Skip to main content
close search
site logo
Opinion

What legal departments need to know about building a data security and privacy program

General counsel play a key role in developing an enterprise-wide infrastructure that can keep pace with the rapidly changing threat landscape and regulatory environment.

Published Aug. 26, 2022
By Kara Hilburger
Cyber security systems for business network
Cyber security systems for business network guvendemir via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Kara Hilburger is managing director and team lead for privacy compliance and digital accessibility at Octillo. Views are the author’s own.

Data privacy regulations and privacy risks are evolving. From the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act to the patchwork of upcoming state privacy laws, companies go to great lengths to stay ahead of developments to minimize legal risk while continuing to promote innovation.  

And did we mention the prospect of a federal privacy law? Companies are left struggling to meet what feels like a moving target. Gone are the days when data security and privacy could be addressed in independent silos within limited segments of a business, or treated solely as IT issues.

Instead, many organizations, typically led by legal counsel, have found that the key to developing a data security and privacy infrastructure with lasting impact is by taking an enterprise-wide approach. 

K Hilburger
Kara Hilburger
Courtesy of Octillo
 

Here are some practical issues for understanding how and why to develop an enterprise-wide infrastructure and the best practices we’ve identified for general counsel’s role in this process. 

Who should be at the table

Organizations approaching security and privacy as technical issues consistently fall short. A comprehensive data security and privacy infrastructure is much more than IT controls and policies in the background governing password management and encryption. Given the changing legal and regulatory landscape, you need to have a conversation beyond information security – and to do that you must understand the input and output of data. 

It’s crucial all key stakeholders are part of the conversation. In addition to general counsel or in-house counsel, you want your leaders in the effort to include representatives from human resources, information technology, information security, compliance, marketing, communications and operations.  

Identifying the right people from across the organization who can provide insight and identify areas where data security and privacy intersect with their day-to-day responsibilities is necessary for the growth and sustainability of the program.

Governance structure

It might sound elementary but understanding who is doing what within your data security and privacy framework is key to success.  

You need to take a hard look at resources, people’s roles and responsibilities, and what gaps in governance exist. Is a data protection officer under GDPR or other regulations legally required, or is a privacy officer sufficient? Will the organization identify data owners, with corresponding responsibilities? Developing infrastructure with clearly delineated roles and responsibilities is key to the lasting success of the program.

Legal and regulatory obligations

As a lawyer, we’re trained to understand the rule that applies before we apply that rule to the facts of a case. The same approach is warranted in understanding your data security and privacy obligations. Conducting a privacy regulatory assessment that evaluates current and upcoming jurisdictional requirements is a fundamental starting point for building a roadmap to address data security and privacy requirements. Does the GDPR apply to your business? Are you doing business in California sufficient to bring you within the scope of that legislation?

Once you have an understanding of the laws and regulations that apply to your business, the next step is understanding what your program looks like and what, if any, gaps exist based on these requirements.

Data map

Whether you like it or not, many organizations collect and process a tremendous amount of data. Data increasingly drives what we do to grow our business daily, even if you are not in a traditional data industry. It is key to ask: what data do you have and collect, for what purpose is it being processed, and how is it being shared?  

Developing a data map is a key ingredient to understanding the flows of data in and out of the organization and is critical for complying with state, federal and international privacy laws. The data map will serve as the foundation for a number of your organization’s policies, including your website privacy policy, data subject access right policy and management of your data retention.

Incident response management

Preparing for a potential data breach or cybersecurity incident should be a top priority for every business. The threat landscape requires you to shift your perspective on cyber threats from “if” to “when” as you examine preparedness, protocols and employee education. 

Creating a detailed incident response plan is a necessary step in this process, but a response plan is only as effective as its execution.  

Testing your plan annually helps to identify vulnerabilities, improve coordination and communication and is a cornerstone best practice for all companies – and a requirement in many regulated industries under some cyber insurance policies and for certain government contractors. And don’t forget to print a hard copy of the plan in case access becomes limited during an actual or suspect event. 

Culture change

We may have heard it before, but training is the key to improving employee engagement overall and truly impacts the data security and compliance culture within an organization.  

The fact is, many of today’s cyber threats are a result of human error, making end-users of company systems incredibly relevant to overall company security. Providing the training and raising awareness among staff members about the types of security threats that target them directly should be at the top of every security investment.

Further, raising awareness across your organization about the importance of cybersecurity and privacy requirements is a fundamental aspect of building out your enterprise-level infrastructure.  This includes onboarding and implementing annual programs that train and raise awareness about the types of common security threats that target employees (such as phishing attempts), as well as how to identify common security threats.

Conclusion

As we often share with clients, Rome wasn’t built in a day; and, neither will your privacy and security infrastructure magically appear. But building a scalable, sustainable enterprise-level data security and privacy infrastructure should be a priority for every organization regardless of size. 

The challenges presented by the current legal and threat landscape aren’t changing anytime soon, so it is vital for every organization to put in place a compliance roadmap that is right-sized for their resources, team size and jurisdictional reach. Beginning today, even with just initial internal discussions, you can start down a critically important path to minimize legal risk in this increasingly technology-driven world.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Editors' picks
Latest in Legal Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell