State privacy regulations are rapidly becoming a prominent legal concern for U.S. businesses. Privacy lawsuits against fintech favorites are settling for tens of millions of dollars—the impact of which could shut a company’s doors forever or, at the very least, cause reputational damage.

Businesses are scrambling to get ahead of the laws, stay out of the headlines, and as is often the case as new regulations become effective, are lining up at law firm doors to seek privacy compliance advice.

Staying on top of the state and international laws and their corresponding scope, applicability, and exemptions is confusing and often requires the advice of specialized attorneys or outside counsel who have dedicated resources to research and interpret those laws. It is a full-time job. But even the best counsel cannot help you to analyze the laws’ applicability if you are not organizationally and practically prepared for those discussions.

Here are five ways to plan your privacy conversations with counsel so that they are more proactive, cost-effective, and productive.

1. Know Your Product and Roadmap

It seems like a simple (and obvious) statement, but knowing your product and roadmap are the most important components to privacy law compliance.

Historically, the nature and delegation of work between non-legal and legal employees has kept individuals in their respective lanes. When work shifted from one area to the next it was handed off accordingly, or subject matter experts were called in as needed. Legal handled the legal and product handled the product.

Today, times are changing. The product is either data, made of data, dependent upon data, or integrated with another product that processes data. Each product’s use of that data is dependent upon or responsible for compliance with privacy law. Not only is alignment between the legal strategy and product strategy arguably necessary for legal compliance (i.e., privacy by design), but it is also a strategic advantage.

Those companies who proactively implement the tenets and intent of the privacy laws into their foundational framework will not spend time and money redoing work when new laws are imposed or a continuation becomes effective.

2. Find Your Data

Understanding data use in your product and roadmap, and incorporating legal strategy into business strategy is a great start but the legal analysis for privacy laws can’t begin until you know your data.

One of the reasons that privacy laws are so complicated is that the application of, and compliance with, each state or international privacy law may vary on each data element at a company.

If a company’s entire product is made of data, the implications are significant. For example, a typical financial institution product application may, on a single page, contain names, account balances, account numbers, addresses, market data, proprietary information, transactions, health information, and more. Also consider which data fields contain personal identifiable information (PII).

Determining what your team can or cannot do with that data, as well as the obligations that flow from it, can change from data element to data element. This impacts the product by determining things like whether data can be redistributed or if consumer consent requirements are met. They may also have significant legal implications if, for example, some of those data elements are subject to a claim for damages because of a breach. And that’s just privacy—there are other legal implications we will save for another day.

So how do you start to know your data?

Create a data map and start with the basics:

• What data bases does your firm have or rely on third parties for?
• What categories of data does each hold (with a focus on PII as defined by the laws)?
• Where is the data within those databases sourced from?
• What categories of data does it contain?

This is a lot of work. But there are also several technological tools that can help you find PII in your organization. Plus, you do not have to know every detail to get the conversation started. Once you have your basics down, your counsel can help advise you on the next steps in accordance with the laws.

3. Write a Policy That Makes Sense for Your Firm

Once you have your product and data foundations you are ready to start preparing for your legal conversations.

Start with your company privacy policy. Update it accordingly from steps one and two and align the intent with privacy law objectives. For example, ensure consumer consent, follow security and data breach protection best practices, and be clear and transparent. Then, start meeting with each business unit to review, edit, and categorize assets containing personal information.

Counsel can provide guidance on applicable state or international laws and clarify language to help to ensure the legal requirements are met.

4. Create an Operational Privacy Plan

Treat privacy like you would any other long-term, ongoing cross functional business project. Create a privacy working group, led by legal (or your privacy office), that completes annual, long-term, and short-term goals that ensure evaluation of, and compliance with, the evolving legal requirements.

This group should also own responsibility of responding to privacy inquiries and implementing operational standards in accordance with the law. Take new laws to the group and ask the team to help understand the implications. For example, your marketing team may use personal identifiable information in a way you never considered. Be open and collaborative, and determine where privacy fits in to the risk reviews or InfoSec questionnaire, because privacy is not exclusively a legal initiative.

Use the team to decide if you can incorporate operational requirements into your existing customer service organization instead of reinventing the wheel. You can document your operational plan to seek counsel’s advice through their review and prioritize initiatives accordingly while making sure the team is held accountable.

5. Train Your People

Circulate and communicate your privacy policy and privacy plan to educate your employees with a genuine effort to explain the implications as opposed to checking the box.

Establish roles within each vertical that has privacy and data stewardship as a job description requirement. This way, individuals within the verticals can serve as a liaison between their business function and privacy and data governance working groups.

Integrate the privacy and data governance roadmap into your legal strategy and ensure the business is on board and understands the closely tied implications of privacy laws and data breaches. Whatever industry you are in, privacy laws now make your organization a regulated entity.

Once you start implementing these foundational standards, prioritization and gaps will become obvious. Use your counsel to help strategize and focus but remember that outside counsel, especially, cannot know the intricacies of your business. Use and value their advice but do not rely exclusively on it for privacy compliance. Check their work product and use it as a springboard to ask questions.

You already know more than you think.

DISCLAIMER: The eMoney Advisor Blog is meant as an educational and informative resource for financial professionals and individuals alike. It is not meant to be, and should not be taken as financial, legal, tax or other professional advice. Those seeking professional advice may do so by consulting with a professional advisor. eMoney Advisor will not be liable for any actions you may take based on the content of this blog.

You may also be interested in...