woman with a suitcase being chased by a clock

Data protection is a critical issue for all organisations operating in the digital era. And it’s something GCs play an integral role in protecting. Your focus on business risk as much as legal risk, and unique position as chief problem solver, means you need to be well informed about ongoing legal developments and collaborate with multiple departments in a company. 

While privacy compliance isn’t just a legal issue and should involve the whole company, it’s something GCs are often expected to lead on, ensuring procedures are in lockstep with any applicable laws and helping to anticipate and mitigate any damage when or if a data breach occurs. And with a recent survey revealing over half of businesses suffered a data breach in the last 24 months, the odds of a data breach occurring under your watch are shortening. 

The Association of Corporate Counsel (ACC) 2023 Chief Legal Officers Survey, which surveyed almost 900 chief legal officers (CLOs) from 35 countries, found cybersecurity, regulation and compliance, and data privacy are seen as the three most important issues facing CLOs today. More than two thirds expect the volume of privacy related regulatory enforcement to increase in 2023.

As a GC, you know it’s a busy job, with multiple priorities jostling for time and budget. But it is possible to get on top of privacy, and build a culture of ongoing compliance within your organisation. Here’s how: 

1. Don’t put it off

You probably did a little data protection work a few years ago. You know that it is out of date. You know it needs taking care of. Don’t put it off. The longer you put it off, the worse it will get and the more you’ll worry about it. There are easy solutions that can put your mind at ease.  Take some time to find the right solution for you and your organisation so that you minimise the risk of that embarrassing data breach which you know will be way more work and stress than putting a simple privacy management programme in place.

2. Don’t worry that you’re not an expert

You’re probably not a data protection expert. That is absolutely fine, you don’t need to be. And it doesn’t mean that you have to pay somebody else to be the expert. Data protection is not meant to need lawyers and consultants to get it done. All you need is a good plan and to set aside some time each month to tick off the privacy tasks that need taking care of. 

3. Don’t let perfect get in the way of good

Lawyers love perfection. But as the old adage goes, ‘don’t let perfect get in the way of good’. Every organisation has its own particular privacy problem that it doesn’t know how to solve. It may be how to map complicated data flows; it may be its use of online advertising; it may be taming a product management team or a marketing team. Don’t let that troublesome problem get in the way of fixing all of the other things you can take care of more easily, such as training your staff, evaluating your security and making sure that your organisation is transparent about the ways in which it uses personal data. There is no shame in leaving some of the hard stuff until later.

4. Do set aside some budget

Don’t worry about the expense of getting privacy sorted – explain the risks and justify the value of what you need. We understand that the business is probably paying you a lot of money to sort all of the legal stuff. You may or may not have a team of very expensive people to help you.  But that doesn’t mean that you don’t deserve help. Getting privacy wrong is a risk to your business and one of your main jobs is to minimise risk. It goes without saying that the business will want to prioritise revenue and deliver great products and services, but if you get privacy wrong it will be on your head and you won’t have anyone else to blame. And getting it right costs a lot less than you think.

5. Do make it a habit for everyone

Getting privacy sorted is not a one off project, it is a programme. To keep your programme going, you’ve got to develop a habit and involve everyone in the organisation. Get a team of privacy champions together, agree on a plan and continue to chip away at that plan. Don’t bite off more than you can chew. Slow and steady wins the race every time.