Heart of Advice

Insights and best practices for successful financial planning engagement

Practical Responses to Privacy Regulation

Sarah Miller September 15, 2021


State privacy regulations are rapidly becoming a prominent legal concern for U.S. businesses. Privacy lawsuits against fintech favorites are settling for tens of millions of dollars—the impact of which could shut a company’s doors forever or, at the very least, cause reputational damage.

Businesses are scrambling to get ahead of the laws and stay out of the headlines, and, as is often the case when new regulations become effective, they are lining up at law firm doors to seek privacy compliance advice.

Staying on top of the state and international laws and their corresponding scope, applicability, and exemptions is confusing and often requires the advice of specialized attorneys or outside counsel who have dedicated resources to research and interpret those laws. It is a full-time job. But even the best counsel cannot help you to analyze the laws’ applicability if you are not organizationally and practically prepared for those discussions.

Here are five ways to plan your privacy conversations with counsel so that they are more proactive, cost-effective, and productive.

1. Know Your Product and Roadmap

It seems like a simple (and obvious) statement, but knowing your product and roadmap is the most important component of privacy law compliance.

Historically, the nature and delegation of work between non-legal and legal employees has kept individuals in their respective lanes. When work shifted from one area to the next it was handed off accordingly, or subject matter experts were called in as needed. Legal handled the legal and product handled the product.

Today, times are changing. The product is either data, made of data, dependent upon data, or integrated with another product that processes data. Each product’s use of that data is dependent upon or responsible for compliance with privacy law. Not only is alignment between the legal strategy and product strategy arguably necessary for legal compliance (i.e., privacy by design), but it is also a strategic advantage.

Those companies who proactively implement the tenets and intent of the privacy laws into their foundational framework will not spend time and money redoing work when new laws are imposed or a continuation becomes effective.

2. Find Your Data

Understanding data use in your product and roadmap, and incorporating legal strategy into business strategy, is a great start, but the legal analysis for privacy laws can't begin until you know your data.

One of the reasons that privacy laws are so complicated is that the application of, and compliance with, each state or international privacy law may vary on each data element at a company.

If a company's entire product is made of data, the implications are significant. For example, a typical financial institution product application may, on a single page, contain names, account balances, account numbers, addresses, market data, proprietary information, transactions, health information, and more. Also consider which data fields contain personally identifiable information (PII).

Determining what your team can or cannot do with that data, as well as the obligations that flow from it, can change from data element to data element. This impacts the product by determining things like whether data can be redistributed or whether consumer consent requirements are met. Those data elements may also have significant legal implications if, for example, some of them are subject to a claim for damages because of a breach. And that's just privacy; there are other legal implications we will save for another day.

So how do you start to know your data?

Create a data map and start with the basics:

  • What databases does your firm have or rely on third parties for?
  • What categories of data does each hold (with a focus on PII as defined by the laws)?
  • Where is the data within those databases sourced from?
  • What categories of data does it contain?

This is a lot of work. But there are also several technological tools that can help you find PII in your organization. Plus, you do not have to know every detail to get the conversation started. Once you have your basics down, your counsel can help advise you on the next steps in accordance with the laws.

3. Write a Policy That Makes Sense for Your Firm

Once you have your product and data foundations you are ready to start preparing for your legal conversations.

Start with your company privacy policy. Update it accordingly from steps one and two and align the intent with privacy law objectives. For example, ensure consumer consent, follow security and data breach protection best practices, and be clear and transparent. Then, start meeting with each business unit to review, edit, and categorize assets containing personal information.

Counsel can provide guidance on applicable state or international laws and clarify language to help to ensure the legal requirements are met.

4. Create an Operational Privacy Plan

Treat privacy like you would any other long-term, ongoing, cross-functional business project. Create a privacy working group, led by legal (or your privacy office), that sets and completes annual, long-term, and short-term goals to ensure evaluation of, and compliance with, the evolving legal requirements.

This group should also own responsibility for responding to privacy inquiries and implementing operational standards in accordance with the law. Take new laws to the group and ask the team to help understand the implications. For example, your marketing team may use personally identifiable information in a way you never considered. Be open and collaborative, and determine where privacy fits into the risk reviews or InfoSec questionnaire, because privacy is not exclusively a legal initiative.

Use the team to decide whether you can incorporate operational requirements into your existing customer service organization instead of reinventing the wheel. Document your operational plan, have counsel review it and advise on it, and prioritize initiatives accordingly while making sure the team is held accountable.

5. Train Your People

Circulate and communicate your privacy policy and privacy plan to educate your employees with a genuine effort to explain the implications as opposed to checking the box.

Establish roles within each vertical that have privacy and data stewardship as a job description requirement. This way, individuals within the verticals can serve as liaisons between their business function and the privacy and data governance working groups.

Integrate the privacy and data governance roadmap into your legal strategy and ensure the business is on board and understands the closely tied implications of privacy laws and data breaches. Whatever industry you are in, privacy laws now make your organization a regulated entity.

Once you start implementing these foundational standards, prioritization and gaps will become obvious. Use your counsel to help strategize and focus but remember that outside counsel, especially, cannot know the intricacies of your business. Use and value their advice but do not rely exclusively on it for privacy compliance. Check their work product and use it as a springboard to ask questions.

You already know more than you think.

About the Author

As Associate General Counsel, Data Governance and Protection, Sarah oversees the data and privacy legal organization, including legal data strategy, data agreements, data governance, and everything privacy related.
