Priorities and Practical Compromises for Businesses Today
Privacy Plus+
Privacy, Technology and Perspective
Priorities and Practical Compromises. This week, we’re thinking about priorities and practical compromises among all the divides and demands that businesses face today.
The “Great Divides.” We see four (4) “great divides” in the privacy/technology world today (although there are many more, if you look at any one of them closely).
- Among Businesses – Powerfully branded, consumer-facing businesses are very different from B2B businesses. National or trans-national businesses are very different from local or regional ones.
- Among States – Privacy views appear to be coalescing along a dismayingly blue-red divide. California has its CCPA (with multiple regulations) and soon its CPRA, New York its DFS regulations, and NV, MA, CO, and soon other states their own privacy statutes; Illinois leads the way in biometric controls. Contrast these with our native Texas, whose cautious response to the CCPA was to commission a two-year study on what the Lone Star State should do. (According to the Dallas Morning News, the commission never actually met -- virtually or otherwise -- and produced a 14-page paper which DMN scathingly likened to a high-school paper written the night before it was due.)
- Among Western countries -- Compare the unitary GDPR to the polymorphic USA model and the varieties elsewhere.
- Between East and West -- Seen broadly, the West is struggling with the Identity of the Person in the Digital Age. China is racing 24/7/365 to deploy gigantic databases – including comprehensive information about every person in China – in order to fully empower Artificial Intelligence (AI).
The “Great Demands.” Privacy complexities have come thick and fast in the last few years, each forcing huge change (viz. GDPR, CCPA, other state statutes, BIPA, CCPA regulations, Schrems II and its new SCCs and “supplemental measures,” CPRA…). All have come amidst (i) a dim (if any) understanding among US business of the difference between privacy and cybersecurity, and (ii) no national consensus on the meaning of privacy, how to approach it, who should control, or even what as a country we’re trying to do.
Yet these privacy complexities seek increasingly detailed, often expensive, usually disruptive attention from businesses whose budgets and bandwidth are already under severe stress:
- Unsustainably high unemployment;
- Whole B2C industries ruined by COVID (travel, hospitality, restaurants, entertainment);
- Second-order effects on whole other industries (commercial real estate, retail);
- