What best practices can corporate legal departments employ for implementing processes for mitigating data privacy risk in a patchwork regulatory environment?
The looming introduction of the CCPA is forcing legal departments and compliance teams to step up their efforts to comply with the new regulations. First, however, they’ve got to gain a good understanding of what’s involved in the CCPA, and whether or not their business could fall liable under it.
Then they need not only to install processes and tools to ensure compliance with the California legislation, but also to potentially deal with the many “copycat” data privacy regulations being either considered or enacted in no fewer than 13 other U.S. states.
Avoiding the costs of non-compliance
The costs of non-compliance with the CCPA can ramp up quickly. While they might not seem that imposing – a fine would cap at $7,500 for an intentional violation, and $2,500 for an unintentional violation – those caps apply to each individual violation; a company that fails to follow 1,000 consumer requests to delete data, even unintentionally, would be on the hook for $2.5 million in penalties.
In a litigious age, there’s another danger to corporate bottom lines that should be driving compliance efforts. It’s one the U.S. Chamber of Commerce’s Institute for Legal Reform pointed out in an April 2017 report:
“[T]here is a growing campaign by the plaintiffs’ bar to target data privacy and security in the hopes of striking it rich in a new goldmine on the level of the asbestos litigation of the 1970s, 80s, and 90s.”
What are the steps toward effective compliance?
As explored in depth during the webinar by Stacey Myers Garrett and Justin Hectus of KYL, there are basic steps a legal department can take to make their data privacy operations more compliant with the CCPA and other data privacy regulations, whether enacted or imminent:
- Take inventory of data collection and sharing practices.
- Update privacy notices and policies with required disclosures about information collection and sharing practices, and consumer rights.
- Strategic and practical decisions: State-specific vs. all-inclusive?
- Create channels for submission of verifiable consumer access / deletion requests (toll-free telephone number and web page).
- Operationalize “Do Not Sell My Personal Information” link.
- Update HR disclosures, processes and documentation.
- Update vendor / service provider processing agreements.
- Identify security gaps and update security measures.
- Educate and train employees.
- Implement consistent, repeatable, efficient protocols for authenticating and responding to access / deletion / opt-out requests, including identifying overbroad and unfounded requests.
A tool for compliance? Legal workflow automation
The KYL team have been staunch advocates of workflow automation as a way of making legal processes more efficient, responsive, and precise. They and Mitratech launched Keesal Propulsion Labs as a way of evangelizing its proven benefits to corporate legal departments.
The same efficiency and accuracy workflow automation brings to other Legal Ops and compliance processes can be extended to data privacy processes, too. That can help mitigate risk by improving responses to data privacy-related queries and requests from consumers, and ensuring that data privacy compliance best practices are embedded in every relevant workflow within a legal department or even the entire organization.
To learn much more, watch the free webinar
As with nearly every webinar featuring the experts at KYL, there’s a great deal more insight and information available by watching the session. As they point out, this is a critical moment in terms of how businesses and consumers coexist digitally, so their advice is extremely timely and valuable.
The webinar, Navigating Data Privacy for Legal Teams, is free and available on demand, so take the time to see what more they’ve got to say about how corporate legal teams can confront data privacy compliance challenges.