This series for The Privacy Advisor by the team at Sentinel, a privacy consultancy and the company behind the privacy program management technology Ethos, examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this third article, we look at privacy through the lens of contractual obligations and show how a culture of privacy will enable organizations to more easily meet those obligations. Find the first two articles in the series here.
Beyond the parties
There are always at least two parties to any data processing contract, and, as privacy professionals, our aim should be to make the contracting process meet the strategic needs of all interested parties: the signatories, increasingly the downstream processors, and the data subjects themselves. Where contracts deal with personal information (PI), it is important to consider the data subject’s perspective. Increased transparency requirements under laws such as the EU General Data Protection Regulation and the California Consumer Privacy Act give individuals more visibility than ever before into how their data is being shared with multiple companies and for what purposes. Ignoring the expectations of consumers is increasingly likely to result in issues long after contracts have been negotiated and filed away.
Acknowledging that the terms “controller” and “processor” are expressed differently depending on jurisdiction, we will use them to identify these key participants more broadly. Controllers have a direct relationship and responsibility to the individuals whose data they have gathered. Part of that responsibility is carefully evaluating and selecting partners (i.e., processors) to support their data processing activities. From a controller’s perspective, the goal of onboarding a processor is to deliver a business outcome while managing risk. Contracts are an important vehicle to achieve this, but the contracting process itself can often be lengthy and risk mitigation can sometimes take a back seat to more tactical considerations.
While processors in most cases do not owe the same responsibilities to the individuals whose data they process, they have a lot of skin in the game, too. A cloud service provider, for example, is often a much larger entity than most of its customers and is party to many more data processing contracts. Processors need to be able to tell a privacy story that will meet the majority of their current and potential customers’ contractual asks, whether these are based on regulations or on common controls that broadly cover “reasonable” security or privacy concerns. Optimizing this engagement process can make a big difference in the "cost of compliance."
With these driving factors in mind, let's turn to the contracting process itself.
Boilerplate battles miss the point
Many privacy professionals, especially those with privacy programs in the early phases of maturity, focus their contractual review almost exclusively on regulatory and indemnification requirements. “Gotcha! The data protection addendum is missing XYZ requirement. We can’t proceed without it.” However, this adversarial approach misses the greater opportunity to discuss primary business drivers while evangelizing the benefits of privacy practices for both parties.
Critical business objectives, such as maintaining a transparent and responsive data processing relationship or the ability to demonstrate strict customer data segregation, are commonly more important to the parties than standard compliance terms, particularly for businesses operating as data processors for other entities. Focusing on each party’s strategic business objectives instead of “must-have” boilerplate provisions provides an opportunity to strengthen the partnership and build resiliency to address the shifting privacy landscape. How then do you promote good privacy measures while recognizing critical business objectives? By turning the emphasis from compliance to building a culture of privacy.
Shift your focus for a new perspective on privacy
To demonstrate this point, assume for a moment that holding a data subject’s PI is a privilege and a position of trust. With this perspective, the responsibility to ensure transparent and secure processing is self-evident.
For the legally inclined, consider the analogy of a bailment. A bailment is the act of placing property in the custody and control of another, in which the holder (bailee) is responsible for the safekeeping of the property. A common example of bailment is checking out a library book. In bailment law, when property is given to the bailee for the sole benefit of the bailee (i.e., the owner of the property receives no benefit from the bailee’s use of their property), the law imposes a duty of extraordinary care to keep the property safe and return it to its owner. Because checking out a library book is a bailment for the sole benefit of the reader, if the reader fails to return the book or damages it, the obligation to pay is clear.
Using this framework in the data processing context, if there is no clear benefit to the data subject, a data controller and, by extension, their subsequent processors, must handle the PI with extraordinary care and, depending on jurisdiction, may even be subject to liability without any showing of actual fault.
Whether or not you agree with the fiduciary or bailment model of the data custodian, it is clear that legislators and regulators are considering aspects of this framework. Concepts such as a data subject's ownership of their PI, and requirements that companies publicly declare how they value consumer data, set the stage for legislative adoption of high levels of care in processing. Given evolving privacy standards, taking a data custodian viewpoint when forming and carrying on data processing relationships future-proofs your data processing agreements by doing the right things, not merely meeting the minimum legal standard.
Business resiliency from a partnership approach to privacy
One essential step is to align your internal stakeholders on privacy. You will be hard-pressed to sustain collaborative privacy partnerships if key stakeholders within your own organization do not share a common vision for how PI should be processed and managed. Address divergent viewpoints by creating opportunities within your organization to align privacy measures with stated business values.
If you don’t already have one, solicit leadership to charter a privacy working group of internal stakeholders including privacy, legal, compliance, vendor risk management, information services and key business units. This working group should be tasked with reviewing and making recommendations to leadership on organizational privacy issues. An inclusive and empowered working group promotes privacy competence, avoids the common pitfalls of siloed business operations, and aligns both data processing and external communications. This can help to avoid common challenges, such as enthusiastic salespeople trying to meet their quota before quarter end by agreeing to any data protection requirements, even if they are significantly out of line with an organization’s posture.
With a unified organizational position on privacy, partner agreements can be more open and collaborative. Coming to the table truly informed on your organization’s priorities and practices dramatically increases the effectiveness of contracts and makes it far more likely that the terms will be honored once in place. Instead of competing for the most favorable terms, or sometimes even fighting to secure terms necessary to keep your own organization in line, the contracting process presents an opportunity to discuss each party’s business objectives and dependencies and to build partner trust. This shift in focus away from “winning” allows for more consideration of data subject rights and of how the parties can best cooperate in a dynamic regulatory and consumer sentiment environment.
Culture of privacy for the win-win-win
The benefits of promoting a culture of privacy within your organization are manifold. One is the bandwidth recovered to consider both partner and customer needs when drafting data processing agreements. This shift in focus provides greater organizational benefits than defensive contracting and promotes relationship trust and resiliency in the face of changing business pressures and evolving regulatory burdens. Additionally, building a foundation of common understanding and reliable performance makes subsequent amendments or renegotiations that much easier. This privacy win-win-win approach to contracting is an essential part of establishing a culture of privacy within your organization.