Building a Data Privacy Response Plan:


Things move quickly when it comes to data privacy rights. Not long ago, California passed an amendment to the California Consumer Privacy Act (CCPA). The amendment called the California Privacy Rights Act (CPRA) that expands on the CCPA’s provisions and creates a new state agency to oversee privacy. Privacy laws and regulations similar to this are being passed all across the Unites States and the world.

When handling litigation, it is best to have a data privacy response plan in place. The below can be used to help assess your organization’s responsibilities and form a plan.

  1. Understand Your Responsibilities – It is necessary to understand the implications of your organization. Do you do business in a jurisdiction or industry covered by privacy law? Are your customers in such jurisdictions? These are important questions to answer because there is nuance on who the laws apply to and the scope of regulation.
  1. Form an Inter-Departmental Working Group – Legal, privacy, and compliance functions will eventually merge into a single, cross-functional team for handling data-privacy requests. In the past, these teams have worked individually, but need to come together with IT and business groups to handle data mapping for the organization as a whole. Having an inter-departmental group is beneficial to see how different departments are collecting and storing information and how it is being used.
  1. Know What Information You’re Looking For – Personal information covers a wide range of data that includes addresses, financial data, biometrics, geolocation, browser history, and audio-visual assets. An organization needs to know the range of personal data it has and how different departments might overlap in the information they collect or have completely different type of information.
  1. Establish a Consistent Approach and Pressure-Test It – This can be challenging since various privacy laws are not consistent. The first step is to create a standard way to receive privacy-related requests. A consistent approach to intake is key. Always look at the same data sources, use the same systems to perform searches, redact the same information, and report in a similar format. These policies and procedures should be implemented across the entire organization by communicating them properly to employees and providing training.

While this may seem like a daunting task, there are already a lot of parallels between handling privacy-related matters and what your organization is already doing for litigation. In litigation, you must identify what data you have, collect it, review it for any proprietary information, and then deliver it. This is very similar to the process for legal holds and eDiscovery. Building a data response plan by establishing a consistent process and facilitating cross-team collaboration will make any organization better equipped to handle any and all current and future developments in data privacy.


For more Tidbits & Thoughts, please click here.