
5 Proactive Steps Toward GDPR Compliance

Nov 22, 2021

The following blog is Part 3 of a 3-part series. To start with Part 1, click here. These insights were first shared in our webinar, Global Data Privacy Update: GDPR Walks the Walk. To watch the entire webinar on demand, click here.

I had an interesting discussion with a client a year or so ago now – a big US corporation – and they said, “We want to explain something to you and then we want you to guide us through a decision.” And I said to them, “Well, that’s really interesting, but you’ve got 150 attorneys in your legal department, and you’ve got 10, 20, 30, 40 attorneys who know this stuff and can make a decision.” And they said, “Yes, but we’re all too close to it and what we want is somebody a bit more distanced to walk us through the decision and say, have you considered this or that?” And we’ve had a couple of clients – one who’s got an intrusive app – where they’ve asked us to do that as well, just to sit down as a critical friend.

They’re asking us to almost assume the role of the regulator, assume the role of the data subject, and say to them, have you thought of this, have you thought of that. And I think that many businesses are almost in this binary mode of either I’ll decide internally, or I’ll let the regulator decide. And if they do that under the DPIA mechanism, it’s going to take ages. We know from the Facebook dating case that that’s a less than ideal process.

I think what we are going to see is more people asking somebody else – whether that would be a lawyer, an ethicist or academic, or a mix of those – in some sort of ethics review panel. Healthcare has, for a while, had to review its use of AI applications and to address issues of fairness and transparency to head off litigation.

When it comes to data privacy, there are a few things you should be actively thinking about, whether the business you represent has privacy challenges or just wants to do the right thing.

  • Execute a thorough Data Protection Impact Assessment (DPIA)

First, you should have a DPIA or Data Protection Impact Assessment, sometimes called a PIA – Privacy Impact Assessment. This is a process that you can go through to look at risks and the ways in which you’re mitigating them; DPIAs have been a common theme of some of the high-fine cases. Criticism for no DPIA or an inadequate DPIA has also been a theme of the food delivery cases we just talked about. One of the biggest cases of the pandemic was the Facebook dating case. Facebook announced it was starting online dating in Europe. The Irish regulator asked to see the DPIA. Facebook didn’t produce one. The regulator comes and knocks on the door, asks again for it, and the service is suspended. Why is that relevant? Because it was the gold rush of online dating during the pandemic. People who wanted a date had no other option.

Facebook lost the business opportunity of a lifetime by not having the DPIA ready, and not only that, but some of its would-be rivals also gained strength with the money they made in the pandemic. And they’re now probably big enough that they can resist Facebook coming into the market. For the loss of what might have been, I don’t know, $10,000 worth of effort to put a good DPIA in place, Facebook lost the biggest market opportunity perhaps of a decade. So DPIAs are your friend. They can help you reduce risk. They can help persuade a regulator that you’ve at least thought through these issues.

  • Mitigate risk with preparedness training

Second thing I’d say is train, train, and train again. When we get involved in data breaches, almost always we say, okay, prove that you’ve met the training requirement under GDPR, and what comes back is a deck of slides or some online training.

Very few businesses have kept up their training. Regulators have said that in most cases it’s going to be an annual event. It should be an annual event, and they’ve been prescriptive. They don’t tend to like online training; if you’re going to ask questions, you should jumble up the answers, ask from a wider pool, etc. So, there’s going to be a real focus on training after incidents, in dawn raids, etc. And obviously training is the biggest way of reducing risk.

  • Data protection has value

The third trend I’d give you is data protection equals value. We know, for example, from the Marriott case, that Marriott bought an asset with a problem that wasn’t worth the price they thought it was because of that problem.

So, for those private equity businesses that are looking for the turn, data protection is part of that turn as well. And we’re seeing investors, particularly, recognize that value and encourage people to get the right compliance programs in place. And even if you’re not a listed entity and you’re not thinking of listing or selling, then employees and customers are looking at this as well. Every business is going to have a data breach, even the best businesses, because we’ve got employees who leave stuff on trains, in Ubers, etc. The ransomware war is unequal; it’s a cold war by proxy. There are nation states that are attacking US corporations and particularly law firms.

  • Rehearse your response to ransomware

I’ve a friend in a law firm who had the most horrendous attack on Friday, a very, very sophisticated one, and he spent the weekend apologizing to all his clients on a borrowed cell phone because he thinks his cell phone was compromised as well. Those are not discussions that have gone down well with some of his clients, and I’ve every sympathy for him. So, rehearse your response to ransomware, build in that muscle memory, just as we rehearse evacuating out of buildings if there’s a fire. We’ve got to rehearse this stuff as well. And then obviously the mustard on the hotdog in the bun of our discussion, really, is transparency. As I’ve said, there’s a real concentration on this at the moment.

  • Adequate data protection is a moving target

The EU has said that Privacy Shield provides an adequate level of protection for your data. Well, it doesn’t. It might have done in the past, but that ship has sailed. We might get Privacy Shield two, Safe Harbor three, we might not, but your privacy policy has to be up to date. And in the area of cookies, for example, I don’t think I’ve ever seen an accurate disclosure of cookies unless people are using one of those tools to regularly trawl the website. If you are using a social plugin on your website, if you are using a Facebook plugin, if you’re using Google Maps, then those providers are changing their cookies and your disclosures are out of date almost the minute you’ve coded them into your privacy policy. So, people have to look at the window dressing as well as the backend when they’re thinking about transparency.

You have got to get into that cadence, particularly when you do something new or different, of thinking, “oh, we’re now recruiting through XYZ corporation instead of doing it in house” – trigger: the privacy policy’s got to change. “We’re a law firm, we’ve now outsourced our print shop to these guys” – trigger: that might be a privacy policy change.

And we’ve got to look at our supply chain as well, because we might have disclosure obligations when we’re sharing data, even for a trivial thing in the UK. Our regulator has made us put a button on all of our websites, but they don’t tell us what’s happening with the data if people click on that button. So obviously we’ve got to make that disclosure now to say, we’re not allowed to practice without the button, we’ve asked questions about the button, we ain’t got answers. So almost everything you do, everything you apply to your website, you’ve got to think about strategically.

About the Author

Jonathan Armstrong

Qualified as a lawyer in the UK in 1991, Jonathan has focused on technology, risk and governance matters for more than 20 years. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan is recognized as one of the most influential figures in risk, data security, and compliance in the UK and internationally. For more, visit the Cordery website.