On Nov. 1, 2020, California voters passed Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Beyond establishing new and comprehensive compliance requirements, the regulation broadens the definition of businesses bound by the law and creates a privacy enforcement agency that’s expected to be stricter and more defined than before. While the CCPA remains in effect until superseded by the CPRA Jan. 1, 2023, impacted companies are already starting to study additional requirements imposed by the CPRA and address where their privacy practices must change.
Our speakers examine key requirements that differ from the CCPA, new obligations it introduces, higher penalties for non-compliance, businesses impacted, both within and outside the state, and more. They discuss a systematic, step-by-step approach to review existing privacy processes – for example, dealing with privacy notices, disclosures, retention schedules, data minimization and limitation – and identify areas where changes are required. They also offer strategies to leverage practices to comply with the new privacy law as well as requirements from other jurisdictions.
Robert Half is not a law firm and does not provide legal representation. Robert Half project attorneys do not constitute a law firm among themselves.
Intro: Welcome to The Legal Report From Robert Half, where industry-leading experts discuss current hiring and practice management issues impacting the legal profession. Robert Half is a premiere provider of talent and consulting solutions for the legal field. The Legal Report From Robert Half is here, on the Legal Talk Network.
Charles Volkert: Hello, everyone and welcome. I’m Charles Volkert, Senior District President of Robert Half which offers legal talent and consulting solutions and the host of our program. Here with me is Dan Hansen, Managing Director of Protiviti. Dan leads Protiviti’s Security and Privacy practice in the San Francisco Bay Area. Also joining us today is Joel Wuesthoff, Managing Director for the Legal Consulting Solutions practice at Robert Half. A former practicing Attorney, Joel is a certified information systems security professional and a certified information privacy professional. Dan and Joel, welcome.
Dan Hansen: Thanks, Chad. Good to be here.
Joel Wuesthoff: Likewise, Chad. Very nice to be here too.
Charles Volkert: Excellent. Well, since the European Union’s general data protection regulation took effect in 2018, we’ve seen a ground swell of laws introduced to protect consumers’ data and privacy. Today more than 100 countries around the world have put privacy measures in place and dozens of jurisdictions throughout the United States have passed or are currently considering privacy legislation. Of particular note are privacy regulations in California. The California Consumer Privacy Act or CCPA, a law that extends significant privacy rights to its residents, and Proposition 24 known as the California Privacy Rights Act of 2020 or CPRA. Among other actions, the CPRA further expands privacy rights, establishes a new enforcement agency, and creates new protection requirements, and even more.
Today we will take a close look at the CPRA, including new obligations it introduces, key requirements that differ from the CCPA, and the broad range of businesses it impacts both within and outside the State. We’ll discuss important actions that companies should take now to review existing privacy processes and identify where changes are needed. We’ll also explore the strategies to leverage practices to comply with the new privacy mandates, as well as obligations from other jurisdictions.
Joel, to start, can you provide highlights of the CPRA and explain how it will impact consumers and affected businesses?
Joel Wuesthoff: Yes, Chad. So this was on the ballot for the November 2020, and it had a lot of support, passed with 56.2% majority. It essentially introduces a stricter privacy law than CCPA laid out. It’s essentially a redo or an update of CCPA. It was brought forward as Prop 24 to just but many including the primary backers of the Act felt to be attempts to weaken the original CCPA through the legislative process and amendments. So as the citizens’ referendum, the privacy protections to consumers are much harder to curtail. One curtail them through amendments, but not to contravene any of the core protections.
So at a high level, as you mentioned, the CPRA offers additional privacy rights to California consumers, including expansion of opt-out rights regarding how businesses can share personal information. It also augments security requirements and puts in place rules for data minimization and data retention. It has stricter contractual requirements for business’ external vendors and related ecosystem partners and it creates a new agency charged with enforcing the act including the ability to audit companies. And one more thing I’d say is that it essentially absorbs the AG’s rulemaking authority and gives a new enforcement agency the right to issue subpoenas.
