Privacy, Compliance Pose Big Challenges for In-House Counsel

A Conversation with Heidi Maher, CGOC and IBM

In her dual role as executive director of the Compliance and Governance Oversight Council and privacy lead for Hybrid Cloud, IBM, Heidi Maher has gained considerable insight into some of the critical issues that surround data use and the protection of personal information. She shares some of her thoughts on these and other topics.

What are the most difficult privacy and compliance issues for legal departments in the present tech environment?

For years, the legal department fought for easier and faster access to needed information within an enterprise. Once this was accomplished, in-house lawyers were shocked at the volume of data and the risk it posed, but reluctantly erred on the side of keeping data for longer than necessary so as not to get on the wrong side of a court or regulator.

The turning point came in 2016 when GDPR was adopted and there was the ensuing scramble to be compliant before its implementation in 2018. Here was a regulation with some teeth. If you don’t comply, not only will your organization be known as one that takes privacy lightly but it also comes with alarmingly high fines. So now, for in-house legal practitioners, one of their biggest challenges is having to balance their need for information with privacy and risk considerations that mandate deletion or return of data when no longer necessary for its original stated purpose.

With the proliferation of data, both within the controlled enterprise and shadow IT, this can be a bigger challenge than it seems. However, with detailed data mapping, unified governance, and robust search tools, legal practitioners have a better view into their organization’s data to make appropriate decisions regarding data retrieval (access requests, legal hold, and others) as well as retention and deletion periods.

What key legal issues will the tech sector face in the future and what would be the most effective response strategy?

The tech sector mostly caters to clients within corporate IT who need to handle the rate, pace, and complexity of change demanded by the transformation of their businesses while, at the same time, maintaining continuity of their day-to-day operations.

Part of that transformation includes a focus on how to monetize corporate data. This has led to the high demand for data scientists, data analysts, and data officers. They are tasked with getting executives needed insight into data in order to make better business decisions. However, just because the data is within the enterprise doesn’t mean it can be used for this purpose.

Most data privacy regulations dictate that consent must be captured for information to be gathered and it must be used for the purpose for which the consent was originally given. Therefore, the tech sector was compelled to build in controls within its products to allow clients to implement these requirements in a consistent manner. This resulted in a number of software and hardware products being pulled back and re-engineered to add additional privacy and security control features. Because this was a slow and costly process, technology companies now have legal expertise embedded within their IT teams to ensure new products are built with the appropriate standards that include privacy and security by design.

How might in-house legal departments be affected by the widespread introduction of 5G technology?

This is an exciting time in technological advances. 5G plays a significant part because it brings together three compelling benefits: faster data speeds, lower latency, and increased connectivity. Whereas it normally takes 100 milliseconds for information to travel across a network, with 5G it is expected to take only 1 millisecond. It’s expected to reduce signal transmission delays or latency by 90%, creating true real-time communication and quicker access to information in the cloud. These benefits will enhance consumer experience through applications such as Internet of Things and future developments in virtual reality and autonomous driving.

Before it is fully implemented, there will be legal and liability issues that should be considered because 5G’s advanced features can enable a number of novel applications and services such as remote health care/surgery, vehicle-to-vehicle communication, and public safety.

There are other impacts to consider. 5G has a shorter range than 4G and cannot go through walls. This means more cell towers will need to be erected both outside and inside buildings, giving telecom companies the ability to collect incredibly precise location data on their users. How will that data be used? Who will have access to it? Can back doors be built into the 5G computer chips to allow foreign state actors to control our network and access our information? How much security risk can we tolerate for the benefits it promises?

Undoubtedly these issues will need to be further explored and addressed through regulation and internal compliance processes.