DataGrail recently interviewed Scott Giordano, IAPP Fellow of Information Privacy, VP of data protection at Spirion and data privacy attorney, to bring you insights from a leading legal professional in the field of data privacy.
DG: How has your role as a data privacy attorney evolved over the past 5 years?
SG: About five years ago, there were some sectors taking privacy seriously. For example, I worked with a defense contractor and they took privacy seriously, which was great. Over time, and it was a slow uptick, every industry began to take data privacy more seriously. I think that came because of GDPR. It got so much attention that I think even industries that wouldn’t spend much time thinking about GDPR suddenly had to. For example, a bank with only U.S. customers wouldn’t have to worry about GDPR; however, their customers demanded it become GDPR compliant.
It’s interesting how over the course of the last five years, privacy has evolved into something that’s very common now, where before it was a very specialized area, like financial, healthcare, defense, and a couple of other sectors. Now it is almost a household item.
And the role of a data privacy attorney has changed in many ways. Beyond five years ago, it was what I call an “inbox operation,” where the client would give you very specific tasks to do to help advise them on the best course of action on compliance. Now inside counsel, you’re asked to become involved early in product development, understanding the privacy implications of the features and knowing what you have to do to become compliant. You’re asked to be much more proactive in everything you do.
DG: How can firms reassure customers that their privacy is handled with care by the data protection team?
SG: What kind of risk assessment have they done? Has the organization conducted a thorough risk assessment, and what areas have they assessed? There are different types of risk assessments. It can be just an enterprise assessment, which is nice but not overly helpful. The opposite of that is a Data Protection Impact Assessment (DPIA), which is for an application or process that utilizes personal data. When you have done a DPIA and have someone, like the CISO, DPO, etc., who has signed off on it to acknowledge the results and plan for improvement, that’s a great way to show that you are taking privacy seriously.
DG: With no concrete federal privacy regulation in the near future, what do you anticipate happening in the regulatory landscape in the US in coming months?
SG: What I anticipate is more of what’s happening now: a quiet revolution of state data protection laws and regulations. People tend to gravitate toward the CCPA, but in the last year, nine or ten other states also passed their own privacy and security regulations. And they weren’t just breach notifications. A lot of them addressed standards for third parties, some addressed internal organizational controls, and some addressed exposure of personal data. We’re seeing more this year. My state, Washington, is considering legislation for the Washington state version of CCPA. I suspect it will pass into law because it’s not a partisan issue, and I don’t see a lot of opposition on that basis. The fact that it’s not a partisan issue bodes well for its passage. [Note: the Washington Senate did pass a consumer privacy bill, 46-1, shortly after this interview took place.]
We are seeing some states taking a more narrow approach, like biometric privacy laws or changing aspects of other privacy laws. The net result is we are seeing a quiet revolution of state data protection laws. I expect by the end of the year, we’ll see a lot more on the books. It’s a different dynamic than I’ve ever seen before.
But I think the train has left the station as far as a federal privacy law. If there is one, it won’t pre-empt state laws. They may set a floor, but they won’t set a ceiling because states have invested so much in their privacy laws.
DG: What are the best ways for firms to reduce compliance risk for upcoming legislation in the US?
SG: Far and away, the best way is to have a very good idea of the personal data you are possessing and processing and find ways to reduce it. We tend to collect a lot of data we don’t think we’re going to need but we collect anyway, just in case. Turn that on its head and say, if we don’t need it, we aren’t going to collect it. If we don’t have it, it’s not there to steal or to lose. That’s a great way to reduce your exposure.
Then you can look at the data you do have and come up with a way to create a bigger fence around a smaller area. With that mentality, that strategy, you are in a much better position to protect personal data.
DG: How have you seen the data privacy landscape change from a legal perspective over the past 3 years?
SG: I think the most important change is the union of security and privacy disciplines. This is something the EU got right a couple of decades ago with the Data Protection Directive, which covered everything. Traditionally in the US, we have a privacy track and security track, but now we’re beginning to see them merge. That’s good. It means legal is getting involved earlier. Because they are getting involved earlier, it is preventing a lot of mistakes from happening later down the road. I can’t tell you how many times in the past I’ve gotten calls from people asking me to look at a contract that is scheduled to be signed the next day. When you bring in legal that late, it’s hard to fix things. Consequently, looking at data protection as a discipline, bringing in legal early, works for everyone’s benefit. That single discipline is going to make a big difference in protecting data.
DG: What are the biggest challenges firms face when adapting to guidelines set by the CCPA and GDPR?
SG: Some companies take a very hands-off approach and say there’s nothing we can do, or it doesn’t apply to us, or we’ll wait until we get fined. I think that’s the wrong approach. I’ve seen cases where companies were affected by GDPR and didn’t want to address it, and I think that’s going to hurt them over the long haul. Whereas, organizations that take an incremental approach, do a risk assessment, and do whatever they can do to improve over time are more likely to be successful.
DG: With rising consumer demand, how will businesses adapt to greater privacy focus and transparency with data practices?
SG: A lot of this is going to revolve around determining what is done with the data and being able to translate that into something that’s very simple for the consumer to accept or deny. One of the problems we’re having now is if you read an end user license agreement, you might have 20 or 30 different uses of personal data but you’re checking a single box saying I agree. The problem is that it is all or nothing, and that approach is rejected by the EU and GDPR.