More than 20 years ago, the Federal Trade Commission asked Congress to pass a federal privacy law. Congress has not done so, and perhaps as a result, privacy has been one of the top areas of change in the law for many years.
Today, privacy remains one of the fastest growing areas of the law, and recent years have seen a chaotic and exponential increase in privacy legislation. The number and scope of enacted privacy laws and pending legislation can seem to be endless, and compliance with applicable laws and regulations can be overwhelming.
As privacy law continues to develop and change, an effective privacy program remains an important method for businesses to maintain compliance in a time of chaos.
This article discusses certain key elements of a privacy program.
What is a Privacy Program?
First, let’s answer a basic question: What is a privacy program?
Many equate a privacy program with a privacy policy, but the two are not the same. A privacy program is made up of the roles, policies, procedures, processes, protocols, methods, and resources that have been developed, formalized, and implemented to ensure compliance with the laws and regulations applicable to a specific business.
Gone are the days when a company president might simply designate a person as the privacy officer, and that person would create a privacy policy copied from a website.
Instead, to be effective and compliant, a formal privacy program should be developed with careful, methodical effort under the guidance of privacy law experts.
Internal versus External
As a component of their privacy program, all businesses should have an internally-facing information governance policy providing the documentary framework for the protection of privacy data involved in the business. This document should be coordinated with other relevant documents.
For example, businesses typically have an online presence, and business websites should contain terms of use that incorporate an externally facing privacy statement. This privacy statement communicates the company’s data protection standards to website users and the general public.
Businesses may also provide privacy notices in specific situations, such as with regard to protected health information or in connection with financial relationships, and they may have separate privacy policies related to these special situations.
Conduct a Risk Assessment
Fundamental to managing privacy compliance risk is the assessment of potential exposures. Before a privacy program is created, a privacy risk assessment should be undertaken that identifies and prioritizes risks, allowing for subsequent action to mitigate the highest-priority risks.
As a preliminary matter, this risk assessment requires an understanding of the business, including all departments, operations, and activities. The assessment should include an evaluation of key third parties, such as vendors and contractors.
The assessment should also evaluate corporate data, identifying data with potential privacy implications, as well as mapping that data and tracking privacy data flows, storage, retention, and destruction. The assessment should evaluate the protective measures applied to privacy data, including physical, technological, and procedural security throughout the data flows, identifying appropriate measures and opportunities for improvement.
The assessment should also consider whether risks would be wholly absorbed by the business or whether better protection might be afforded via an insurance policy.
In addition, the assessment should evaluate the legal environment, determining legal requirements applicable to the identified data and business operations. The legal issues are often not limited to security breach notification requirements, as might have been the case in the past.
The sheer volume of potentially applicable legal requirements can be daunting. However, many law firms and vendors can provide this expertise. As new laws are enacted, expert legal services can be of critical importance in navigating the various applicable statutory and regulatory requirements.
In considering legal requirements, in addition to a review of applicable privacy laws, it is important to study the integration of privacy requirements with other legal requirements and internal policies. For example, record retention policies, business continuity and disaster recovery policies, fraud detection and prevention requirements, and financial transaction documentation may require coordination with a privacy program.
Ultimately, a privacy risk assessment should identify and prioritize privacy risks. The assessment should also identify areas where risks can be mitigated or avoided. For example, a privacy risk assessment for a business might indicate that compliance with privacy requirements related to financial transactions is necessary, but compliance with European privacy requirements related to consumer information might be avoided with certain process changes.
Privacy Governance: Responding to Risks and Obligations
A privacy risk assessment helps a business understand its privacy risks and obligations. The business will also need to develop a governance structure within which it will respond to those risks and obligations.
This privacy structure includes certain key roles and responsibilities. At the highest level, the board of directors – perhaps through its audit committee – should provide oversight of the company’s privacy risk management efforts. The executive team should be educated and engaged with privacy compliance activities to support the development of a culture of privacy compliance.
Other roles will vary between companies, but legal advice, cross-functional engagement, and operational integration are necessary components of any privacy structure.
Privacy Documentation
A comprehensive information governance policy provides the overarching structure and the primary documentation for a company’s privacy program. This policy should reflect the company’s philosophy regarding data protection. It should also include a framework for the operation of the privacy program, and it should provide high level guidance to employees.
Other documents may be necessary. First, the overarching policy can be supplemented with procedures that provide simple guidance to employees. In addition, policies and procedures related to specific types of data may be necessary, such as health, financial, and payment data policies. Also, jurisdiction-specific documentation may be necessary, such as policies specific to California, Canada, or Europe.
Policies may be required that are related to specific business activities, such as marketing or credit operations. In addition, required contract terms, customer communications, and other documentation may be needed.
A privacy incident response plan should be developed, either as a standalone plan or as a component of a larger incident response plan.
Implementing the Privacy Program
All the work that has gone into the risk assessment, governance structure, and documentation can be wasted if the privacy program is not properly implemented. Without implementation, the privacy policy and the other components of the privacy program cannot be effective.
The steps and methods of implementation can vary widely, but in general, implementation includes the rollout of online terms, privacy notices, and other internal and external communications. Contract revision may be necessary to the extent that existing contracts involve the disclosure of protected data.
Infrastructure, personnel and other resources may need to be identified and allocated or acquired. Data protection and other security processes and protocols may need to be developed. Employee training should be delivered, and procedures for employee and contractor monitoring and enforcement should be created.
Responsibility for investigation and response to security breaches, and for privacy inquiries from employees, consumers and regulators, should be assigned.
A Necessity: Ongoing Improvement
A privacy program must change over time to remain effective. The program should contemplate changes in the law, business developments, and program experiences that lead to improvements.
The program should provide for ongoing employee training, periodic incident response testing, and annual compliance audits.
The program should be reevaluated at least annually, including an assessment of changes in the law, a program performance and gap analysis, and a review, update, and implementation of program changes.
The program should also be updated when appropriate in response to changes in the law, privacy and security incidents, regulatory inquiries, and other significant developments.
Conclusion: Keep Your Program Up-to-Date
Businesses need to maintain compliance with applicable privacy laws in a chaotic legal environment. A carefully developed, implemented, and updated privacy program can facilitate this challenging task.
This article was originally published on the State Bar of Wisconsin’s Business Law Blog.