Dan Hansen: Yeah. I would also add, Joel that this becomes effective early 2023. So there is this kind of interim period where everyone’s looking at it, everyone’s trying to absorb what’s in the current law. Modifications are being considered around that, but there are provisions that apply to personal data being collected starting January 2022. So, while there are likely modifications on the way, I wouldn’t wait to get your house in order if I were an organization. And kind of the side point or maybe it’s really the main point of why the CPRA and why CCPA in general? I mean, this is all about individual consumers, they want more control of their data. In privacy laws like this, it both protects and empowers them, and really California has been on the forefront of this push.
I mean, what you’re seeing in CCPA, and now CPRA is California leading the charge when it comes to privacy in the US. And while I am particular and I hope all of us had these hopes and dreams, at least maybe the privacy professionals out there. These dreams that the federal government will eventually find some time to create a single holistic approach applicable to all the states so we don’t have this piecemeal thing. Right now, they obviously have bigger fish to fry. So for now, the CCPA, and now the CPRA will kind of do until they get there.
Charles Volkert: So, Joel and Dan, does the CPRA replace the CCPA? And how does CPRA differ from the CCPA?
Joel Wuesthoff: Yes. So it’s important to recognize that the CPRA augments the CCPA rather than replace it. It didn’t change everything. It added a lot of new language and a lot of future opportunities to issue additional regulation. Until the CPRA takes effect, businesses still must comply with the CCPA mandates and requirements. The big takeaway here, Chad, is that it’s much more robust, it aligns more closely with the GDPR, and frankly, it imposes much more prescriptive contracting requirements that are rather similar to Article 28 of the GDPR where you had a controller-processor relationship amongst the parties. That similar contractual analogy remains true under California law.
Dan Hansen: Yeah, that’s an important point when it comes to GDPR are. In fact, there’s other aspects of CPRA taking kind of its guidance from GDPR. In particular, we talked about Article 9 in GDPR which is kind of the enhanced sensitive personal information identified that needs to be handled with greater care. The organizations are receiving. That also is manifest now is CPRA with more data elements that are considered sensitive, right? There’s new data breach guidance as far as the type of data that if breached needs to be notified and usually notified immediately of that data, and the consumers have a greater ability to basically sue organizations if that data is let out.
There’s additional consumer rights, which in my mind never a bad thing. For example, CPRA expands the opt-out rights and refines the concepts of selling data versus sharing data, which really brings some more clarity. Organizations were able to kind of downplay or ignore some of the CCPA requirements as to how they were using and sharing customer data because technically, they weren’t “selling it”; however, they were benefiting from that sharing. And so CPRA intends to clarify that point so it’s a little more clear.
And really, one of the areas that I think is important and there’s some aspects in CCPA around security and the requirement around that, but there’s enhanced focus on data security controls for businesses whose data practices present what’s kind of in quotation marks, “a significant risk” to consumer privacy or security, which as a security guy it’s a big deal. You know, nothing focuses the mind than when you have an audit staring you in the face and you need to actually report on your work. What that will actually look like is not quite clear, but anything that enhances the security profile of an organization to me is a good thing. There were hints as to what the standard will be from a security standpoint. Before there was talk of SAMS Top 20, which is now the CIS Critical Security Controls. That was kind of name-checked in the past by California law makers. So there’s a hint that that would be something similar that organizations should look to when it comes to security in the future.
Charles Volkert: So great information from both of you. And maybe picking up Dan on a couple of points that you mentioned. Could you expand on the changes regarding sensitive data and data breach liability? And how does the CPRA broaden a business’ obligation in each of these areas?
Dan Hansen: Yeah. So, when it comes to the new category, they’re calling it sensitive personal information, and it includes things like driver’s license and passport numbers, financial account information, racial or ethnic origin, religious or philosophical beliefs, union membership, to just name some of them and — oh, precise geolocation is one of the areas that is a focus. The CPRA imposes new obligations on disclosure of that information. Basically, now if you’re an organization and you’re receiving that information or need that information to provide the service that you’re providing, you need to make sure that your disclosures are clear of, hey, we’re receiving this sensitive personal information and we understand how sensitive it is, and we’re going to manage it accordingly. So, how that makes itself manifest in the disclosures is going to be important for an organization.
