Avishai Ostrin, Head of Privacy and Data Protection at Asserson Law Offices, discussed key considerations when curating a data protection program for a company, alongside Osher Partok-Reinisch, Compliance Counsel at Amdocs, and Dalit Ben-Israel, Partner, Chair of IT and Data Protection Practice at Naschitz Brandes Amir & Co. The online conference was hosted by OneTrust, one of the biggest players in the Privacy-Tech space.
Data protection, privacy, compliance. These concepts have increasingly redesigned the daily operations of businesses around the world following the implementation of the EU’s GDPR laws. The gravitas of the regulation, having just celebrated its second birthday, has been far reaching: dubbed the “Brussels effect”, GDPR has since determined a new, baseline standard for information security around the globe. However, with exceptions and variations to privacy laws across different jurisdictions, executing an effective privacy program in an organisation can be a daunting task. The panel covered a range of topics, including general advice to privacy practitioners and tips on getting buy-in from the C-suite for a privacy overhaul.
The panel focused on major milestones in building a data protection program. Ostrin emphasized the importance of creating a “data map”, an onerous, yet extremely vital inventory-taking task which helps privacy experts to understand what data the company possesses, it’s origin and with whom it is shared. Data mapping can then help create procedures and processes to integrate privacy into the organisation’s DNA, by ensuring that every function and person in the company touches on privacy in one way or another. From a regulatory perspective, the paper trail which data mapping creates can act as collateral, should the company’s compliance efforts be questioned in the future.
Partok-Reinisch added that data maps help identify a company’s cross-border data-transfers, where multi-jurisdictional issues will need to be carefully considered. Once a company has identified areas where regulations are parallel, privacy programs can be more easily tailored and administered to meet the needs of various compliance issues. Building on this, Ben-Israel discussed the key differences between Israeli and EU privacy regulation. Despite a 70-80% overlap between the two jurisdictions, a key difference in Israeli compliance is the registration of legal database with authorities. Cross-border data restrictions in Israel are also surprisingly outdated, unadapt to the data flows and cloud computing of today. This often poses significant difficulties for Israeli businesses who try to contract with US vendors in particular. Ostrin predicted that the issue of data monetisation, and the disparate approach that the US is likely to take to that of the EU, will cause clashes in regulation. Business owners should seek legal advice on this issue.
For Ben-Israel, successfully managing vendor agreements is a key step in a privacy programme. She explained that many vendors have the bargaining power when it comes to signing new data protection agreements, since they are crucial to the business. Terminating a contract with a vendor and replacing them with a new one because of a refusal to sign a data protection agreement can be daunting, and those who successfully navigate this situation will have taken a giant leap forward in their data protection program. This is especially the case in Israel, where the most commonly raised red flags in every sector by The Privacy Protection Authority have involved vendor management.
Building an effective data protection program for a company is an arduous, yet extremely worthwhile task. Information security is becoming an increasingly hot topic: 63 out of the 271 GDPR fines issued since it’s naissance were for inadequate security measures, representing €332 million in fines. With laws set to continuously evolve in this growing field, privacy professionals will have to periodically re-evaluate their programmes to ensure the highest standard of compliance.
Article written by: Syvanne Aloni