Happy Data Privacy Day! It’s been a busy few years for privacy compliance, filled with more than a few data breaches — some at well-known companies/brands — as well as some new data privacy laws.
If those laws apply to your company, you likely have to comply as soon as they become effective; otherwise a regulator could bring an action against the company. Compliance is particularly important when you have a deal on the horizon, so that your company can make data privacy representations and warranties for events such as a venture capital financing, a sale, an acquisition, or a merger. Planning in advance is the best way to avoid a deal dissolving because one or both parties breached the agreement when the representations and warranties they made about data privacy turned out not to be true.
But whether or not you are currently working on or towards a deal, and regardless of whether you run a large or small company, you should start working on compliance so you can sleep easy at night. We provide the timeline below to help guide you through the process.
To start, your company should take the below steps as soon as possible:
- First, start mapping (taking an inventory of) the personal data you have.
  - This isn’t something that is explicitly required by most privacy laws, but it enables your company to fulfill its other obligations under the law. It also helps you determine which laws apply to your company for future compliance planning.
  - To map your data, you need to know the who, what, when, where, why, and how of each piece of personal data: who it belongs to and where they are located, what type of data you have, when you received it or deleted it, where it came from (if not from the person it describes) and where you sent it, why you have it, and how you use it. Keep the map current for the best results.
- Second, put a privacy notice/policy in place. Having one is required by several major privacy laws, and its contents can determine whether the data can be shared or transferred to another entity. This step can make or break any deal, and can even affect your ability to liquidate assets in bankruptcy — or at the very least have a notable impact on the value of the deal — because any data collected without the proper disclosures in the privacy notice cannot be shared with another company. This can be a very difficult problem to fix after the fact.
Finally, set up appropriate security to protect personal data. What “appropriate” means will depend on your industry, location, the type of data and processing, and other factors, but you can look to your peer companies and competitors to get a good idea of what you should be doing. Online resources can suggest security controls, but evaluate what you find carefully against your own circumstances to determine whether it is truly “appropriate.”