The new guidance also enhances a consumer’s ability to limit the use of their sensitive personal information, including if it’s sold or shared, which is also again bringing more power to the consumer.
When it comes to the data breach liability, liability now includes email address and expands the potential for breach-related lawsuits around that, which wasn’t quite clear before, and it gives consumers the right to bring a private lawsuit for data breaches if there’s an exposure where there’s a combination of email and password or the associated security questions that you usually answer and the answers around that. And I think one of the interesting things is as a consumer no longer must show that they were harmed by a breach to actually bring that lawsuit. So definitely a big shift and we’re looking at that with great interest.
Charles Volkert: Excellent detail. Appreciate that, Dan. At first glance the thresholds for businesses affected by CPRA are very similar to those included in CCPA. What’s different and does the recently passed legislation still apply to businesses outside of the State?
Joel Wuesthoff: The short answer is yes, the CPRA both expands and narrows the scope of businesses affected. It still includes businesses in-state and outside of California that process, collect, share, sell California consumers’ data, but they have to meet one or more of the compliance triggers or standards, and those are that the business has annual gross revenues of more than 25 million in a prior year or the prior year. Here’s where it differs a little bit between the CCPA and CPRA, it jumps up in terms of businesses that must buy, sell or share personal information of a hundred thousand, not or no longer 50,000 consumers or households. Secondly, businesses that receive 50% or more of their annual revenues from selling, and this is the added term as Dan mentioned, sharing consumers’ personal information. So it’s the sharing part that will likely expand the number of businesses subject to the Act, Chad.
Charles Volkert: That’s great, Joel, appreciate that. And we’ve got some great back and forth with both of you as experts. So maybe looking to Dan, CPRA requirements relating to providers and third-party vendors differ from those included in the CCPA. In particular, Dan, the law introduces an additional category of data recipient “contractor.” How does this really impact the covered businesses?
Dan Hansen: Well, I’ll speak more broadly around that, Chad. I mean, you look at the new guidance and their definitions for contractor, for third-party, for service provider. At the end of the day, there are new requirements across all three either new or enhanced. And so those defined definitions reflect enhanced obligations for all three of those and it also increases the requirement that organizations who are using contractors, third parties, service providers, have a clear understanding of how they are handling and managing data. And are there any sub-service organizations that they’re then sharing that data with as well? The CPRA imposes multiple requirements on the protection of private information including selling, sharing, disclosing personal information. So, all the things that you as an organization are supposed to be doing, you got to make sure that all those other parties are doing the same thing, but they’re taking the same level of care when it comes to the information that you’re sharing with them. And what that’s really going to mean in practice is you’re going to spend a lot of time with your contracts with those organizations, looking at that specific privacy-related language and obligations to make sure that those requirements are really baked in, which doesn’t sound like a big deal until you really think about the number of third-party organizations that your typical public company has nowadays. We’re talking about hundreds of organizations, we’re talking about hundreds of contracts to be reviewed, extensive data mapping, exercises that need to be conducted to understand the real flow of data. So, there was obviously aspects of this in CCPA, but it really is an exclamation point on it from a CPRA standpoint.
Charles Volkert: Excellent. Great points for sure, Dan. Joel, anything to add?
Joel Wuesthoff: Yeah. I think Dan hit it right on the head. CPRA has really turbocharged the CCPA and aligned it with GDPR and I guess I have two comments. One is this concept of flow-down obligations that Dan talked about. They’re very prescriptive under the CPRA in terms of what must be in the contract, including noting that the personal information that is sold or disclosed has to be for limited and specified purposes. It obligates the parties to notify the business if it can no longer comply. It gives the business the right to stop or remediate unauthorized uses a PI. And it also provides just a language in certain cases where one can and has the right to run automated scans and testing of third parties. So we’ll have to see kind of how that flows from the regulations under the new privacy enforcement agency.
