Don’t Give Me a Legal Memo, Tell Me What the F*ck To Do
Since privacy has been in the spotlight, businesses have been scrambling to get their house in order to minimize their risk exposure. Although privacy risk is not just a legal issue, c-suites are increasingly expecting in-house counsel to take over the Privacy Officer role. With that, in-house counsel are expected to navigate a complicated privacy maze of legislation, regulations, standards, technologies, ethics, tools and internal politics. The legal memos and legal opinions in-house counsel are used to providing will no longer suffice. A Privacy Officer is expected to design an enterprise Privacy Program, operationalize it, coordinate with business units, train staff, monitor and enforce it, stay on top of the constantly changing privacy regulations, update the Privacy Program and, if that weren’t enough, put out the daily fires they were hired to deal with in the first place. Simple, right? NO!
What does this mean for you, the in-house counsel designated as the Privacy Officer, and how can we, the privacy specialists, help?
Memo Shmemo
Unfortunately, no amount of legal research and writing will help you operationalize a Privacy Program. Legal research may help you understand how to design policies but it does little in the way of helping you implement processes and procedures - the “how”. Operationalizing a Privacy Program requires careful investigation into how different business units operate, meticulous attention to data flows and data uses, strategy on how to streamline privacy throughout the enterprise, as well make a case to get buy-in from the top and staff. Translating laws and regulations into actionable processes and procedures is our strong suit.
Who You Gonna Call? Privacy Busters Experts
Irrespective of whether you are a new in-house counsel or a seasoned one, you will likely need guidance navigating these muddy privacy waters. Our hyper-focused privacy experience, including our practical organizational and technical know-how, allows us to identify privacy risks in a business that may go undetected until it is too late, and develop practical practices to reduce those risks.
While some privacy specialists are recovered lawyers, others have diverse skillsets. Privacy specialists can be technologists, IT specialists, business experts, data scientists, security experts, marketers, academics and project managers. Many have worked in-house for businesses building Privacy Programs. They gained the practical skills (and scars) by overcoming the trials and tribulations Privacy Officers often face. These diverse skills and experiences help us communicate with stakeholders in different business units and understand their perspectives, technical language, and pain points. This is particularly important as the Privacy Program needs to address privacy risks in every business unit.
Privacy Specialists Are Privacy Chameleons...red, gold and green…
Most in-house counsels are experts in the areas of litigation, corporate law and employment law. Privacy and security are often uncharted territories for in-house counsel. Even if you are familiar with the basic concepts of privacy, unless you are keeping up with the constant changes in privacy legislation, standards, technology and best practices, your privacy knowledge and skills may quickly become stale. As privacy specialists, it is our job (and usually our passion) to stay on top of new privacy developments. Not only are we familiar with existing privacy regulations, uses of data, privacy-enhancing technologies, and privacy innovation, but we are also aware of what is coming down the pipelines that may impact your data handling practices, such as new regulations, regulatory guidance, thought leadership and tools.
Go Pro...active, Not Reactive
Not enough can be said about taking a privacy by design approach to your Privacy Program; being proactive, not reactive. Lawyers often find themselves in reactive situations where they need to continually put out fires. This approach will serve you well if ever there was a privacy breach, but mitigating the risk in the first place is the purpose of the Privacy Program.
Part of being proactive means that a Privacy Officer needs to hone impeccable project management skills. You are expected to monitor and enforce the Privacy Program and follow up with stakeholders, including those in sales, dev ops, e-commerce, analytics, business development, marketing, human resources, R&D, procurement, IT and security. As privacy specialists with practical experience, we have gained excellent project management and time management skills. Having close relationships with stakeholders in every business unit is vital to understand how data is being used but also who it is intended to be used in the future.
It’s a Chess Game
As in-house counsel, you will likely not have time to run the entire Privacy Program alone, while still maintaining your role and responsibilities as counsel. You will need to delegate responsibilities to staff. Unfortunately, those staff to whom you delegate are likely already busy with their day-to-day tasks. Ensuring you are delegating tasks to the right people and not overwhelming them is essential for the success of the Privacy Program.
As privacy specialists, we can help you strategize who in the company should be responsible, accountable, consulted and informed (RACI) when it comes to the key foundations of a Privacy Program. Thought should be put into who will be responsible for the following: identifying privacy-related legal developments, privacy training, responding to privacy complaints, updating the data map, responding to access/deletion requests, conducting vendor due diligence, monitoring and auditing privacy-related practices, reporting to senior management, privacy breach management, managing cross-border transfers and implementing privacy by design with developers/designers.
As privacy specialists, we have a strong understanding of the work effort and skills required to successfully serve and support these roles.
And Finally...We Are Your Allies
As a Privacy Officer, you should see us as your allies with shared objectives. We want to mutually minimize privacy risks while allowing the business to achieve its goals and objectives.
In addition to helping you design and implement your Privacy Program, we can also support you in advocating to secure funds and resources for the Privacy Program. Ensuring the Privacy Program has an appropriate budget and resources will make your role as Privacy Officer more manageable, efficient and successful.
This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.