Beyond the GDPR and CCPA: Leveraging Data Privacy Strategies to Comply with Multiple Regulatory Mandates

Episode Notes

Transcript

Robert Half Legal Report

Beyond the GDPR and CCPA: Leveraging Data Privacy Strategies to Comply with Multiple Regulatory Mandates

11/08/2019

 

Intro: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession, related to hiring, staff management and more, with leading experts in the field.

 

Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.

 

[Music]

 

Charles Volkert: Hello everyone and welcome. I am Charles Volkert, Senior District President of Robert Half Legal and the host of our program. Our guest today is Joel Wuesthoff, Managing Director of Consulting Solutions with Robert Half Legal, where he provides leadership and guidance to clients on information governance, compliance, eDiscovery and other legal service solutions.

 

A former practicing attorney, Joel is a certified information systems security professional, a member of the International Association of Privacy Professionals and an adjunct professor at the University of Maine School of Law. Welcome to the show, Joel.

 

Joel Wuesthoff: Hey Chad, great to be here, looking forward to our conversation.

 

Charles Volkert: Excellent. I know our audience is looking forward to your expertise. Our discussion today is designed to address a key business challenge that is how can organizations stay current on rapidly changing security and privacy laws? As countless companies work to remain compliant with the European Union’s General Data Protection Regulation or the GDPR, many are also preparing for obligations set forth by the California Consumer Privacy Act also called the CCPA, which will become law in January 2020.

 

At the same time, they are grappling with the many new security and privacy laws being introduced by jurisdictions throughout the US, in Canada and abroad that are raising the bar to safeguard individuals’ information and provide consumers with more control of their personal data.

 

Today, we’ll be discussing these strategies and how to develop and maintain a comprehensive data privacy compliance framework as well as how to integrate security and privacy practices into an organization’s overall risk management and operational infrastructure.

 

Joel to start, can you outline the key steps involved in building and managing a comprehensive data privacy compliance framework?

 

Joel Wuesthoff: Absolutely. So let me start with a few practice pointers. Probably the first thing that a company needs to do is decide what their framework will be and when I say framework, I’m talking about the decisions around jurisdictions, the size and scope of a company’s international and domestic footprint and their risk tolerance.

 

When you start talking about risk tolerance, you start talking about the obligations that a statute imposes on a company and the risks of activity and the data that needs to be quantified and qualified. These may be industry specific or company specific but in any event, they must be designed from a particular point of reference.

 

A third practice pointer would be the idea of documenting policies. This includes the identification of policies i.e., do they even exist and are they sufficient to address the company’s practices.

 

Next, I would take a look at getting senior management endorsement. Without a senior champion in the organization, not much will be accomplished or the initiative will be received perhaps in a negative light or without the necessary resources assigned. This is really a first step in overall governance for an organization.

 

Next may be a follow-up for my previous point is establishing the compliance team that would include HR, IT, legal compliance experts. Part of the success factor on this would be assigning roles and responsibilities and mandating accountability through regular reporting at checkpoints.

 

Once you have that committee set up, you’ll certainly want to do some implementation work, which include testing and reviewing both the practices and procedures that you put in place within your own company but also third parties.

 

While appointed time measurement is helpful, ongoing testing and validation is honestly what turns a project in an effective program and part of that monitoring would include training, communication and in particular, communicating your compliance requirements to employees throughout the organization.

 

Secondly, I’m monitoring the ongoing risks as you’ve defined them and then finally auditing the practices, procedures, and roles or responsibilities that you’ve defined and adjust as needed.

 

Charles Volkert: That’s a great list and framework Joel. Obviously, a lot of moving parts and a lot of things to keep in mind, I’m sure our listeners appreciated that detail. How can organizations Joel effectively integrate their security and privacy practices into their overall operational infrastructure and risk management framework?

 

(00:05:07)

 

Joel Wuesthoff: And I think the key point Chad is the word overall, because this can’t be done in isolation or in silos, data management systems for regulatory compliance have to be done from a holistic perspective applied across the companies, many functional areas in order to be the most effective.