The other thing, and we’ve seen this historically with companies with large volumes of contracts, where they need to review those contracts, review them for certain provisions, determine whether those provisions exist in and what form. And so we’re starting to see more automated contract management using, say, classification engines to identify certain provisions, flag those to the attorney so that they can update those provisions for GDPR, CCPA and CPRA. So, I think what we’re going to see is both kind of a two-track approach, which is, one, making sure those contractual provisions are in line with requirements, and then number two, is leveraging technology to make it frankly feasible and economical to do that.
Charles Volkert: Well, thanks to you both. We have much more to discuss about CPRA with both Dan Hansen and Joel Wuesthoff, but first it’s time for a quick break.
Female: Is your legal team buried under rising workloads, having trouble containing costs or staying ahead of changing regulations? Robert Half can help. We assist thousands of organizations including Fortune 500 companies and Am Law law firms, offering an alternative to legal staffing and project management. Our flexible talented consulting solutions can be customized and seamlessly integrated into your organization to help alleviate the time or budget management challenges facing your team. Connect with us today at roberthalf.com.
Charles Volkert: Welcome back to the Robert Half Legal Report. I’m Chad Volkert and with me today are Dan Hansen, Managing Director for Protiviti’s Security and Privacy practice, and Joel Wuesthoff, Managing Director for the Legal Consulting Solutions practice at Robert Half.
Earlier, we briefly touched on an interesting look-back clause in the CPRA that I’d like to discuss in more detail. It’s important that we covered businesses and that they understand what this provision means and its time line so they can start taking necessary actions to ensure compliance. The CPRA provides California consumers the right to know and to access personal data that businesses have collected. Specifically, if a resident requests such information any time after the Act takes effect at the start of 2023, a business must respond with the person’s personal data collected going back 12 months. That means that any data collected since January 1, 2022 is subject to the law. So it’s critical that businesses begin now to appropriately manage personal data gathered by the start of 2022. Joel, could you cover some additional points as it relates to this?
Joel Wuesthoff: Yes, Chad. And I’m going to actually touch on what you just mentioned about the 12 months. That’s the way the statute reads now, but there may be some movement next year when the privacy enforcement agency, the CPPA, issues additional regulations and they may — and they’ve got the authority to extend that beyond 12 months, so long as that 12 months doesn’t pass beyond January 1, 2022. In other words, that would be the as far back as possible date. So we need to watch those dates very carefully.
Secondly, it’s only important to note that the CPRA expands the types of information that businesses will need to reveal. Dan talked about that so I’m not going to touch too much about that but certainly the categories of contract and service providers to whom a business has disclosed personal information or sensitive personal information. It does compel affected businesses to submit risk assessments to the State on a regular basis under certain conditions, and those conditions, again, to be kind of punted down the road to the regulatory authorities are where the information may present a significant risk. So, it may be possible that regulations will not require all businesses to undergo a security audit if they are not collecting or processing sensitive information, but we don’t know that yet. But at the very minimum, you’ll need to be able to find and produce information that are collected that falls into these miscellaneous categories.
And then the other thing I’ll mention is that as it relates to those conditions that I talked about, the regulatory bodies will evaluate the size and complexity of a business, the nature and scope of a processing activity. So if your cloud provider or if you’re working with a number of different companies and ingesting their personal information, supporting their operations, there’s a good chance you’re going to need to be watching that. And then the other thing I’ll mention is that as companies look towards the future, some elements of the Act cannot be remediated at this point, but we are seeing clients start to take a look at their policies or procedures, the types of information that they’re collecting because that 12-month look back, as you mentioned, Chad, kicks off in five or six months from now, where you’re going to need to look back to the first part of January and describe exactly what you’ve collected, how you’ve collected it, and to whom you’ve given it to.
