Lawyers can’t get privacy right alone
Nigel Jones, co-founder of the Privacy Compliance Hub, discusses how and why lawyers and legal teams should build a culture of continuous privacy compliance for 2022.

Modern businesses collect copious amounts of data from their customers every day – from address and credit card details, to shopping behaviour and other preferences. And as more people shifted to interact with brands online during the pandemic, the volume of available information multiplied.
Data can be an incredible resource for businesses, driving innovation, loyalty and insight. But if it’s not handled with privacy in mind, it can also lead to significant fines, a loss of reputation and a reevaluation of company practices. The ICO handed out £1.7m in fines for marketing breaches alone in 2021 and some experts predict new ICO commissioner John Edwards will issue more fines under the UK GDPR than his predecessor.
In-house lawyers understand the importance of privacy, but it’s something they tend to take responsibility for without being across the nitty gritty of this area of the law. Yet keeping up with evolving GDPR (and UK GDPR) case law and advising business leaders accordingly often comes under their purview.
Lawyers need to accept that privacy is not a one person (or perhaps even a one legal team) job, nor is it a project to be crossed off once a year. They need to acknowledge that with everything else on their plate, they are unlikely to always be on top of all the developments in data protection law. They need to delegate and spread the responsibility so that privacy is built into a company’s DNA, stretched across every department, and considered at every stage of a product’s (or service’s) lifecycle. A lawyer may not even be the best person to be in charge of this job (sorry!).
It starts with people
Everyone in a business should be involved in protecting privacy. Almost all (90%) data breaches in the UK are down to human error. So having a well trained workforce is essential, particularly with more people working remotely. Cybercrime has spiked in the past year, with many pointing to more relaxed security provisions in the home working environment. The aim should be for everyone in the organisation to understand the importance of privacy. When people understand, they care. And when they care, they’re happy to do their bit to keep data safe.
Boost empathy by emphasising that each line on a spreadsheet is a real person, and their data should be treated with the same care that we hope others use when they handle ours. Make sure employees attend training sessions regularly and know what to do if something goes wrong. Hiding a problem will only make it worse, particularly if you’re obliged to report it to the Information Commissioner’s Office (ICO).
Be proactive
With the whole organisation involved with protecting privacy, it becomes easier to be proactive, rather than just reactive to problems. It also hugely reduces the risk to the organisation as well as the stress and workload of the lawyers. At every stage of a project, staff should be asking the question – what does this mean for privacy? Appointing privacy champions in each department can help build this culture of compliance from the ground up. Younger, digital-native employees in particular want to work for companies that take privacy seriously and reflect their own ethical values. Take advantage of this enthusiasm and give them responsibility for their own department’s privacy culture.
Make privacy compliance familiar – talk about data privacy as much as possible, relate it to real-life situations and invite feedback so staff feel part of the process of building good privacy practices into their organisation.
This is business critical
Apart from all the support you can drum up from employees, business leaders need to drive the charge too. They need to care about privacy openly and make it clear that it’s a priority for everyone across the organisation (not just something to be handed to the legal team). Privacy should have a place at the boardroom table, with responsibilities assigned to it and regular updates and targets.
Increasingly, privacy is becoming a competitive advantage. Big tech companies such as Apple, Firefox and even WhatsApp are making this a core part of their proposition. Customers care about it – 54% of Brits polled say they’re now more concerned about their online privacy than a year ago. There are plenty of reasons for in-house lawyers to make 2022 the year they reduce their organisation’s risk, delegate privacy and contribute to the bottom line by building a culture of continuous privacy compliance.