Focusing solely on “compliance” with applicable laws is an inefficient approach and should only be considered in specific circumstances.
Under such an approach, a business must review each law and its associated regulations to:
- determine whether it must comply,
- figure out what compliance looks like,
- put together a roadmap to achieve compliance in a timely manner, and
- select and properly configure the tools necessary to achieve and maintain compliance.
By the time all of that has occurred, new laws and regulations have likely taken effect that may impact the prior assessment and implementation. This ad-hoc compliance practice is only a workable solution for smaller organizations or when used as a temporary stop-gap measure.
Instead, consider developing an internal privacy program for your organization that addresses the fundamental goals of privacy legislation. Consider, for example, what information you collect and use, why you collect and use that information, whether and how you disclose your use of that information to your customers, how you secure that information, and how long you retain that information. Use your answers to these questions (and others) to make data privacy a core principle in your organization. With privacy as a focal point, compliance with existing and future data-privacy laws will be less disruptive to your organization. Your IT Department will thank you, too! Most importantly, you’ll be able to use your organization’s dedication to privacy as a differentiating factor in the marketplace as consumers become more aware and more demanding.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.