Charles Volkert: Great points, Joel. And I wanted to maybe mention a few more examples of activities that may require risk assessments. In particular, when businesses process data on a large scale, when they use automated processing including profiling to evaluate a consumers personal information, they include large-scale processing of sensitive data, process data of vulnerable individuals, for example, children particularly critical since the administrative fines can be levied up to $2,500 per violation of the Act or up to $7,500 per intentional violation or violations involving minors, and the use of innovative or new technologies would be the final point.
Maybe turning to you first, Dan. What other specific actions should businesses be taking now to prepare for compliance with the CPRA? And after your thoughts, Dan, would love to hear from you, Joel.
Dan Hansen: Yeah, sure. I guess step one, determine if you need to be complying with the CPRA and I know Joel kind of walked through some of the requirements there at a high level. Chances are, if you’re beholding to the CCPA, CPRA is in your wheelhouse and you’re going to have to be compliant. But the standard retort on this type of thing is check with your legal counsel. Make sure you get some good insights and good guidance there. I would be thinking deeply about how you’re going to structure the review within your organization. This is usually a cross-functional team that needs to kind of come together. That can include HR, could be marketing, legal, security, IT, ops. It’s usually a significant group that needs to come together and think about what are we doing now, what data do we have, and what do we need to do to apply the changes to our environment?
We talked about the risk assessment and that some organizations may need to do it, some may not need to do it. I would recommend that most organization should go down that path and to do that detailed risk assessment. And that includes understanding the type of data that we have as an organization, the types of risks if that data were to be exposed or to be used improperly, what are the controls we have in place. Do those controls actually address our risks and do we have residual risk in the organization that needs to be addressed? I think that the risk assessment is time well spent. Kind of going hand-in-hand with that risk assessment is an organization should be spending a good amount of time understanding what that data map looks like, how does data flow within the organization, where does it reside. So that data in motion, data at rest. And like we’ve talked about, Chad, I mean, you’ve got to look at your third parties. Third-party risk management is a big deal nowadays, not just for privacy, but for security. Contractually, how you interact with your customers. It’s important to make sure that you’ve got a good handle on third-party risk management. And it’s not an easy thing. It looks easy on whiteboard as I always say, but when it comes to actually having a robust program it’s a hard thing to do. So those are some areas that are kind of top of mind for me.
Joel Wuesthoff: Yeah. And just to pick up on Dan’s comments, I think historically over the last five or ten years, most companies are familiar with records management and information governance from a records perspective and retention schedule perspective; creating a floor for how long records need to be kept and litigation and preservation notices, and making sure that you preserve all records that are responsive to subpoena or a document request. But if you do not have any pending litigation or anticipated litigation, you might want to proceed with getting rid of business records that have no utility to the business. We now introduce privacy, and privacy has some kind of records elements to it that require companies to limit the types of information and categories of information kept and only keep them for so long as you need them or that’s applicable for the original purpose. What that means is that you now have another reason with some teeth behind the regulatory authorities to review your records retention schedule and actually the piece that requires you to delete the data after certain period of time.
So in conjunction with that, the Act requires businesses to advise consumers how long they expect to retain each category or the criteria, and most companies I think, just because of the effort and the volume, generally keep data longer than they should. And this is kind of a little bit of a kick in the pants and hopefully not more than that for a company that manage lots of information to review those records practices and update them because that will be a focus for the regulatory bodies so that you’re not collecting data longer than than you should.
And one other point I’ll mention is that there is I think a ten-million dollar yearly budget for enforcement, which is sizable and the entity that is that is forming around enforcement will likely be looking at these issues around retention, disposition, and using data for secondary uses that were not permitted by the original consent or notice.
Charles Volkert: Great detail, Joel and Dan, I appreciate that. Maybe as we saw with the CCPA obligations for business continued to be altered, updated, and changed for several months, even after the law became enforceable can we expect similar modifications with CPRA before it takes effect?
