What are the most difficult privacy and compliance issues for legal departments in the present tech environment?
For years, the legal department fought for easier and faster access to needed information within an enterprise. Once this was accomplished, in-house lawyers were shocked at the volume of data and the risk it posed, but reluctantly erred on the side of keeping data for longer than necessary so as not to get on the wrong side of a court or regulator.
The turning point came in 2016 when GDPR was adopted and there was the ensuing scramble to be compliant before its implementation in 2018. Here was a regulation with some teeth. If you don’t comply, not only will your organization be known as one that takes privacy lightly, but it will also face alarmingly high fines. So now, for in-house legal practitioners, one of their biggest challenges is having to balance their need for information with privacy and risk considerations that mandate deletion or return of data when no longer necessary for its original stated purpose.
With the proliferation of data, both within the controlled enterprise and shadow IT, this can be a bigger challenge than it seems. However, with detailed data mapping, unified governance, and robust search tools, legal practitioners have a better view into their organization’s data to make appropriate decisions regarding data retrieval (access requests, legal hold, and others) as well as retention and deletion periods.
What key legal issues will the tech sector face in the future and what would be the most effective response strategy?
The tech sector mostly caters to clients within corporate IT who need to handle the rate, pace, and complexity of change demanded by the transformation of their businesses while, at the same time, maintaining continuity of their day-to-day operations.
Part of that transformation includes a focus on how to monetize corporate data. This has led to the high demand for data scientists, data analysts, and data officers. They are tasked with getting executives needed insight into data in order to make better business decisions. However, just because the data is within the enterprise doesn’t mean it can be used for this purpose.
Most data privacy regulations dictate that consent must be captured for information to be gathered and it must be used for the purpose for which the consent was originally given. Therefore, the tech sector was compelled to build in controls within its products to allow clients to implement these requirements in a consistent manner. This resulted in a number of software and hardware products being pulled back and re-engineered to add additional privacy and security control features. Because this was a slow and costly process, technology companies now have legal expertise embedded within their IT teams to ensure new products are built with the appropriate standards that include privacy and security by design.