Data Privacy
Personal information of customers, employees, and vendors is one of the most valuable assets held by a company and also, increasingly, one of the most vulnerable to unlawful disclosure. Personal information essentially includes anything that can be used to identify a particular person. This includes obvious items like names, photos, and social security or other identification numbers. Sometimes it also includes less obvious data points such as computer IP addresses, geolocation information, genetic identifiers, and voice prints. With the ever-expanding proliferation of privacy laws around the world, all aimed at protecting an individual’s ability to control the use and spread of their personal information, companies must perform an analysis of the information they collect and their privacy practices to ensure that they comply with these privacy laws.
Depending on a company’s business footprint and data collection activities, it may be subject to several privacy laws, among them U.S. state and federal laws such as the recently effective California Consumer Privacy Act of 2018 (CCPA) and Nevada’s Amended Online Privacy Law (SB 220). If a company’s business targets include European residents, it may also be subject to the EU’s General Data Protection Regulation (GDPR) and the mirrored laws in the post-Brexit UK. Each of these laws comes with its own set of complex requirements around the collection and use of personal data, a company’s ability to share it with others, restrictions on transfers across international borders, and obligations arising from data breaches. While a privacy policy that informs your customers, employees, and vendors of the information you collect and the steps you take to protect it is a good start, compliance with these global privacy laws comes from ongoing, company-wide projects designed to strategically protect and limit use of personal information. As new laws are proposed, advance planning is important to enable companies to further adapt their privacy practices to comply with additional or divergent requirements.
Protorae Law’s Data Privacy Practice is a proactive, holistic, strategic counseling practice focused on guiding clients through the review of their corporate activities, data flow, and systems, and modification of their practices to support compliance with the relevant laws. We work collaboratively with clients to deeply understand the information collected, where it lives within the company, how it is used, and with whom it is shared. We then help companies develop the internal policies, practices, and compliance programs necessary to come into compliance with privacy laws that affect their business. We also help clients develop the contracts needed to ensure that their relationships with vendors and service providers meet the compliance obligations of the applicable privacy laws, including through data transfer agreements, data processing addenda, and amendments to master relationship agreements to ensure appropriate handling of personal information. Through it all, we focus on creative and cost-effective solutions that match our clients’ goals, risk tolerance, and budgets.