Last week, San Francisco was home to the Global Legal ConfEx, which brought together over 200 in-house counsel, law firm partners, and law tech professionals. The conference hosts lawyers who have operational challenges including litigation, technology, risk, compliance, GDPR and more. Further, the event provides educational panels, thought leadership, and opportunities to connect with peers.
DataGrail’s CEO & Co-founder, Daniel Barber, hosted a panel on GDPR, CCPA, Data Discovery, and Compliance to offer insight on upcoming privacy regulation. The panel featured Kai Westerwelle (Partner at Bird & Bird), Samantha Kim (Director at Robert Half), and Lara Bliesner (Senior Counsel – Data Protection & Privacy at Arm). In case you missed it, here are the top 5 takeaways from the discussion.
CCPA vs GDPR
The panel compared the two largest and most impactful regulations for the upcoming year: Europe’s GDPR and California’s Consumer Privacy Act. Samantha Kim commented that the two laws treat the affected parties differently. She relates, “There are a few key differences, one of which includes how the laws label consumers versus data subjects. Service providers and third party vendors are also classified differently and the CCPA has a few exceptions listed that aren’t present in the GDPR. It may be possible that we end up with a second version of the CCPA.”
Kai Westerwelle added, “One big difference is between unique identifiable information and anything that could possibly identify individuals. Not twins – in the CCPA it is all about residency while the GDPR is encompassing.” The CCPA specifies that businesses are not restricted in using and keeping data that is deidentified, in the aggregate consumer information area or publicly available.
Multinational Compliance
With the GDPR and Nevada’s SB 220 in effect and California’s Consumer Privacy Act coming in January, companies operating in or contacting consumers in multiple states or countries will be challenged to comply with multiple regulations simultaneously. Lara Bliesner presented points that will prove particularly difficult to solve with global regulations, including third party compliance, M&A compliance, and working with unreliable sources for data transfer. This boils down to the problems that can arise with data transfers, selling, and sharing between systems or companies. For companies to achieve compliance, they must develop a full understanding of their third-party systems and how they store, transfer, sell, share, and delete data.
Who’s Involved in Privacy
Samantha shared an interesting point that with Legal and IT involved in the process of handling privacy requests and new compliance, it’s the “first time the tech and legal world are colliding.” There is a gap between legal and tech, and companies need to have both sides of the table involved. Higher management also needs to be involved.” Lara added that HR, IT, Marketing, and Finance are involved because they care about compliance.
Mitigating Risk
Daniel followed up on the challenges of the CCPA by asking the panel about mitigating risk between complying with multiple laws, decreasing or cutting out human error, and other guidance for reducing risk.
Samantha spoke first about dealing with your customers. “We’re B2B and our customers are B2C. Floating requirements down the chain has helped with CCPA compliance, but requires ample time and planning ahead of the due date. Take care of the public-facing requirements first including Data Subject Request (DSR) processes and privacy notices.” Samantha also emphasized that it’s important for a company to understand how it accesses the data. Some have manual tasks, others have complex processes, and some use software.
Lara added having a data retention schedule can go a long way in mitigating risk and keeping a clean inventory. “Data minimization. Once you have data, have processes in place to take care of the data and only hold onto what’s needed.”
A final point on risk brought up by Kai is that “You don’t know what you don’t know. Ask yourself if there is a process in place for handling privacy requests. They can get lost and can lead to upset consumers, and potential fines.”
Expert Advice for CCPA
Daniel concluded by sharing some analyst insights and benchmark statistics from a study that DataGrail conducted earlier this year: “After speaking with analyst firms, we learned Gartner suggested implementing technology now versus later as it could save 2x in costs. Forrester suggests looking at compliance as a continuous process. The average cost for handling a DSR is $1406, and there are 26 people involved” He followed up and asked each panelist to share one piece of advice related to the CCPA, here’s what they said.
Lara: “Consumer requests – have a workflow set, have a group approach, and figure out who the contact is in each department – Sales, Marketing, Legal, IT.”
Kai: “Don’t look at privacy as a singular project. Keep the bigger picture in mind to save money in the long term. The earlier you start, the easier it is.”
Samantha: “Do the hard work now, and use GDPR as a base.”