Amid ever-tightening global data regulation, Lawyer Monthly invited Todd Ruback, Chief Privacy Officer & VP of Legal Affairs at Evidon, to share his insight on navigating the new data protection compliance climate.
Todd discusses shifts in the ways companies view data protection, how they impact the legal community, and the best way firms can adapt. As Chief Privacy Officer and VP of Legal Affairs at Evidon, a global technology company that produces governance, risk and compliance tools for data protection laws, he has plenty of experience to draw upon.
Privacy law is undergoing a shift: what’s changing and why?
Laws naturally follow evolving business practices and privacy is no exception. Business today is digital, which needs data to flow easily and almost anywhere, forcing a paradigm shift away from the traditional notion of borders toward a borderless world—at least as far as commerce is concerned. Thus, we are seeing the emergence of global standards — in the form of laws or principles. The EU’s General Data Protection Regulation (GDPR) is such an example. Fundamentally an update of current EU data protection laws, the GDPR aims to give control over personal data back to consumers by establishing new individual rights, while at the same time beefing up the obligations of the companies that collect personal data. What makes the GDPR especially important is its remit, namely that it applies to any organisation that offers its services to an EU resident, is established in the EU, or is engaged in website monitoring. The remit sweeps up just about everyone.
Yet while the GDPR is proscriptive in nature, it is not prohibitive, and will serve as a single global standard for many multi-national organisations to benchmark against. Since the US doesn’t have its own national privacy law and the EU is a critical trading partner, many US-based multinational companies will adopt the GDPR as their global data protection standard. In fact, the GDPR will become the de facto national privacy law in the US.
How do law firms need to prepare their clients for regulatory changes?
Now more than ever, organisations need trusted business advisers, who not only have a deep understanding of what regulations entail, the details and nuances, but also how the law affects the particulars of the business. The GDPR will force companies to re-think their relationship to data — what they collect, the way it is stored, and how they use it — as well as change how websites work. Consent management, an emerging discipline, will become a central pillar for any website in the near future. There are many law firms that explain laws to their clients, but what clients really need to know is how it affects them and what they can do to turn new regulations and obligations into a strategic advantage. That's true added value. This unique knowledge set is what will separate the winners from the herd in the legal community.
Are businesses fully aware of the effects of the General Data Protection Regulation?
It depends on the business, industry, and jurisdiction. Generally, I see organisations that are already operating in heavily regulated areas, like financial services, taking the GDPR in their stride. Yet there is a need for greater awareness in industries, such as martech and adtech, of the challenges it presents for digital advertising. For example, the GDPR introduces a new consumer right — the right to object to profiling — which will directly impact the way advertisers, and their supply chain partners, track consumers.
Firstly, they will be legally required to obtain unambiguous permission from individuals to use their data. Secondly, advertisers will need to have comprehensive knowledge of how data is collected, stored, deployed and protected, both internally and by third-party vendors. So, ensuring every stage of processing is compliant will be a significant activity for advertisers, necessitating constant database assessment, organisation and cleansing to avoid a breach. But many are waiting for a few leaders to step forward, and thinking they can find regulatory safety by hiding in the shadows. This is not a wise strategy.
The legal world has been focused on the General Data Protection Regulation for a few months now; is the industry paying enough attention to the ePrivacy Regulation?
The GDPR and ePrivacy are both critically important. The ePrivacy Directive is presently going through its own legislative overhaul, specifically to close any gaps ePrivacy may have with the GDPR. The proposed legislation most likely won’t be effective contemporaneously with the GDPR, on 25 May 2018, but it may not matter because ePrivacy will adopt the existing data protection framework, in this case the GDPR. That means that whatever the outcome of the ePrivacy overhaul, ‘consent’ as defined by the GDPR will be the new standard. We can expect, then, both ‘implied’ and ‘explicit’ consent—the existing forms of consent in today’s ePrivacy Directive—to be replaced by the GDPR’s ‘prior consent’ approach, which promotes specific, clear and unambiguous consent to process someone’s personal data. This heightened level of consent will be especially vexing for the martech industry, which often collects personal data on websites, but doesn’t have a nexus with the website visitor. It will be left to the website itself to get consent on behalf of these invisible companies.
However, caveat emptor with regard to the ePrivacy Regulation, because it not only will adopt a tough new level of consent, but not getting consent right will open the door to GDPR levels of penalties, up to €20 million or 4% of global turnover, whichever is more. Where the ePrivacy Directive was inconsistently enforced and didn’t have much monetary risk for non-compliance, the ePrivacy Regulation will be just the opposite: well enforced, because it’s easy for the enforcement authorities to see a consent solution, and the penalties can be crippling, if not fatal. It will be a shame if this happens, but it will also be the catalyst to nudge the market into compliance.
How do you expect privacy law to change in the future, and what advice should firms give to prepare their clients for this?
I would suggest firms be on the lookout for the emergence of more notice and consent laws, most likely through revisions to existing national privacy laws around the world. These laws will be aligned and both the GDPR and the ePrivacy Regulation will require companies to be more accountable for their actions and rethink their data strategies. Companies will also need to consider how they can go beyond simple compliance. By exceeding legal standards, they can be ahead of consumers’ increasing privacy expectations and may be able to future proof themselves.
Todd is the Chief Privacy Officer & VP of Legal Affairs at Evidon, Inc. where his responsibilities include overseeing the company’s privacy practices, engaging with the privacy community, and managing the legal department. He holds privacy certifications as a CIPP-US/E and CIPT through the International Association of Privacy Professionals. Prior to Evidon, he was head of the privacy and technology practice at the law firm of DiFrancesco, Bateman, Coley in Warren, New Jersey and was also President of the Privacy Special Section of the New Jersey State Bar Association. Todd attended the University of Denver where he received both his BA and his JD.
Evidon is a global technology company focused on simplifying the complex world of Digital Governance. As companies add more marketing and advertising technology to maximize the return on their digital investment, building consumer trust has become ever more important. Fulfilling this promise requires organizations to have a comprehensive approach to govern data collection across their sites, apps, and ads while staying in compliance with global regulations. The world’s leading brands rely on Evidon to empower their Digital Governance success across millions of web pages and apps that drive billions in online revenue.