By Alec Christie, Partner and James Wong, Associate
Things may seem in place but often organisations’ privacy and information security compliance is, in practice, way off the mark. With the recent approach to civil penalties in the Facebook action (and privacy fines soon to increase anyway), how can you get assurance of where your privacy compliance is really at?
Compliance in the digital age
Privacy and information security compliance has always been a moving target. In the current business environment, it’s a fast-moving target. Both the current forced move to a ‘work from home’ remote workforce and new uses of data are disrupting the most established of business models – across every sector from aviation to zoo-keeping. Meanwhile, malicious actors are getting smarter. The goalposts are shifting faster than most compliance functions can keep up with.
Coupled with ever-increasing scrutiny of how organisations responsibly and lawfully handle data (including in the midst of a pandemic), compliance generally is undergoing a process of reinvention underscored by privacy and information security compliance. However, the best of intentions (and even all the right policy moves) rarely translate into true compliance across the entirety of the organisation.
With the potential impact of the court action against Facebook in relation to the Cambridge Analytica scandal and privacy fines soon to increase to the greater of $10m and 4% of annual domestic revenue, how can you get assurance of where your privacy compliance and information security are really at?
Good policies and governance are not enough
We have seen many organisations design and implement robust policies around privacy, confidentiality and information security only to find that these are not fully reflected in the systems and processes of the organisation and, sometimes, completely ignored. This tends to stem from:
- entrenched practices/habits that are difficult to override (possibly in acquired businesses);
- a lack of awareness of what constitutes ‘personal information’;
- a static risk assessment culture;
- the internal focus of policies and procedures, leaving room for non-compliance by suppliers and service providers; and
- DIY legal experts, where employees and contractors have their own (often folklore) ideas about what is or is not allowed.
Good information security alone is not enough
We frequently see organisations that have implemented best-of-breed enterprise systems featuring all the latest security bells and whistles. This tends to lead to a false sense of compliance. In reality, it is just one of many facets of overall privacy compliance and good data governance.
A narrow focus on information security controls, especially in the BAU environment, often overlooks some basic threshold issues, including how such hold up in the current totally different work environment, leading to the need for expensive remediation later.
Compliance starts at the coalface
Your ability to comply with privacy and information security requirements, especially non-BAU, relies on the actions/inactions of everyone (including some people outside your organisation). It is impossible to design a successful privacy and information security compliance program that doesn’t account for the seemingly mundane day-to-day information practices of your organisation and of third parties.
We often see organisations attempt off-the-shelf privacy compliance and this, ultimately, contributes to a disconnect between gold standard intentions and lacklustre practices.
What is a privacy review/audit?
A privacy internal audit (where performed as part of your internal audit program) or review (where performed outside your internal audit program) is an incredibly powerful tool to determine your organisation’s current privacy and information security compliance (review). Not where you think you are or where Management hopes you are, but independent assurance of where your organisation actually is as regards privacy and information security compliance both for BAU and/or in these extraordinary times.
If you have an internal audit program, privacy and information security should be included as a core component of the program. Consider whether your internal audit team have appropriate specialist privacy expertise to conduct the review and whether the resulting findings and recommendations will be covered by legal professional privilege. In some cases, having legal privilege apply is highly recommended.
The review can be of your organisation’s overall privacy compliance (i.e. all business units) in respect of all privacy obligations both BAU and in these extraordinary times, if your delivery of services or workforce activities has significantly changed. This is a comprehensive “line in the sand” review to determine how much work has to be done to get your whole organisation to a level of overall privacy compliance that the Board or Management are comfortable with. This is particularly useful for organisations who have not been as focused on privacy and information security as they should have been, are new to the digital economy or have acquired a new business and have simply bolted this on to the existing group.
This comprehensive review is also good as an independent third party verification for those organisations that are ‘sure’ their privacy/information security compliance is top-shelf (i.e. they are fully compliant), because this is what the Board has been told. Also, a comprehensive review might be a good way to examine how your privacy and information security program holds up in a crisis such as the COVID-19 pandemic.
Alternatively, the review can be targeted at:
- your current non-BAU state of service delivery or working arrangements;
- specific business units (whether they be particularly information intensive, innovative or digital or a new business developed or acquired); and/or
- specific privacy areas or obligations (for example, obtaining consent, notifying the prescribed information at the required time, data breach capture, assessment and notification, use of the personal information across business units).
These targeted reviews are best suited to organisations that have significantly changed the way they operate to cope with COVID-19, recently developed or acquired a new business line, started to use previously collected personal information for new data analytics or projects, are innovating and digitising the way they handle information (e.g. robotic process automation or artificial intelligence, including where such is assisting in decision-making) or where only a couple of business units are information intensive.
Benefits of the review
In either case, a review gives your organisation a clear picture of where your organisation is at as regards privacy and information security maturity and compliance or how you have adapted your existing framework and processes to the ‘new normal’. The review will help you assess the organisation’s risks and the potential exposure to liability if you maintain the status quo. In addition, good review reports will also detail and advise on what is required to amend/correct processes and policies to be compliant. They will also increase the general level of privacy understanding within the organisation.
Why use privacy lawyers for the review?
Of course, the benefit of a full and frank independent review is also often seen as its major downside: that it details your organisation’s privacy and information security shortcomings in a potentially discoverable document – the smoking gun for plaintiffs/complainants and the regulator(s).
However, if the review is done by privacy lawyers there are two significant advantages:
- only a lawyer can provide legal advice/a legal opinion on: (i) compliance with privacy law; and (ii) the measures necessary to legally remedy any compliance gaps, which legal advice can be used as your organisation’s ‘defence’ against (or at least to limit) fines/penalties; and
- work product including the review report can, in appropriate circumstances, benefit from legal professional privilege and not generally be available to regulators or plaintiffs in commercial litigation, privacy complainants or the like. That is, you do not have to worry about ‘airing your dirty laundry’ in public as it is protected from forced disclosure where legal professional privilege applies.
Why the Mills Oakley’s Digital Law team?
Not every lawyer knows privacy and information security like the experienced and recognised Digital Law team at Mills Oakley. Nor can every privacy lawyer do a meaningful and useful privacy review. That is, a collaborative review that provides clear, pragmatic and commercially reasonable solutions or workarounds to address any compliance gaps identified. The Mills Oakley Digital Law team’s review report will be a collaborative (no surprises) exercise, highlighting the compliance gaps, providing ratings as to their severity (and thus potential risks to the organisation), include considered practical solutions or workarounds and realistic timeframes (as discussed with management) for achieving these fixes.
Where your organisation has an established internal audit program, we will follow your existing report style and risk ratings. We can also stagger the areas of focus across a number of audits to address particular business units and/or particular privacy obligations over a period of time.
The Digital Law team at Mills Oakley are privacy lawyers who are also experienced in providing these internal audits/reviews and, having come from a Big Four consultancy firm background, understand and will deliver concise, practical and cost-effective recommendations to meet any compliance gaps. We will also advise you as to the risks and potential liabilities of not addressing those gaps.
We are happy to work on a fixed-fee basis in respect of these audits/reviews based on the size of the review and the number of business units/privacy obligations to be reviewed.
We are happy to discuss your needs and prepare a scope of work and propose a fixed fee for you to consider. Also, understanding the COVID-19 pandemic is significantly disrupting business as usual, we are happy to offer a 20% discount off our usual fixed fees for reviews if the review is commissioned before 20 April 2020 and work on the review is completed before 31 July 2020.
Get the latest news insights and articles straight to your inbox, simply enter your details.