Need to Know Podcast Season 2 – Episode 2: The legal risks arising from poor internal stakeholder communications and how to mitigate them

The rise in the number of class action lawsuits relating to data privacy has served as a warning for organizations that increased accountability and transparency are vital in remaining legal, compliant and reputable.

With users increasingly aware of consent and data privacy, organizations need to understand that clear lines of internal communication around practices and planning are the best way to mitigate potential risk, rather than learning this the hard way.

The second episode of our second series explores how the increasing number of class action lawsuits against organizations in multiple verticals is highlighting the need for consistent communication around data privacy. With users increasingly aware of how their data is used and shared, businesses using that data have a higher duty of care when it comes to protecting and distributing it – and in making data owners aware of how, when and why it is being used or shared.

In this episode of “Need to Know” host Liz Green, EMEA Advisory & Cyber Lead at Dell Technologies, is joined by Alfred J. Saikali, Chair, Privacy and Data Security Practice, Shook, Hardy & Bacon.
Listen In To Learn

  • Why clear lines of communication between departments are vital in ensuring lawful and compliant data collection and protection practices
  • How the increase in consumer awareness around consent and privacy has increased the need for transparency and accountability
  • What the emergence of increasing enforcement and financial sanctions means for organizations when it comes to data ethics and accountability

Foresight, not hindsight

Anticipating risk involves having a clear and thorough understanding not just of current practices and legal requirements, but of those that might emerge in the near (or even distant) future. The current wave of litigation against entities including news outlets, streaming services and adtech vendors highlights the importance of foresight when it comes to risk management – as you can’t mitigate against a risk that has already occurred.

The risks leading to these current legal ramifications could have been avoided through increased transparency and better internal communications. Taking the adtech sector as an example, many organizations are using ‘back end’ technologies on websites (such as pixels) to collect and share visitor data with third parties. The legal risk involved with inadequate disclosure could have been avoided had IT and web development teams discussed these approaches with legal teams to assess potential privacy and compliance concerns.

The current legal scrutiny of biometric identifiers is another area where internal communication could have avoided risk. Where Information Security teams, delighted by the heightened privacy opportunities that biometric data offers, have begun collecting user data by means such as facial recognition or retinal scanning, they have fallen foul of regulations in jurisdictions where written consent to the collection and use of such data is a legal requirement. Had they paused to discuss their strategies with legal teams, they would have been able to highlight – and mitigate against – these potential risks.
(Don’t) Just Say No
“Nine times out of 10 there is a solution, it’s not that the answer is no – you just need to do it in a certain way.” – Alfred J. Saikali
While avoiding risk is the primary goal of the legal department, and it can be tempting to ‘just say no’ to eliminate even the slimmest possibility of risk, this can stymie innovation and disrupt moving an organization forward.

The role of legal teams can be more agile when it comes to responding to and embracing new technologies and trends, and by working in close collaboration with other teams, legal can be instrumental in finding positive and progressive solutions.

Similarly, biometric data collection can absolutely be used as long as local legislation, compliance and legal practices are understood and met. Information Security and IT teams, working alongside legal, can develop the right system of declared notice and written consent to both collect user biometric data and satisfy legal requirements in the given jurisdiction (or jurisdictions) that their organization is operating in.
Getting risk mitigation right

“The first step is understanding the technology and knowing if it’s something that applies to you.” – Alfred J. Saikali

Mitigating risk is about anticipating risk – too often, organizations are left needing to seek legal counsel and support after action has been taken against them because they didn’t know they were using a technology or practice that isn’t compliant or puts them and users at risk.

Understanding the technology you are using, and why, how and when it is being used, is a vital first step in establishing good risk management – knowing if there is a potential risk, and how to mitigate against it. This comes down to having clear, transparent lines of internal communication in place so that every department can understand potential risk factors and work to solve them collaboratively.

An effective method of practicing this collaboration is to hold a regular call between stakeholders across multiple departments, such as legal, HR, marketing, Information Security and IT. This is a fantastic opportunity for representatives to share information on current operations and flag potential risk, and also to discuss things at a planning level, such as onboarding new technologies and understanding the potential risks involved, and how to pivot to remain compliant.

Organizations can also look to include external counsel or partners on these calls, to stay abreast of industry and legislative changes on a regular basis and to understand how these might affect strategy and levels of compliance. In the fast-moving data privacy and regulation environment, merely staying up to date with potential risks isn’t enough – organizations need to stay steps ahead of them as well.

———

At Dell Technologies, our objective is to provide a deep and broad portfolio of products, delivering specialist solutions for our clients, and partners enabling these solutions. To find out more about our range of cyber resilience solutions and how these can help inform your security strategy, click here.

You can listen to all episodes of “Need to Know” podcast, including this conversation on … here.