Apologies for the alarmist tone – and the riff from “Game of Thrones” – but the reality is that digital privacy is increasingly a legislative priority. For example, the recently enacted General Data Protection Regulation (GDPR) issued by the European Union imposes a new paradigm on the privacy landscape, requiring sweeping changes to how organizations collect, process and store personal information. GDPR applies to any organization that collects “personal data” of individuals residing in the EU, regardless of the organization’s location.
GDPR foreshadows changes brewing domestically, at both the Federal and state level. For example, California has recently passed – and will soon enact – a digital privacy law creating one of the most significant regulations overseeing the data-collection practices of companies in the United States. Putting aside regulatory issues, the risks from data breaches alone should be a sufficient catalyst for organizations to prioritize privacy and cybersecurity. Indeed, with data breaches growing more prevalent every year (along with the penalties and reputational harm that inevitably follow) – and with the regulatory landscape becoming more complex – it is essential that organizations assess and improve their privacy practices today!
Below are some initial steps to help organizations improve internal controls and minimize risk:
- Privacy Audit – A privacy audit is a process to identify, across the organization, the types of personal information collected, the ways in which it is protected, and with whom such information is shared. Many organizations collect more personal information than needed, keep it longer than necessary, and don’t have appropriate protections and safeguards in place to protect it. The results of the audit – in consultation with your privacy legal counsel – will help your organization to better protect and manage the data you collect.
- Regulatory Readiness – It’s essential that your organization clearly understands which privacy regulations are applicable, and then takes appropriate steps for compliance. For example, if GDPR applies, then you will need to address a variety of requirements, including a) inserting specific disclosures, rights and remedies for EU residents into your website privacy policy; b) making sure that all third-party vendor agreements contain specific provisions related to GDPR; and c) conforming your “opt-ins.”
- Vendor Partner Vulnerability – Organizations are increasingly relying on third-party vendors to hold and process personal information. As many data breaches are vendor-related, vigorously negotiating these agreements (and reviewing and assessing the ones you have already signed) to ensure your organization is properly protected is essential. Key terms to address in every agreement include:
  - adjustments to the limitation of liability of the vendor, including specific “carve-outs” for data breaches
  - reimbursements for legally required data-breach notifications and remediation
  - specific data privacy and security requirements.
- Cybersecurity Insurance – A cybersecurity insurance policy is designed to help organizations mitigate risk exposure by offsetting the costs and expenses of both direct losses to your organization and claims by third parties, such as donors. All policies need to be carefully reviewed and negotiated to make sure they provide adequate protections and remedies.
Certainly, for most organizations there is much to do to address data privacy and security in today’s changing landscape. The “silver lining” here is that taking these initial steps will minimize your organization’s risks and make you better stewards of the personal information you collect.
Jon Dartley
Attorney At Law – Of Counsel
Perlman & Perlman, LLP