When I asked Google for the best lawyer jokes, it found 16,600,000 results in 0.43 seconds.  We love to make fun of lawyers and few people admit to liking lawyers. And yet, according to the American Bar Association, there were 1,338,678 licensed, active attorneys in the United States as of May 2018. Clearly, they must have their uses.

The truth is, laws are complicated, and sometimes you really do need an expert. This is particularly true in areas like data privacy compliance, where technology and regulatory requirements are both evolving rapidly.  Tailoring compliance and risk management solutions to your organization will require collaboration between specialized legal and technical privacy experts and your business managers.

As Levi Carroll Judson noted in 1849:

What was law at one time, is not law now – what is law in one place, is not in another – locality, individuality, prejudice, and perpetual change, characterize the decisions of judges learned in the law.

The current spate of proposed or recently enacted privacy laws illustrates this principle all too well. The regulations are written in legal language that is difficult for laypersons to understand. They may be amended or superseded, they vary significantly from one jurisdiction to another, and it is not easy to predict how authorities will choose to enforce the laws or how courts will rule on enforcement disputes.

Laws are written by politicians and lawyers in a way that is intended to be clear to lawyers and judges. Similarly, information security standards are written by and for engineers and programmers. You would not ask the average lawyer to design a secure data encryption scheme; you should not rely on an engineer or programmer to interpret the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR) or any of the other 80+ U.S. and international data privacy laws listed on this handy website. As soon as a new law that might affect you is passed, you need legal expertise to determine whether you must comply and, if so, what you must do to comply. If you do not have that expertise in-house, you will need to enlist legal experts specializing in compliance.

As if that weren’t enough to keep track of, laws are subject to change. The CCPA was signed into law in June 2018, but it was amended several times (by SB 1121 in 2018 and a further batch of bills in 2019) before it went into effect on January 1, 2020, and it may be changed again if the California Privacy Rights Act (CPRA) ballot initiative succeeds in November 2020. Admittedly, the GDPR is a little better established, but bear in mind that although it was designed to be a single regulation unifying the diverse national privacy laws of the EU member states, Articles 85 to 91 allow Member States to introduce exemptions where necessary and to establish their own conditions or more specific rules.

Furthermore, once the laws are written, the authorities charged with enforcing them issue guidelines, recommendations and best practices for compliance. And as enforcement of the laws is tested in court, judges issue decisions that might affect your compliance plans. Those decisions can be surprising. In recent months, for example, we’ve seen:

Compliance is not a one-time process. Regulations may change, and enforcement actions and court decisions may change how the regulations are interpreted. You may need to practice continuous compliance, revisiting your data privacy controls after any change in the regulations you are required to comply with, which requires ongoing collaboration between your business managers and your legal and technical privacy experts.

You must also understand how changes in your business affect your privacy controls. Any significant change to the people, processes or technology your organization works with may change your privacy and compliance risk. This means that you should consider performing comprehensive privacy risk assessments regularly, and after any significant change in your organization.

In fact, Article 25 of the GDPR requires data controllers to implement “data protection by design and by default”, commonly called “Privacy by Design”, which essentially means putting in place appropriate technical and organizational measures designed to implement the data-protection principles when processing personal data. Any change to the way you store and process data may require changes to those technical and organizational measures.

Understanding regulations, keeping track of requirements and monitoring decisions made by regulatory authorities and courts is a significant challenge. Law firms specializing in information security and data privacy compliance have the knowledge and experience needed to determine which regulations your organization must comply with and to tell you what you need to do in order to comply; information security specialists can help you figure out how to comply; and your business managers need to integrate compliance into your business.

Infocomply champions a Measure – Comply – Thrive model of continuous privacy improvement centered on Five Best Practices:

  1. Carefully assess your organization’s business practices, revenue model and risk tolerance to inform your compliance choices as you design a compliance strategy appropriate to your available resources and risk level.
  2. Continually evaluate the regulatory landscape to ensure compliance with existing and future regulations.
  3. Enlist technical and legal partners to develop or identify the best privacy compliance platform for your unique needs.
  4. Plan to perform regular audits and attestations to measure and document privacy controls.
  5. Practice continuous privacy improvement to adjust your controls to operational, technical or regulatory changes.

Infocomply’s partner-friendly platform was designed to foster collaboration by tying internal IT departments, product teams, and internal or external legal teams into the implementation of continuous privacy improvements. Our platform provides all the necessary components for closer collaboration with your chosen legal experts, allowing for rapid response to changing requirements and faster risk remediation and mitigation.