With a broad raft of evolving legal requirements to meet, implementing practical steps for the handling of consumers’ personal data can seem a daunting prospect. Here, Emily Hancock, VP of Legal at MEF Member Evernote, lays out an invaluable roadmap for how to tackle this business-critical issue and set you on your way to becoming a privacy pro.
Navigating the growing number of data protection laws can be pretty overwhelming. And the granddaddy of them all is Europe’s General Data Protection Regulation. If you’re in the United States, a new set of criteria in the form of the Privacy Shield certification adds to the fun.
So what do you do? If you’re like most of us, you don’t have unlimited budget to hire outside experts to address the challenges for you.
But if your company collects user data – email addresses, telephone numbers, IP addresses – then it shouldn’t be news to you that you need to pay attention to data regulation. Fortunately, there’s good news: It is possible to build a global data protection program without an in-house team of privacy experts and while also exercising some cost-consciousness around your legal expenses. In my four years at Evernote, I’ve had the opportunity to do just that. With this post, I’d like to share a bit of what I’ve learned to help you get started.
The very first step is to figure out who will be in charge of dealing with privacy issues. If you’re reading this then, congratulations – it’s probably you!
The second step is to figure out which jurisdiction’s laws you really need to pay attention to. For most of us, it’s the country we’re located in. But for some of us, even though we’re not located in Europe, European data protection laws loom just as large if we’re collecting data from EU residents (which still includes the UK… for now). So if you’re in, say, the US, then you need to figure out just how far to go in complying with EU law based on your tolerance for risk. (That is, what is the likelihood of EU laws being successfully enforced against your company if you’re not actually located in the EU?)
Then, there are some operational steps you’ll want to take. Let’s break it down:
1) Privacy Policy
Make sure you write an accurate policy that captures what you actually do with data, not what you wish you were doing if you had more time to think about privacy. Doing things with data that are contrary to what you say you’ll do is one of the most common ways companies get into trouble with their users or regulators.
2) Model Clauses
If you are in the US and import EU users’ personal data, or if you’re in the EU and export personal user data outside the EEA, then it’s a really good idea to get your data processors to sign model clauses. Yes, the Privacy Shield has now been approved, but given the litigation over the Safe Harbor, it may be a risky bet to just rely on Privacy Shield certifications. And also, not many companies have certified yet.
3) Privacy by Design Training
Privacy by design means essentially that the product team builds in privacy considerations as they are building a product or product feature, rather than building something and figuring out how to overlay privacy protections on an already-built product or product feature. You’ll want to talk to your teams about this early, so they start to think about user privacy in the same way they think about usability, for example. And if they complain, remind them that to build something in at the beginning is far less costly than retrofitting later.
4) Document Privacy Guidance
Part of privacy by design is thinking through a series of questions about how data will be used, and then providing advice on the level of risk associated with the planned data use. This is called a privacy impact assessment (PIA). PIAs are already considered good practice, but many of us are walking through PIA steps in our heads or in meetings with product teams, without necessarily documenting those conversations thoroughly. Under the GDPR’s accountability principle, there is a much higher expectation for documentation. If your organization isn’t mature enough yet, however, the PIA templates that regulators are proposing can seem overly formulaic and time-consuming.
As a middle ground, and as a way of developing your PIA muscle for when the GDPR comes into effect, start now with a practice of at least documenting the advice you give and why. Then you can build into a more formal PIA process as you get better and better at the privacy by design process.
Once you’ve gotten through the steps above, stop to give yourself a pat on the back. If your organization didn’t have a privacy program, it does now! Or at least the beginnings of one. Now you’re ready for next steps.
1) Create a Data Map
So now, take what you’ve learned and build on it so that you have a master list, or maybe a couple of different lists, showing the data you collect and where it is stored. At a minimum, you will also want to note whether user personal data is being shared outside your company. Once you have that, think through which personal and other data is shared outside your company (and why), and document who in your company has access to each category of data.
And for extra points, figure out what access controls are in place within your company to avoid data leakage.
2) Data Protection Clauses for All Data
In addition to making sure personal user data is protected when shared with vendors, it’s really a good idea to make sure you have privacy and security provisions in place for any data you disclose to vendors, service providers, etc.
3) Conduct Privacy Training
It’s a good idea to train all employees who have any kind of access to user data on the privacy rules of the road as they apply to your organization. And even employees who never touch user data, like your marketing team for example, can benefit from understanding the data protection controls in place at your company, and how everyone should be protecting user data.
4) Get Formal about Your PIAs
Now that you’ve gotten a sense for how to do privacy by design, start setting up an actual PIA process and document it. There are lots of templates and tools out there so you can find one that works for you and your company.
It feels like a lot of work, but it is doable, even if you don’t have a privacy team. At Evernote, we’ve taken an approach much like the one laid out above. We focus on making sure we know what data we collect, how we use it, and how and with which service providers/data processors we share it.
We also educate our teams on privacy by design and safe handling of user data, and we’ve worked hard to implement appropriate security measures for all data. And we’re continually checking ourselves to make sure our actions stay consistent with the representations we’ve made to our users.
Think of it like packing for a trip – if you get the foundational wardrobe pieces right, and then add in a couple additional pairs of shoes or accessories – you’ll have all you need to encounter pretty much any situation.
The views expressed in this post are the author’s own and do not necessarily reflect those of Evernote and should not be used as a substitute for professional legal advice.