Data privacy laws are changing fast, and legal departments can’t bring companies up to speed alone.
A survey from Integris Software released this week found around half of privacy budgets are concentrated in information technology departments. Out of more than 250 respondents, around 90 percent said they were involved in IT operations. Nearly 70 percent were also involved in legal decisions, and more than 85 percent worked with risk and compliance.
“As the privacy conversation evolves, and it’s evolving rapidly, that partnership is becoming much tighter … we’re finding that classical divisions between what lawyers do and what technologists do are becoming very blurred and those cross-functional teams are a necessity now for compliance,” Kristina Bergman, the chief executive officer of Integris, told Corporate Counsel.
Privacy lawyers said they’ve seen legal departments work closely with IT to design and implement procedures related to the European Union’s General Data Protection Regulation, which went into effect in May 2018. Only around 36 percent of Integris survey respondents said their companies were “fully prepared” for GDPR.
Lydia de la Torre, a privacy law fellow at Santa Clara University School of Law and former in-house privacy lawyer for Axiom and PayPal, said that’s because many companies are still working out data processes.
While in-house counsel may have drafted GDPR-ready privacy policies, enacting procedures that adequately handle and store user data or allow companies to respond to user requests can take more time. She said some legal teams may not have worked with IT to automate these processes for data across all systems.
“That actually creates a challenge, from a technology perspective,” de la Torre said. “How do you make sure that you can not only comply, but comply at a scale, and comply in a way that is cost-effective? I think that’s where the major challenge exists today.”
When it comes to “more than just updating your data privacy notice,” Anna Gassot, a privacy associate at Fieldfisher and former in-house counsel, said legal departments need to form teams involving more than just legal.
She suggested legal should appoint “privacy champions” in other impacted departments, such as IT or human relations, which deals with sensitive personal data. The appointed representative should be responsible for bringing new products, procedures or concerns to legal to collaborate and ensure privacy standards are met.
It’s also a good idea to train all employees, including engineers building tools to handle data, on GDPR and the California Consumer Privacy Act, Gassot said. According to Integris’ survey, around half of respondents said their preparedness level for CCPA, which is set to go into effect next year, is “basic only.”
“Bring together a team of individuals who represent different stakeholders, who can put together a plan and implement it,” de la Torre said. “And it’s not going to be legal only. Legal only cannot operationalize the requirements.”