Who’s in Control of your Privacy Compliance? – by Lothar Determann

September 13, 2012


Companies, lawyers, privacy officers, developers, marketing and IT professionals face privacy issues more and more frequently. Much information is freely available, but it can be difficult to get a grasp on a problem quickly without getting lost in details and advocacy. When you set out to design and implement a data privacy compliance program, you face a number of challenges, and the first is deciding who owns it.

Taking Charge

Someone needs to be in charge. If your business is a one-person sole proprietorship, then you are in charge. In larger organizations, however, there are typically a number of individuals or departments that could take charge of data privacy compliance, including lawyers, information technology staff, human resources and internal audit personnel. Each of these groups tends to have a different approach, strengths and limitations. Here are some factors to consider as you look for the right person or team:

  • In-house attorneys in corporate legal departments usually take an advisory role and inform others in the organization what applicable laws require, including data privacy laws. Depending on company culture and individual styles, the legal department may advise proactively or upon request. Lawyers are trained to interpret and apply laws, including data privacy laws, but not all lawyers are technology-savvy or good project managers.
  • Members of the information technology (IT) department are technology savvy, but may not find it easy to understand and apply laws. IT professionals are trained in deploying and maintaining equipment, software and services that other groups (human resources, sales, marketing, production, etc.) use to process personal data. The IT department supports these other groups and provides technology that serves other departments’ business objectives. The IT department usually establishes and implements controls to protect personal data from unauthorized access (by deploying data security measures), but does not typically decide who should be granted access to what data, or how legal compliance questions are resolved.
  • Some companies have separate internal audit functions, which are concerned with monitoring and enforcing compliance with laws and internal policies. Such audit departments are focused on verifying that laws and existing compliance programs are adhered to, but audit personnel do not typically define the rules. You lose an extra pair of eyes if the same person creates and audits a program. Also, when audit personnel conduct investigations, they are at a particularly high risk of violating data privacy laws themselves: investigators often want to search email boxes, computers and files, interview third parties about suspicious conduct and occasionally intercept live calls and other communications without prior notice to the data subject. Therefore, some companies feel that they would be letting the fox guard the henhouse if they tasked audit staff with designing a privacy compliance program.
  • Another option is to select individuals from data user groups within a company, such as human resources or marketing. Companies that develop or sell information technology products consider data privacy not only a compliance challenge, but also a business opportunity. For example, cloud computing service providers and enterprise software and data storage providers increasingly consider data privacy laws in the product development process to ensure that their customers can effectively use the products in compliance with applicable laws. In consumer markets, however, the jury is still out about whether privacy protections are a relevant differentiator – some believe that consumers just do not care enough.

In most larger businesses, the person in charge of data privacy compliance may come from any of the above departments or areas of specialization. Larger companies with significant exposure to, or interest in, privacy laws may decide to create a new department or office. Smaller companies may find it sufficient to put someone in charge on a part-time basis. If a company has a legal department, attorneys are usually involved in data privacy compliance, and often legal counsel takes the lead. But the ideal candidate for project management does not necessarily have to be a lawyer, particularly if a company views data privacy more as a business opportunity.

Determann’s Field Guide to International Data Privacy Law Compliance is now available to buy.

Lothar Determann practices and teaches international data privacy, commercial and intellectual property law. He is admitted to practice law in Germany and California, a partner with Baker & McKenzie LLP in Palo Alto, California, and recognized as one of the top 25 Intellectual Property Attorneys in California by the San Francisco / Los Angeles Daily Journal, listed in the World’s 250 Leading Patent and Technology Licensing Practitioners by the Intellectual Asset Management (IAM) Magazine and ranked as a leading lawyer in Chambers USA, Legal 500 USA and California Super Lawyers. Professor Determann has been a member of the Association of German Public Law Professors since 1999 and he teaches Data Privacy Law, Computer Law and Internet Law at UC Berkeley School of Law (Boalt Hall, since 2004), Hastings College of the Law (since 2010), Freie Universität Berlin (since 1994) and Stanford Law School (since 2011). He has previously authored three books and more than 70 articles and treatise contributions.
