As the first quarter of 2021 comes to a close, cyberattacks are only gaining momentum. As we reported last month, these attacks have become big business for threat actors, and companies are working hard to be prepared. Taking stock of potential risks – and risk management techniques – can be a useful exercise in this environment. For this, tools from change management can help. Change management, particularly sustainable change management, teaches us not to jump head-first into action, but first to take stock of which actions will be most helpful.
Understanding Risk in An Increasingly Risky World

To round out this series on right-sizing a privacy program, our last stop is thinking about the impact of working with third parties. There are many legal requirements to assess and/or to address in third party contracts when personal information is being gathered or is changing hands.

Elements of Right-Sized Privacy Program: Appropriately Addresses Third Parties

An effective privacy program takes into account legal requirements and litigation risk. While this series advocates for starting with strategy and designing a customized approach, this does not mean that legal obligations and risks should be ignored. Instead, by starting with strategy and focusing on customization, many legal risks can be better managed. If the legal requirement in a given law is that a data security policy addresses the risks a company faces, for example, a company is better off with a customized policy. For this reason, addressing the law can be thought of as the middle of the project, rather than the start. (See more in a recent article we published.)
Elements of Right-Sized Privacy Program: Addresses the Law

As mentioned in the prior post in this series, a strategically developed privacy program can help support companies in a rapidly changing legislative and enforcement environment. As part of taking a strategic approach, companies attempting to create a right-sized privacy program will want to customize their program to their company. Privacy and data security laws place bespoke obligations on companies. Privacy notices need to describe the company’s practices. Data security laws anticipate policies that are designed for the risks that the company faces.
Elements of Right-Sized Privacy Program: Customized

One of the biggest difficulties companies may face in implementing an effective privacy program arises if they neglect strategy and focus only on the law: developing policies and procedures that mention legal requirements but fail to address the underlying business purpose of those policies and procedures. Certainly, compliance with the law is critical. But it is not the only part. And, importantly, since regulators expect companies to follow their policies and procedures, taking time to strategize, and to address how a company will comply with its policies and procedures, is critical.
Elements of Right-Sized Privacy Program: Strategic

Later this week, January 28, 2021 will mark International Privacy Day: a day on which corporations release educational efforts around privacy and data protection. There are many reasons to approach privacy proactively in 2021: (1) January 28 will mark the second week of a new US administration, one which will likely focus more on privacy and data security; and (2) laws and enforcement in this area continue to change and develop, as we reported last year. With this in mind, privacy and data security practitioners who take a reactive approach may find themselves falling behind. Reactivity is also costly, both in money and in resources.
Developing a Right-Sized Privacy Program