10 Data Privacy and Security Practices Your Business Should Adopt

June 24, 2019

Data privacy and cybersecurity practices are becoming increasingly important in view of new legislation, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the increasing sophistication of hackers and bad actors. Between 2000 and 2017, cybercrime and breaches of privacy impacted more than 4 million individuals. Cybercrime and breaches of privacy also caused losses of more than $1.4 billion in 2017 alone. To limit liability and protect corporate assets from theft, there are a few fundamental measures your business should consider.

1. Identify relevant data privacy and cybersecurity laws and regulations

The scope of data privacy and cybersecurity laws varies across the globe, and your business may be subject to one or more of them based on the location and type of personal information you collect or use. The European Union relies on an omnibus framework, where the regulations cover all data processing regardless of context. In comparison, other countries, like the United States, have a sectoral framework of data privacy, meaning the laws and regulations are industry-specific. This means there are different laws pertaining to health information, student information, information collected from commercial transactions, and others. Knowing which regulations apply to your business is a key first step in compliance.

2. Appoint a Data Protection Officer (DPO)

A data protection officer is someone in charge of coordinating and overseeing data privacy compliance and security for your business. Often, DPOs are employees of the business, but they may also be external consultants. The DPO can train employees, coordinate with third-party vendors, work with legal counsel to ensure compliance with relevant laws, work with IT professionals, and ensure corporate privacy policies and procedures are up to date.

Note also that a DPO is not the same as a compliance officer, and one individual should ideally not serve a business in both capacities. A DPO may be required by law for some companies under some regulations, like the GDPR, but it is always a good idea to have someone in the company oversee data privacy and cybersecurity procedures.

3. Conduct a Gap Analysis

Conduct an information security gap analysis of your business's current practices to identify where your business complies and where it must modify its procedures. In doing so, make sure you select a robust and commonly recognized industry-standard security framework. A thorough gap analysis should assess not only hardware and software but also the human element, such as employees and third parties.

4. Work with Legal Counsel and IT Professionals to Develop and/or Modify Your Business Practices

After conducting a gap analysis, you should know and understand any gaps or weaknesses in your existing practices. Using this information, work with IT professionals to develop a security profile of hidden weaknesses, for example areas where your business may be legally compliant but lacking in terms of system robustness, and remedy these weaknesses. Additionally, work with legal counsel to determine whether and how relevant laws have changed so your policies and procedures can be updated accordingly.

5. Make Your Policies and Procedures Available to Employees

After updating your policies and practices, make sure they are easily accessible to your employees. If there is any question about how information should be processed or handled, your employees should know exactly where to look. This can include electronic and hard copies of business policies, as well as employee training (discussed below).

6. Make Your Policies and Procedures Available to Consumers

Many data privacy laws require businesses to make certain disclosures available to consumers. For example, businesses must disclose some or all of: consumer rights, what information is collected and the purpose for collection, how the information is processed, who handles the personal information, whether and to whom the information is sold or shared, how long the information is stored, and others. Businesses must also have easily identifiable links to request forms through which consumers can submit requests, such as a request that information be deleted, a request for an inventory of personal information collected, a request that information cease to be collected, and others. The specific nature and extent of required disclosures and permissible consumer requests turns on the particular laws applicable to your business, which is partly why it is so important to identify relevant laws at the outset.

7. Work with Legal Counsel to Update Contracts with Third-Party Vendors

Data privacy laws and regulations apply not only to your business, but also to businesses that handle, store, or process personal information on your behalf. Work with legal counsel to update or draft new contracts with third parties to ensure that other organizations handling personal information on your behalf also certify compliance with applicable privacy laws.

8. Work with Legal Counsel and IT Professionals to Develop an Incident Response Plan

Although robust, preventative policies and procedures can limit the risk of a data breach, it is almost inevitable that your business will suffer a data breach of some magnitude at some point in time. It is therefore critical that you work with legal counsel and IT professionals to develop an incident response plan before an incident occurs. This can include measures such as following reporting requirements, forensic data analysis, and remedies provided to consumers whose information was leaked or stolen.

9. Train Your Employees

Robust data privacy policies and business practices will be ineffective if employees do not follow them. With every update to policies and practices, train your employees so they know what personal information is collected, how it is processed, and the compliant procedures relating to it. Where relevant, employees should also receive training in handling consumer requests regarding personal information and informing consumers of their rights. Employees must also receive training for crisis response, so that in the event of a cybersecurity incident, the damage from an attack or leak is not magnified.

10. Update Your Policies and Practices Regularly

Finally, data privacy and cybersecurity laws will be enacted and updated regularly in the next several years. It is important to work with legal counsel to be aware of such changes, and to update your privacy policies and business practices accordingly. Relatedly, you should continually review the sufficiency of your existing procedures and protocols in light of new and emerging cybersecurity threats.

These are just a few key steps to help render your business compliant with data privacy laws and regulations. These steps will look somewhat different based on a business's size, location, industry, and other factors. As a result, you should work with professionals to develop and adopt a holistic system tailored to your company.

Sarah M. Luth is an Associate Attorney in the Biotechnology & Chemical Patent Practice Group at McKee, Voorhees & Sease. For additional information, please visit www.ipmvs.com or contact Sarah directly via email at sarah.luth@ipmvs.com.