In-House Counsel Can “Raise the Bar” on Data Oversight
Kristie Chon Flynn, Google’s Senior Director of Privacy Engineering and Data Governance, discusses the board's role in oversight.

Data privacy is one of the biggest challenges in business. With new regulations, changing technologies, and economic uncertainties heightened by cyberattacks, businesses face intense pressure to stay ahead of the curve in ways that satisfy customers and regulators.

This year, Bloomberg Law’s annual In-House Forum spotlighted data and privacy practices. Hosted in New York City, the forum featured a panel of industry leaders who spoke to an in-person and a virtual audience about privacy implementation, oversight challenges, and best practices, so that organizations can raise their data and privacy bar from within.

Managing Regulatory Changes

Few companies have as close a pulse on data and privacy as Zoom Video Communications does. Fittingly, Zoom’s Chief Privacy, Compliance and Ethics Officer and Deputy General Counsel, Lynn Haaland, kicked off the forum by reflecting on the company’s commitment to privacy amid the uptick in global regulatory enforcement.

“With privacy and security, you need to do it from the beginning,” said Haaland. During the outset of the pandemic, she and her team deployed new features on Zoom, including a safety tool to remove participants from meetings when needed as well as a trust and safety report system.

Regulations like the General Data Protection Regulation (GDPR) are a “high watermark” for compliance, according to Haaland. She mentioned how companies should keep customers top of mind and abide by transparency principles, with disclaimers in plain English.

Reporting to Stakeholders

During a real-time poll at Bloomberg Law’s In-House Forum, audience members indicated that they believe boards of directors are not actively involved in overseeing privacy and data management matters, even though strong privacy governance hinges on company-wide participation.

“While it’s not mandatory, I’d love for boardrooms [to] mandate privacy oversight,” said Kristie Chon Flynn, Google’s Senior Director of Privacy Engineering and Data Governance, during a panel discussion.

As she noted, boards of directors are typically made up of people with financial and operations backgrounds. But Flynn, who sits on several boards across Google and its legal entities, said that having a data security point person is ideal.

“You need that expertise to ask the right questions [and] to oversee effectively,” said Flynn.

Data Oversight: A ‘Team Sport’

Data oversight requires a “centralized and federated” model, according to Flynn. At Google, she mentioned that user experience teams integrate data safeguards at the design phase. Then, within each department, there are dedicated privacy roles – not just in legal and compliance – to assess user sentiment about privacy, from an internal tooling perspective through to an external product launch.

“Privacy is becoming a team sport,” said Serena Palumbo (Esq., CIPP/US), ING Financial Holdings’ Data Protection Officer. “You can’t just have somebody in their white tower who’s making decisions,” added Lincoln Financial Group’s Chief Privacy Officer, Jana Landon, CIPP/US, CIPM.

At a board level, broader regulatory compliance can strengthen members’ data knowledge and oversight involvement. At ING, for example, GDPR compliance now means: “We have more awareness [of data protection policies] at the board level,” Palumbo said. Global Chief Privacy Officer of ADP Jason Albert stated the board was “very involved” in the decision to cement the European Union’s binding corporate rules into compliance programs.

Beyond the GDPR, boards must remember that data risks shift. “It’s a bit of an art, [and] a bit of a science,” Landon said. She added that many sources should inform risk assessments, such as consumer advocacy groups, benchmarking against peers, and “external gut checks.”

Building Trust

Effective data oversight rests on customer trust.

Session replay spyware used to track customer movements has resulted in class-action lawsuits. A former Corporate Security Chief has been convicted on federal charges for concealing a data breach. Such incidents underscore what can go wrong when trust is breached, and a panel of experts discussed how to build trust from the ground up.

“The question of personal liability and retroactive decision-making is something everyone needs to know more about,” said Flora J. Garcia, former Global Privacy and Data Protection Office Leader at Wayfair. “To say CISOs are universally accountable for any breach on their watch – that whole concept of personal liability in the U.S. is very foreign.”

PayPal’s Chief Information Security Officer and Vice President of Enterprise Cyber Security Assaf Keren added that “trust must be part of a brand. A company’s infrastructure can advance this aim, but they must start with the basics.”

“If I’m building a privacy program, create a baseline that gets you there for most of the laws,” said Jessica B. Lee, Partner at Loeb & Loeb. “Data program flexibility is key.”

Richard Cohen, CIPP/E, Foot Locker’s Chief Privacy Officer and Associate General Counsel, noted how robust infrastructure helps navigate a fast-evolving landscape, including a myriad of data processing agreements under the GDPR, the heightened cyber exposure risk posed by work-from-home, and digital marketing teams with a “data maximization mindset” that are at odds with “data minimization” laws.

Businesses can weather this complexity by knowing the law, creating strong privacy infrastructures, and building trust. “Being a good steward of customer data [will] pay dividends,” Cohen said.

Find Data Allies

In the coming years, businesses will face numerous data developments. Among them are new opt-in laws that “cause friction” with customer journeys, according to Lee. Keren added that regulators worldwide will continue the push for “better and faster” security incident disclosures, with broader definitions of an “incident.”

Panelists also discussed how legislators will push for sweeping child privacy measures, how the Securities and Exchange Commission (SEC) will soon require annual filings with disclosure of internal policies to manage cyber risk, and how the proposed federal online privacy bill, the American Data Privacy and Protection Act, will continue to generate business scrutiny.

That said, businesses should seek data allies. Garcia recommends finding people inside and outside an organization – from GC, to engineers, to interns. “Find the people who have interest in it,” Garcia said. “That counts for a lot.”

To learn more about managing data and customer privacy, view the CLE-eligible replay of this year’s In-House Forum.