 

And so the way to get to that point is identifying, formalizing and appointing typically a Data Protection Officer or a Chief Privacy Officer who will champion, who will drive, who will audit, who will assess all the various moving parts that would be required as part of that compliance program. Without a trained and resource to support those various moving parts and work streams and that kind of senior executive level, the chance of failure is exponentially increased.

 

Charles Volkert: Very interesting. So Joel, as new data privacy regulations are introduced, what’s the most effective process to identify new requirements and incorporate appropriate compliance solutions into an organization’s existing framework and maybe secondarily, how can an organization leverage data policies and processes to comply with requirements from multiple jurisdictions?

 

Joel Wuesthoff: Probably the best place to start is understanding the scope and nature of the privacy obligation, i.e., what is the statute in the particular jurisdiction. The compliance team has to thoroughly examine those regulations, identify and/or create checklist for each regulatory requirement and then direct an individual or team to keep those checklists up to date.

 

Secondly, I’d say that one should identify, maybe isolate the areas of the company that are most impacted by that obligation. This may take the form of creating a roadmap, noting each requirement and a relevant risk assessment. It may also involve centralizing policy and procedures and enforcing and maybe reinforcing communications and training with robust training platform.

 

Certainly, determining actions, needed to comply with the obligation across each business function will be a critical piece of that compliance success. What we see a lot of times is that you may have a good plan, but operationalizing it will be where companies failed to deliver, and that sometimes is the thing that makes or breaks the compliance exercise.

 

The last two points I would mention would be certainly identifying systems, procedures, policies that are already in place that satisfy the obligations that gives you a baseline to identify additional privacy activities that would be required.

 

As a follow-up to that, you may want to identify additional systems, procedures or policies as you start to roll out new solutions, new technologies, new offerings to your end clients.

 

And finally as I said before, certainly testing, monitoring, reviewing and training against those standards is an ongoing requirement. So we’re not just looking at this as kind of a one-off. It’s an ongoing programmatic approach to long term compliance.

 

Charles Volkert: Now Joel, you had mentioned in some of your previous comments some titles, positions within companies and we know some privacy regulations today such as the GDPR compel organizations to appoint a Data Protection Officer depending on certain criteria.

 

How can a company determine it if a Data Protection Officer or DPO is warranted and regardless of the regulatory requirements has it become a smart decision to appoint such an expert to direct the critical data privacy function within an organization?

 

Joel Wuesthoff: Absolutely. So whether or not you choose a DPO, a Data Protection Officer or a CPO, a Chief Privacy Officer, the point is establishing a culture, a role, and an escalation path for companies’ compliance obligations. So the GDPR to your point requires a DPO, a Data Protection Officer in any organization that is a public authority or is a company that carries out certain types of large-scale processing activities.

 

And I’ll tell you across the last three or four years we’ve been dealing with multiple companies, we are trying to make exactly that decision. It may be that they do not choose the DPO role, which is a role designed to ensure that the organization processes personal data in a compliant manner and monitors the usage and processing of that data consistent with the ongoing privacy obligations.

 

They may choose to have the DPO fill the role or they may choose to have another role, the Chief Privacy Officer doing that. What I’ll say at a very high level is that the DPO role is one that is a statutory creation and has some independence attached to it.

 

So if you do appoint that role, that individual have a certain level of autonomy, regardless of the official title it’s vital that all organizations assigned dedicated accountable experts or team to direct data protection strategy.

 

(00:10:03)

 

And that will ensure sustainable compliance and again, the monitoring risk analysis and training message that I’ve continued to try to reinforce here.

 

Note that the appointment of the DPO is not something to take lightly. Some companies on their activity must appoint a DPO, others it’s not obligatory and you need to consider carefully the potential impact of the appointment given the independence required under the statute.

 

Charles Volkert: Great perspective Joel. Very interesting. Well we have much more to discuss about managing the evolving data privacy regulations but first it’s time for a quick break.