Dan Hansen: Absolutely. It’s ongoing now. We’re seeing some of the topics, things like cyber security audits, submitting risk assessments. How is that going to work? What are those going to entail? What are the requirements around that? You know, the scope of the agency’s authority regarding audits? When I say “the agency” I’m talking about the CPRA enforcement agency or the California Privacy Protection Agency, which goes by — I think is going to go by CalPPA. I haven’t gotten some guidance yet from the privacy folks out there, but I think the — I think it’s going to roll off the tongue really well, CalPPA. Anyways, their board members have been announced in March. They’re in place. They had their first meeting in June. They plan to meet monthly. They’re working this. They’re looking at the different topics. I think we’re going to see quite a bit of change coming your way.
That said, it’s not a signal to kind of wait and see. I think most organizations need to be focused on what they do know now. Again, doesn’t stop you from doing a data mapping exercise, doesn’t stop you from doing risk assessment. I’ve also seen quite a few organizations that never quite got there with CCPA. So it’s a chance to go back and do the work and get to where you need to be. But yeah, we’re going to expect to monitor this closely going forward and looking for those updates and organizations are going to have to take appropriate actions when things change.
Charles Volkert: Thanks, Dan, appreciate that. Joel, can you offer some tips to help businesses effectively monitor updates to CPRA to ensure they remain current with the compliance mandates?
Joel Wuesthoff: Yeah, and I think the most effective way to do that is to designate someone who can be responsible for that. A compliance team should appoint a manager responsible for regulatory monitoring developments. The law, the CPRA creates a chief privacy auditor. So you’ll want to designate someone within the organization with the appropriate resources and responsibilities to track, to monitor and respond. Secondly, establish some monitoring capability to identify and understand updates to the law. Make sure you’re updating policies and practices accordingly. Third, conduct ongoing research on business privacy news headlines, subscribe to consumer privacy newsfeeds, privacy association newsletters and other websites. I will say that similar with we’ve seen with the GDPR in the cross-border transfer issues around Schrems is that part of the risk assessment, and Dan mentioned risk assessment being one of the kind of key elements, is to look at the sector, sector-specific activities around US surveillance. Now that’s not at issue with what we’re talking about here, but the point is that it’s important to know what others in your industry are doing so that you can align yourself with some good practices, even if it’s not best practice, good practices. And finally, there are plenty of privacy workshops in the marketplace. And you can certainly reach out to us for those in addition to one that we’re doing today.
Charles Volkert: Excellent checklist. Appreciate that, Joel. Dan, Joel, as we look beyond the CPRA, what other privacy regulatory activity during recent months should organizations be monitoring?
Joel Wuesthoff: I’ll jump in there with some comments. I think interestingly, or not, President Biden just this week appointed Alvaro Bedoya to fill a vacated seat on the FTC. He’s a well-known privacy expert, who was in the Senate. He’s been a critic of surveillance technology and is likely to bring significant expertise and focus to the SEC. The Stat of Virginia passed Consumer Data Protection Act in March 2, 2021. It makes the Virginia the second state to enact a consumer data protection law. There’ve been a host of other states that have tried and pushed through a variety of different privacy laws and we’ll continue to see those popping up as we go into ‘22. The Virginia Act applies to organizations that do business in the state, again, similar to California’s CPRA and CCPA, and the numbers are fairly similar, 100,000 consumers per year. The numbers a little bit lower as it relates to processing personal data around 25,000 consumers. But similar to privacy regulations in California elsewhere where, again, to Dan’s original point, that the focus has been consumer protection, the ability for consumers to protect their rights and control how their personal data is used, and particularly the right to access personal information and correcting accuracies, delete data and opt out. So that law takes effect on January 1, 2023, coincidentally the same day as the CPRA.
Dan Hansen: Yeah. And really to build on that, we’ve got Colorado coming in I think July 8 they sign that into into law and takes effect 2023. Very similar to California and Virginia in a lot of ways as far as some of the key points, privacy points, consumer protections, but you’ve got New Jersey, you’ve got New York, you’ve got Washington, Minnesota, Oklahoma. Very much looks like our breach notification law is very similar, but kind of different across the 30, 40 different states in which those cover things, and I think I made this point early on, which is rarely do I long for the federal government to insert themselves, but now would be a good time to come in and kind of pull this together so we have more predictability.
