Guest post: Every legal professional needs to know about privacy law compliance – Here’s where to start

Michael Whitbread, senior legal counsel for the Vesparum Group and Draftable, shares why all legal professionals should stay across developments in privacy law. He offers practical action points to help organisations stay compliant and avoid breaches, penalties, and reputational damage.

Privacy law compliance is fast becoming one of those key areas where every legal professional will need at least some knowledge. Virtually every area of law involves the processing of identifying information and all organisations have a role to play in protecting this information. In some jurisdictions, lawyers’ professional bodies already require mandatory data privacy law training each year.

It’s not a moment too soon, as cybercriminals worldwide are becoming increasingly sophisticated in their attacks on data. They constantly probe countries and organisations for new weak spots and are only too happy to exploit them for illicit gain.

In 2023, we saw reports that the UK’s postal service, the Royal Mail, was unable to send international parcels from its 11,500 branches for weeks after a ransomware attack, and that it refused to pay the attackers’ reported demand of £67 million. The UK Electoral Commission was reported to have been the victim of a cyber-attack that went undetected for over a year and exposed the data of 40 million voters. In the US, China-based hackers reportedly stole tens of thousands of emails from the State and Commerce departments, and the City of Oakland, California, was reported to have declared a state of emergency after hackers stole personal data in a ransomware attack.

While organisations may, from their perspective, be ‘victims’ of data breaches, they have a stewardship role over data in their custody, so are legally responsible for taking appropriate protective measures. Any company with exposure to laws like the General Data Protection Regulation (GDPR) faces potential maximum fines for breaches at levels high enough to end a business altogether.

To comply with privacy laws, all organisations need a complete overview of the data they hold. They should ask themselves: why are they holding the data? Who has rights over the data, and can they honour those rights? How would they handle a breach? Who is their lead supervisory authority (information commissioner), and what does it expect of them?

Financial damage: The immediate impact of privacy breaches

Organisations that fail to ask themselves these questions and act on the answers expose themselves to penalties whose maximums are severe.

In the EU (and anywhere the GDPR applies on an extra-territorial basis) the maximum penalty for a contravention is the higher of €20 million or 4% of global annual turnover; the UK GDPR mirrors this with a £17.5 million figure. Luxembourg’s data protection authority, the CNPD, used the GDPR to fine Amazon €746 million in 2021. Smaller organisations and law firms are also in the proverbial firing line: the UK Information Commissioner’s Office fined Tuckers Solicitors £98,000 for GDPR breaches in 2022.

Even the ‘light-touch’ US framework can be punitive: the Federal Trade Commission levied a US$5 billion fine against Facebook in 2019. In a perhaps more ‘relatable’ example for smaller organisations, the New York City-based law firm Heidell, Pittoni, Murphy & Bach was fined US$200,000 by New York’s attorney general for inadequate information security measures.

In Australia, a new penalty regime under the Australian Privacy Act was enacted in 2022. The maximum penalty for serious and repeated breaches of privacy for a corporation is now the greater of three times the value of the benefit of the misconduct, A$50 million or 30% of turnover for the period of the contravention. Individuals and non-corporate entities face maximum fines of A$2.5 million. We should expect that this new penalty regime can and will be used.

Beyond regulatory fines, individuals are also bringing private claims: data breach class actions in the US, and claims under the tort of ‘misuse of private information’ in the UK.

Reputational losses: The longer-lasting impact of privacy breaches

While the direct costs are painful (fines, legal fees, lost management time, and opportunities forgone because of the time and money spent on the matter), the deeper loss is arguably that of reputation.

It can take years to restore a reputation once an organisation has been tarnished as less than trustworthy with personal data. A study of 45 companies between 2002 and 2018, published in the Journal of Cybersecurity, found that the ‘largest and most salient’ breaches led to a 5-9% decrease in brand power and familiarity.

We can all think of household names that are associated with poor information practices and have suffered loss of trust from their stakeholders, including major telecommunications and health insurance providers, technology companies, and social media platforms. Some companies never recover, like KNP Logistics Group, once one of the largest privately owned logistics firms in the UK, which went into administration in September 2023 after a ransomware attack.

Framed economically, privacy enforcement actions make it more expensive to supply products and services, and the reputational damage that follows reduces demand. These facts alone should be enough to convince a Board that investment in privacy risk management is worthwhile.

Where to go to learn about privacy law compliance

Now is the time for legal professionals to gain skills and confidence in this increasingly pervasive area. Navigating the vast expanse of privacy law resources can feel daunting, but several platforms stand out for their utility.

Supervisory authorities such as the UK Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) provide foundational materials and insights into enforcement priorities, while free legal digest services like ‘Lexology’ offer a broad spectrum of legal analysis from various law firms. Newsletters from industry-leading privacy experts and specialised publications contain invaluable perspectives, blending legal theory with practical advice. Good examples include the privacy and AI law newsletters by Luiza Jarovsky and Daniel Solove.

For those seeking comprehensive regulatory updates, resources like ‘OneTrust Data Guidance’ and law firm newsletters are useful for staying abreast of the latest developments. Privacy law podcasts such as the ‘Privacy Advisor’ and professional communities including TechGC and the Association of Corporate Counsel offer platforms for continuous learning and networking.

Developing a strategy for privacy law compliance

Using these resources, we can build our privacy law ‘muscle memory’. The next step is to develop a strategy for compliance based on best practices.

At a minimum, this will involve achieving buy-in and some resources to undertake basic measures, including reviewing template legal documents, undertaking a data inventory, designing a process for dealing with data subjects’ rights requests, creating a breaches register, and delivering training.

For more complex data processing, organisations will need more elaborate and sophisticated approaches, including the establishment of an official data governance committee with Board reporting responsibilities, a documented data governance framework, regular audits, and mandatory training with examinations.

With organisations facing increasing scrutiny over privacy law compliance, the moment presents an opportunity for legal professionals to expand skills and knowledge in a vital developing area.

Michael Whitbread is a US/England and Wales/Australia-licensed privacy and employment lawyer who is experienced advising in a wide range of industries and regions. He is also the senior legal counsel for Vesparum Group, which includes Draftable Legal, a document comparison solution built for lawyers.