General Counsel Can Lead on Privacy Compliance
By Nigel Jones
December 13, 2023
Nigel Jones is the former head of legal at Google EMEA and co-founder of the Privacy Compliance Hub.
Originally published in Today's General Counsel, December 2023
As chief problem solver, general counsel play a pivotal role in overseeing an organization’s strategy for data protection and privacy compliance. While it’s something that should involve every department throughout a company, GCs have an unparalleled point of view that balances business and legal risks. They’re uniquely placed to ensure processes are in line with applicable laws, can anticipate risks of a data breach, and help mitigate the damage if an issue occurs.
GCs are already incredibly busy. But the need to devote time and money to this problem is only becoming more acute. In one recent survey, which polled almost 900 chief legal officers from around the world, cyber security, regulation and compliance, and data privacy were rated the top issues for legal officers. The majority expect the number of privacy-related fines and other regulatory enforcement to increase this year.
With that in mind, here’s where GCs can start:
Commit to taking the first step. You probably did a little data protection work a few years ago. You know that it is out of date. You know it needs taking care of. Don’t put it off. There are easy solutions. Take some time to find the right one for you and your organization to minimize the risk of that embarrassing data breach, which will be more work and stress than putting a simple privacy management program in place.
You don’t have to be an expert. You probably aren’t. The good news is, you don’t need to be. Data protection does not require expensive lawyers and consultants to manage. All you need is a good plan, and some time set aside each month to tick off the privacy tasks that need to be taken care of.
It doesn’t have to be perfect. Lawyers love perfection. But every organization has its own particular privacy problem that it doesn’t know how to solve. It may be how to map complicated data flows; it may be its use of online advertising; it may be taming a product management team or a marketing team. Don’t let that get in the way of fixing all the other things you can take care of more easily, such as training your staff, evaluating your security, and making sure that your company is transparent about the ways in which it uses personal data. You can leave some of the hard stuff until later.
It doesn’t have to be expensive. You will need some budget, but it doesn’t have to be expensive or hard to justify. Getting privacy wrong is a risk to your business and one of your main jobs is to minimize risk. It goes without saying that the business will want to prioritize revenue and deliver great products and services. If it finds those products or services in the middle of a data breach, the impact can be devastating. Loss of reputation, loss of customers, the risk of fines, and a hefty bill to put things right are all quite possible. Plus sorting privacy costs a lot less than you think.
Get everyone involved. Getting privacy managed is not a one-off project, it is a program. It should involve everyone in an organization. Get a team of privacy champions together, agree on a plan, and continue to chip away at that plan. Slow and steady wins the race every time.
Must read intelligence for general counsel
Subscribe to the Daily Updates newsletter to be at the forefront of best practices and the latest legal news.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.