On September 17, 2019, Amanda Witt, co-leader of Kilpatrick Townsend’s Cybersecurity, Privacy and Data Governance practice, moderated a panel of seasoned in-house privacy professionals for the International Section of the Georgia Bar. The panel included Pamela Garay, Assistant Vice President and International Privacy Officer of Assurant; Trish Marcucci, Assistant Vice President & Senior Legal Counsel of AT&T; and Bruce Sarkisian, Privacy Counsel of the Coca-Cola Company.

The panelists discussed and compared how their respective organizations tackle the growing challenge of complying with different, and sometimes conflicting, privacy regimes across the globe.

The following are takeaways from the session:

1. Building a Global Privacy Program. The panelists generally agreed that using and developing country-specific privacy programs is no longer feasible given the growing number of countries that have introduced comprehensive privacy regimes. Instead, global organizations are developing a global privacy program and policy that describes the program’s core features, supplemented by disclosures/sections for specific countries or regions and based on common privacy principles (or themes).

2. Data Subject Requests—Automatic versus Manual Response. Many organizations currently handle data subject requests (such as access or deletion) through a privacy email account/portal managed by Privacy, Compliance, Legal and/or IT personnel. However, the panelists expect that the number of requests will increase as we near the effective date of the California Consumer Privacy Act (CCPA) on January 1, 2020. As such, companies may need to implement an automated process for handling data subject access requests. That process must be able to both verify a user and track a user’s request.  For large, complex organizations, it is generally very difficult to fully automate data subject access requests (“DSARs”) due to the need to collect data from multiple systems, locations and technologies (primarily due to legacy systems).  At a minimum, the automated system needs to be able to handle request intake and track the request as it moves through the organization. 

3. Global guidelines with local customization. To design a global compliance program, it is helpful to identify common themes in global privacy laws.  Specifically, privacy laws adopted in Europe, Latin America and the United States address the following common themes:  an organization’s use of individual personal information, transparency and notice, individual rights, breach notification procedures and reasonable security measures.  When developing a privacy program, the panelists noted that personnel responsible for handling privacy compliance must identify similarities among privacy regimes around the globe. Having identified those similarities, organizations should focus compliance resources on meeting common requirements.

4. Use internal resources for data mapping. Data mapping is either required or helpful for complying with many privacy regimes. Completing mapping using internal resources often yields better results, according to the panelists. Employees already familiar with an organization’s structure are more likely to capture the full scope of an organization’s processing. However, panelists added that the additional resources of outside firms may be needed given the time investment required to complete mapping.

5. Sustaining privacy compliance—implementing privacy by design. Even if organizations implement a state-of-the-art privacy program, privacy professionals within an organization should implement an ongoing compliance program. The panelists recommended establishing privacy champions in specific departments, countries or regions, adding required privacy review of new data use cases, and providing regular privacy training, all of which bolster ongoing compliance.