An effective privacy program takes into account legal requirements and litigation risk. While this series advocates for starting with strategy and designing a customized approach, this does not mean that legal obligations and risks should be ignored. Instead, by starting with strategy and focusing on customization, many legal risks can be better managed. If the legal requirement in a given law is that a data security policy addresses the risks a company faces, for example, a company is better off with a customized policy. For this reason, addressing the law can be thought of as the middle of the project, rather than the start. (See more in a recent article we published.)

When addressing the law, companies should avoid thinking of legal obligations as static requirements. Not only will existing laws change (for example, the many modifications that were made in 2020 to California’s privacy law and related regulations), but new laws are constantly on the horizon. Litigation similarly is on the rise for an expanding set of corporate activities (see, for example, lawsuits around the collection of biometric information, an activity almost unheard of ten years ago).

Putting it Into Practice: Any privacy program needs to take into account a wide variety of issues, and legal risks should not be overlooked. Properly addressing them, though, requires not just reviewing their requirements but also thinking about how the company can, practically, put appropriate policies and procedures in place.