Charles Volkert: Got it, excellent. Well, as business teams work to manage privacy compliance, how can they leverage privacy policies and practices to comply with requirements from multiple jurisdictions?
Joel Wuesthoff: Yeah, this is a real tough one. We have some clients that come to us and say, look, we want you to draft a policy or a notice on our website that complies with a certain law requirement. And I think the real challenge and this goes back to building a data map or a data flow, understanding your data and what you do with it, is to make sure your practices are consistent with what you represent in your policies or your notices because that’s one of the biggest gaps that the organization may not know exactly what their employees are doing or their consumers are doing, but yet they’re representing something that is at odds with those practices. So it’s critical kind of along that line is to build a jurisdiction-agnostic approach into the privacy framework for no other reason that we’ve got tens if not hundreds of various privacy jurisdictions globally that are building similar but not necessarily identical privacy framework. So it’s important to build your privacy program and to be able to be flexible and be adherent to a specific jurisdiction’s requirement. So that requires looking at each regulation, creating a checklist of requirements by topic, and as I mentioned before, regularly monitoring those requirements. And then isolate areas of the business that are most impacted by obligations and that usually is your HR, your sales and marketing, and increasingly engineering where as you’re developing new products, that will require some privacy by design, the elements, to ensure that you’re not building something that is adverse to consumer’s rights.
Dan Hansen: To Joel’s point, I mean, the work ahead of us is going to keep privacy lawyers and professionals busy for a long time. When we’re thinking about these creating a program or a policy or the practices for an organization to operate nowadays in this kind of environment, we’re looking for the most restrictive laws out there we’re trying to adhere to those. That takes a lot of mapping back and forth amongst all the different standards to create that. You’ve also got organizations beyond just the state and federal and privacy laws and those in other countries. They’re relying with the generally acceptable privacy principles because they have a SOC 2 requirement that they’re working towards. And so there’s a lot of mapping that’s going on. It’s not easy nowadays to make sure that you’re doing right by each aspect of making sure you’re keeping them straight. But that mapping exercise amongst the different standards in what you’re trying to achieve is important. So definitely focus on that. It’s not something that’s a one-and-done. You need to very much operationalize the program. It requires that an organization kind of reassesses where they are on a regular consistent basis. So you need people in the organization that are focusing on this, making sure that you’re taking the right steps.
Charles Volkert: Thanks. You’ve both provided helpful and timely information to our listeners for sure. But unfortunately, we’ve reached the end of our program. Special thanks to Dan and Joel for joining me today and sharing your valuable knowledge and guidance. Before we close, how can our audience contact you and where can they obtain more information? Maybe turn to you first, Joel.
Joel Wuesthoff: Sure, Chad. It was a pleasure to be here today. My email is [email protected].
Charles Volkert: And Dan?
Dan Hansen: Yeah. And for me it’s [email protected], that’s Protiviti with an I and not a Y on the end. I would also encourage anyone to go to the Protiviti website where we have a slew of information around security, around privacy, and around other solutions that we offer.
Charles Volkert: Excellent. And our listeners can reach me at Charles.Volkert, that’s V as in victor, O-L-K-E-R-T.
And you can visit the Robert Half website for additional career and management resources including our latest salary guide, as well as information about our talent and consulting solutions at roberthalf.com.
Thanks again, Dan and Joel, and thanks to our audience for listening. If you like what you heard today, please write us in your favorite podcasting app and follow Robert Half and Legal Talk Network on Twitter and Facebook. Join us again for the next edition of The Legal Report From Robert Half here on the legal talk network as we discuss important trends impacting the legal field and legal careers.
Outro: The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Robert Half, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to this podcast. Robert Half is a premiere provider of talent and consulting solutions for the legal field. Robert Half is an equal opportunity employer including minorities, females, people with disabilities and veterans. Robert half is not a law firm and does not provide legal representation. Robert Half project attorneys do not constitute a law firm among themselves.
Podcast transcription by Tech-Synergy.com