy compliance isn’t isolated within your organization. If you share data with other organizations for any reason, either as a provider or recipient, your privacy obligations become intertwined with their obligations and their actions. When data is shared, effective privacy compliance requires very tightly controlled contractual relationships. These should define the rights and obligations of the contracting parties.
2. Ensure that in-house counsel and firm lawyers understand privacy compliance issues.
Attorneys must be familiar with privacy compliance case law and the regulatory landscape worldwide. Expertise is also required in privacy impact assessments, document retention policies, and the role of privacy in information governance. When developing contracts with other organizations, lawyers must include privacy compliance considerations.
3. Don’t overlook privacy issues during mergers and acquisitions.
When acquiring an organization, information is often one of the most important assets. Effective management and control of this data, however, is often an afterthought in deals. Poor management of data in M&A situations is always bad, but when it comes to poorly managed personally identifiable information (PII), the legal ramifications can be much worse. During M&A transactions, there must be an orderly transfer and transition process for information assets. Deals and contracts should take information control into account.
4. Include privacy impact assessments as a part of IT upgrades and new system deployments.
If your organization handles PII, you must consider the privacy implications when making a big change to your organization’s information collection practices, modifying an IT system, or deploying a new system. This means conducting a formal privacy impact assessment to ensure that your plans don’t violate privacy rights. Many jurisdictions legally require privacy impact assessments any time an organization contemplates a major change to an information process or system. Failure to conduct one may have serious legal consequences.
5. Develop a sound and defensible document retention policy.
Document retention policies must be developed with privacy in mind, but your organization’s policy must also demonstrate that you are keeping documents “no longer than necessary.” Keeping personal information longer than it’s needed is now a serious legal violation in many jurisdictions. Privacy authorities can and do audit this, and violations can result in substantial penalties. Identifying privacy requirements in all jurisdictions isn’t a DIY research project. Instead, turn to a trusted research partner for help. Since new laws are continually enacted, be prepared to update this research annually, bi-annually, or even more frequently.
6. Stay on top of privacy compliance-related case decisions and regulatory actions.
Often, the best way to figure out how to do what’s right is to learn from others who’ve suffered the consequences after doing it wrong. Every organization’s privacy compliance strategy should be informed by relevant case decisions and regulatory actions. This is one of the best ways to avoid pitfalls that have ensnared others.
7. Consider incorporating “privacy by design” into your compliance activities.
Privacy by design is a concept that regulatory bodies are promoting heavily as a method of managing processes and technologies that deal with personal information. Regulators see this paradigm as a vital path forward in privacy compliance. Keep in mind that privacy by design materially affects everything from policies and procedures to contracts and IT systems configuration.
8. Integrate privacy into your information governance program.
Privacy is one of the key elements in an information governance (IG) program. At its core, privacy compliance is about the management of information. A sound IG program is essential to comply with environmental regulations, tax laws, labor laws, and more. Privacy is now a component that organizations must merge into IG plans for all of these legal domains.
9. Monitor worldwide changes to privacy laws.
Around the world, privacy laws are rapidly changing. This means that organizations must continually interpret these new requirements, understand how they are enforced, and update their compliance strategies accordingly.
Privacy compliance is driven in part by regulatory requirements, but it also has moral and ethical underpinnings. In today’s world, customers and companies are scrutinizing their business partners more closely to see whether they behave ethically with respect to privacy. Firms that understand and respect the ethical aspects of privacy enjoy greater organizational buy-in for compliance, as well as higher levels of goodwill among key stakeholders like customers and the public at large.
Privacy compliance is an increasingly complex world and privacy considerations now extend into many aspects of a company’s operations. A continuous improvement mindset is the key to staying abreast of new regulatory requirements and modifying organizational processes accordingly.
To learn more about how Access can help your team manage privacy compliance, check out our eBook: Data Privacy for the Information Management Professional.