July 4, 2022

Volume XII, Number 185

Advertisement
Advertisement

Navigating Domestic and Cross Border Data Privacy Risks, with Lucy Tyson and Brittney Justice [PODCAST]

On this episode of Bracewell Sidebar, Lucy Porter and Brittney Justice join hosts Seth DuCharme and Matthew Nielsen to talk about data privacy.

Lucy advises clients in a variety of matters related to the structuring and negotiating of services agreements for business process and information technology outsourcing and managed services. Lucy works with clients to develop and implement data privacy solutions that are compliant with global regulations. She has experience working across organizations, including compliance, HR, security, IT and legal. Lucy also has experience in advising clients with the protection, maintenance, licensing and transfer of intellectual property assets, as well as in the prosecution and management of trademark portfolios.

Brittney helps represents clients on cybersecurity and data privacy matters, including privacy litigation, compliance with state and global data privacy laws, and drafting privacy policies and contracts. She also advises on all aspects of data breach incident investigation and response, including directing privileged forensic investigations, coordinating and supporting internal incident response teams, engaging with law enforcement authorities and other federal agencies, and advising senior management on response and risk mitigation strategies.

What is data privacy?

When we say data privacy, we are of course talking about data privacy laws — the set of laws and regulations governing the collection and use of your personal information and the rights that you as an individual may have with respect to that information. They can be generally applicable, which we typically refer to as comprehensive data loss, or they can be specific to an industry. They can vary. They can be broad. They can include consumer data or employee data, or they can be narrow and include just consumers.

Everybody wants their data, their personal information to be private but, from a legal aspect, why does all this matter?

For companies, this matters because of the growing financial and legal risks associated with poor data privacy practices within companies. Threats are growing increasingly sophisticated and pervasive, especially in the world we're living in now and consumers and regulators are calling for more aggressive action from our regulators and from courts as well. We're seeing that being unprepared comes with a hefty price tag. The way companies handle data privacy and their cybersecurity internally can really become a point of differentiation. Even a source of competitive business advantage if they do this stuff right.

If a corporation is thinking about both cybersecurity and data privacy, does this need to be a Venn diagram? Or can you look at those two issues in isolation?

A component of every data privacy law is going to be your cybersecurity profile. What are you doing to protect your data? Almost every data privacy law hedges. They just say using standard best practices, essentially technical and organizational measures. In the event you have a PII breach, the first thing they’re going to look at is, were you protecting the data? So, protecting all of your data should be the goal.

What is GDPR? How is it different from what we have in the United States?

The GDPR, or the General Data Protection Regulation, is the EU’s comprehensive data privacy law. It became effective in 2018. It regulates everyone doing business in the EU. It is not industry or jurisdiction specific. It covers everybody — employees, consumers, business to business relationships. It has special provisions for minors, and most importantly it allows for individual member states to make narrower restrictions and to form their own opinions about the activities of either folks in their jurisdictions or the interpretation of the provisions. Why it’s really important is because of its extraterritorial applicability. That is why it’s driving international privacy. Even if you don’t have an office in the EU, you may be subject to the GDPR if you are marketing to selling to residents in the EU.

What should companies be doing from a basic standpoint of starting to build a compliance program?

The first step is you need a multidisciplinary team. You need your legal and your compliance folks involved. You need to have HR involved. You need IT. You’ve got to have your IT stakeholders involved and thirdly your marketing. A lot of marketing campaigns are going to use personal data because email addresses are going to be personal data. Once you’ve got your multidisciplinary team engaged, then you can more easily implement a concept called privacy by design, which is going to approach new products, new services, new activities, by looking at it from a privacy perspective and that should, if you're doing that from the very beginning, help you to consider data mapping, consider updates to your privacy policy, things like that.

 

© 2022 Bracewell LLPNational Law Review, Volume XII, Number 97
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Matthew G. Nielsen energy and finance lawyer Bracewell
Partner

Matthew Nielsen has over 17 years of experience defending corporations, corporate executives and employees, and securities industry professionals in civil and criminal investigations, as well as securities investigations and litigation. He represents US and international clients on matters related to federal and state securities laws, US export controls and sanctions laws and regulations, Foreign Corrupt Practices Act, whistleblower complaints, accounting fraud and healthcare fraud.

He regularly practices before state and federal regulatory and law enforcement...

214 758 1039
Seth DuCharme Insurance Lawyer Bracewell LLP
Partner

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

212-508-6165
Lucy Porter Attorney Business Information Technology Bracewell Houston
Counsel

Lucy Porter’s practice focuses on advising clients in a variety of matters related to the structuring and negotiating of services agreements for business process and information technology outsourcing and managed services. Lucy works with clients to develop and implement data privacy solutions that are compliant with global regulations. She has experience working across organizations, including compliance, HR, security, IT, and legal, to ensure that data privacy solutions are tailored to the client’s needs. Lucy also has experience in advising clients with the protection...

713-221-3328
Brittney Justice Litigation Attorney Bracewell
Associate

Brittney Justice represents clients across a range of industries in litigation and government enforcement and investigations in federal and state courts. She provides advice on diverse matters, including securities litigation, complex commercial disputes, environmental claims and government investigations. 

Prior to joining Bracewell, Brittney was a legal intern with Texas’ First Court of Appeals.

202.828.1744
Advertisement
Advertisement
Advertisement