K Royal, PhD, JD
By K Royal @HeartofPrivacy
Ever had a leaky pipe and thought you could fix it? Generally, unless you’re a plumber, you can’t fix it, it takes triple the amount of time to do so if you can, or you may even make it worse. Perhaps you cannot even identify the real problem and only fix the symptoms. Call a plumber.
Or – (from my nursing experiences) – you use “Dr. Google” to self-diagnose and treat. Sometimes that works. Sometimes it helps you triage to determine… yeah, you should go to the ER. Sometimes, you’re stuck on social media documenting yourself having an anaphylactic reaction when you should be calling 911. Real story.
The same goes for privacy. As a privacy consultant (working in a non-attorney role… so none of this is legal advice), I can assure you the same applies to data protection. If you are not experienced and knowledgeable in privacy, don’t roll the dice. Call someone who knows the field. Attorneys have expertise, but like doctors, that expertise is honed over the years to the areas in which they practice. Trust me (’cause I am a lawyer), I will not advise you on patents or corporate securities or criminal law. I will tell you to call an expert in those areas.
If you are an attorney, corporate executive, or business unit owner, please understand that privacy is a very specialized, complex, new, rapidly changing, and nuanced area of the law. It is definitely a topic on which you should pick up the phone (or open an email) and contact someone who does know. This is not something to get wrong. There are major repercussions to getting privacy wrong – fines, inability to conduct business, lawsuits, devaluation of corporate assets for potential acquisitions, impact to IP, reputational damage, regulatory investigations, congressional inquiries, and so many more.
As an in-house attorney, your strength is focusing on resource management, identifying legal areas where there may be gaps, viewing the big picture, and living the trust that the executives, company, and consumers have in you. Think about it – you typically outsource litigation because you want the expertise of someone who knows the field. You are the one who brings the stakeholders to the table and reinforces the need. You may not have the right internal resources to get the information you need quickly, accurately, and in scope. If there was nothing else on your plate, this might be a different article.
Please raise your hand if there is nothing else on your plate….
There is probably something in privacy law that applies to your company. If you collect personal data – whether employees, consumers, vendors, customers – there is probably something. If there is nothing, get it documented by an objective third party. If it’s not written down, it is hard to prove that you even thought about it.
Also, carefully consider what qualifies as “personal data.” If you do business in more than one country, then you have at least two perspectives on what is personal data. Get someone who knows the nuances to evaluate the data you have. Don’t take the risk of guessing unless you are willing to accept the risks of being wrong.
“Privacy” is not merely compliance – it is data management. It is the guidelines that tell us what data can be collected, processed, retained, shared, combined, analyzed, and destroyed. If you have cookies on your website, then you need to know what laws apply to those cookies. If you are emailing people about business offers, you need to know what laws apply to those emails. It’s all about data. And if you build it right; if you manage it right – you can still have the data you need, but maybe not necessarily the data you want. Ask someone who knows.
Just like HIPAA was never meant to interfere in patient care, privacy laws are not meant to interfere in business. They are meant to ensure that as a business, you are taking responsibility for what you are doing with data and being transparent about it. And if there is a reason not to be transparent about data practices, there is probably a reason not to engage in those data practices. Get a privacy expert opinion.
An ounce of prevention is worth a pound of cure.
Live. Love. Laugh. Listen. RN turned attorney. Nothing I write or say should be taken as legal advice. I do not take clients. I also don't give enemas - so don't look to me for nursing care, either. Self-licensed to use sarcasm, always carrying, rarely concealed.