 

[Music]

 

Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings, and improve the overall management of human resources.

 

We offer a wide range of resources to assist hiring managers and job candidates, including our Annual Salary Guide, industry-leading workplace research and valuable interactive tools. For more information, call us at 1-800-870-8367 or visit roberthalflegal.com.

 

[Music]

 

Charles Volkert: Welcome back to the Robert Half Legal Report. I am Chad Volkert and with me today is Joel Wuesthoff, Managing Director with our company’s Legal Consulting Solutions practice.

 

We’ve been discussing strategies to help companies stay ahead of the curve and adjust data privacy and security practices to manage the growing volume of data regulations.

 

Beyond the potentially significant financial penalties for non-compliance Joel, why should organizations focus on developing a strong corporate culture regarding data privacy?

 

Joel Wuesthoff: Well to address your first point, the financial penalties are substantial. We can’t put those aside but in terms of developing a strong corporate culture, it’s absolutely important for employees to recognize and understand why the protection of client’s personal information is a priority to help reduce risk and drive data privacy culture.

 

From a bigger picture, a comprehensive data privacy program offers the opportunity to improve customer trust, strengthen company reputation and in fact gain competitive advantage on a topic most important to customers.

 

Charles Volkert: So how can organizations stay current on rapidly evolving data privacy and security obligations?

 

Joel Wuesthoff: So there are a few things that a company can do. Certainly appointing an appropriate manager a team with responsibility, for monitoring compliance regulations globally would be an important first step.

 

Secondly, conducting ongoing research on business privacy news and headlines, subscribing to consumer privacy news feeds, privacy’s association newsletters, monitoring government websites for privacy updates and finally, participating in consumer privacy workshops. There are a lot of different privacy oriented industry groups that one can be a part of and I think benefit substantially from.

 

Charles Volkert: That’s great. And besides the CCPA, are there other particular privacy regulations that companies should begin monitoring today?

 

Joel Wuesthoff: Well I think what we’ve seen, certainly this year in 2019 and we’ll see in 2020 is a development of a number of state specific privacy laws, certainly as you mentioned the CCPA is front and center.

 

Nevada has a new law, Maine has the Maine Act to Protect the Privacy of Online Consumer Information. There are a number of different states as many as 20 who have developed privacy oriented laws and then there’s certainly New York State which does have privacy legislation in queue, did not make it through committee but it will likely come back in the next session that given the size of New York and the impact it will have. It will likely drive many decisions around privacy regulations and a few others that I’ll mention Massachusetts, Texas and Washington State are all different types of laws that are either privacy centric, security centric or both and regardless of which one of those it is, they’re both sides of the same coin and so those are things that our clients have to be thinking about.

 

Charles Volkert: Great information Joel. Unfortunately, we’ve reached the end of our program. I certainly want to thank you Joel for joining us today and sharing such valuable insights.

 

Before we close, how can our audience contact you and where can they obtain more information.

 

Joel Wuesthoff: So pleasure to be on the panel with you Chad. My information is as follows, my email is [email protected].

 

(00:15:00)

 

Charles Volkert: Great and our listeners can also reach me at [email protected]. And you can also visit the Robert Half Legal website for additional information on legal career and management resources as well as data privacy including our latest Salary Guide for legal professionals at roberthalflegal.com.

 

Thanks again Joel and to our audience for listening today. Join us next time on the Robert Half Legal Report as we discuss important trends impacting the legal field and legal careers.

 

[Music]

 

Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Robert Half Legal, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

 

[Music]

 

Thanks for listening to this podcast. Robert Half Legal connects highly-skilled candidates with the best positions in the legal profession. If you liked what you heard today, please remember to rate us in Apple Podcasts. Also, follow Robert Half Legal and Legal Talk Network on Twitter or Facebook.

 

Join us again for the latest information in the next edition of the Robert Half Legal Report, here on the Legal Talk Network.

 

Robert Half is an equal opportunity employer, including minorities, females, people with disabilities and veterans.

 

[Music]

 

Continue Reading