GAMABrief: Beyond the Privacy Policy: Privacy Management in Seven Steps

With a national debate underway about the value of individual privacy and the protection of personal data, the importance of updating your organization’s privacy policies and adopting a set of best practices has never been more crucial. But, privacy compliance requires more than just drafting and posting a privacy policy.

The framework of laws and regulations governing how organizations may handle customer data is global, complex and dynamic. In the United States, for example, an entity must comply with federal, state and local regulations, including a variety of industry-specific statutes, data breach notification laws, data retention laws, cookie tracking and do-not-track requirements and much more. Brands going global will be subject to a laundry list of foreign regulations, notably including major restrictions on cross-border data transfers.

Complying with, and anticipating, the growing and tangled web of worldwide privacy regulations requires more than just an auto-generated privacy policy – it requires a complete privacy management system for your business.

To get your business privacy compliant, here are seven essential steps to developing a comprehensive privacy framework.

Transcript

Step One: Assess

The first step requires your business to ask two questions: (1) what data do we collect, and (2) how are we using, storing and transferring that data? A privacy audit by an independent third party can help identify data collection events, classify the sensitivity of the data collected and ascertain who has access to the data and how securely the data is stored.

Step Two: Plan

Planning may be the single most important aspect of adopting a comprehensive privacy framework. This step calls for comparing your organization’s current data privacy practices to applicable laws and regulations.

A data privacy attorney can tell you which laws apply to your specific business based on your industry, geography and the type of data you collect. In addition, privacy counsel can advise you as to the trends in regulations around the globe to give you an idea of where the rules are headed. These data privacy “best practices” represent a target for which an organization can strive.

After determining the applicable laws and industry best practices, it is necessary to decide on policies to help guide your organization’s decision-making as it relates to personal data. What data will you collect? Who on your team will have access to that data? How long will it be stored? Will you transfer it to third parties? Will you sell it to third parties?

To help with this, consider that the gap between data privacy best practices (i.e., where the regulations are headed) and your organization’s current privacy practices constitutes legal and business risk. As a formula:

Privacy Best Practices - Current Privacy Practices = RISK

Legal risk comes in the form of potential regulatory sanctions from administrative bodies, such as the Federal Trade Commission (FTC), or litigation. Business risk manifests itself as loss of consumer confidence and trust. Both can be devastating to a business in a consumer industry.

In order to decide how you will handle personal data, you will need to determine how much risk your business is truly willing to assume. Making this decision will allow you to craft organizational policies that can guide your business’ current and future actions. We refer to these overarching policies as a data privacy framework.

A GAMA White Paper produced by Brandon Wiebe. © 2013 Gagnier Margossian LLP. All rights reserved.
Step Three: Draft

Once you have decided on your organization’s privacy framework, you will need to commit these policies to writing. The written framework should comprise a series of documents, each geared towards a different audience. A public-facing privacy policy – the type of document most often associated with the term “privacy policy” – can help inform the consuming public about how you handle personal data. Equally important are documents for employees, managers, vendors and partners. These documents will be the guidebooks you can use when making decisions about how to get your business where it needs to be.

Step Four: Implement

Now that you have codified your data privacy framework, it’s time to implement changes to get your business into alignment with your policies. A single manager dedicated to overseeing the implementation of these changes can make the process run smoothly. Most growing organizations dealing with personal data will need to hire or retain an individual to act as Chief Privacy Officer. The CPO can manage the implementation process by taking the identified deficiencies in privacy practices and breaking them down into specific milestones and deliverables. For most businesses, where the engineering, product and development teams are often overtasked with bugs, fixes, improvements and releases, it is important to have a C-level manager responsible for prioritizing data privacy implementations or to have a strong relationship with outside privacy counsel.

Step Five: Disclose

It’s not enough to simply draft a series of policies if no one ever knows about them. As soon as possible, you should post your public privacy policy to your website. If you’re a mobile business, it is imperative to post a tailored privacy policy to all ports (iOS, Android, etc.) and iterations of your applications. If you’re sending or receiving data to and from third-party vendors or partners, you should disclose your policies to those organizations as well.

It is often necessary to integrate your policies into your sales and vendor contracts, both to comply with international data transfer regulations and to insulate your business from liability caused by the actions of any third-party vendors. You should also disclose your policies to your managers and employees. Setting up regular employee trainings on data privacy is a good way to ensure your team is on the same page and working towards the same goals.

Step Six: Grow

At its most fundamental level, business growth and development is a series of decisions made by executives, managers, engineers, product developers, in-house counsel and other teams within an organization. Business success is often a calculus of assumed risk weighed against potential reward. The purpose of a comprehensive privacy framework is to guide organizations in determining how much privacy risk to assume. Now that your organization has a series of policies in place for how to handle personal data, it is imperative to ensure that all decisions remain consistent with these policies. This will help mitigate unnecessary risk while at the same time cultivating innovation.

By this point, your privacy framework will be imbued not only in your written policies, but also in your organization’s mission and culture. A privacy-first culture can pilot your innovators to develop products that incorporate privacy by design. Privacy by design simply means that your organization’s data privacy framework is built into your products and services at the most fundamental level.

Step Seven: Rinse & Repeat

Two things are certain: your business will develop, expand and roll out new products and services as it grows, and governments around the world will legislate new rules. The European Union, for example, is currently undergoing a major overhaul of its data privacy program. Stateside, more state governments are enacting their own privacy regimes in the absence of meaningful federal regulations. The FTC is wielding the full extent of its administrative power to crack down on organizations that are not meeting a minimum threshold of privacy protection.
In order to maintain the privacy framework and culture your organization spent time and energy fostering, it is important to repeat these privacy management steps regularly. Quarterly reassessments of privacy practices can identify updates to your products or services that may not meet your own privacy standards. New regulations may also arise that require altering or amending your data privacy framework.

Gagnier Margossian LLP provides comprehensive data privacy solutions for businesses of all sizes. From developing a tailored data privacy framework and drafting policies to serving as an organization’s CPO and privacy manager, we offer a broad range of legal and consulting services aimed at getting and keeping your organization privacy compliant.

Los Angeles | Sacramento | San Francisco
T: 415.766.4591 F: 909.972.1639 E: consult@gamallp.com
gamallp.com @gamallp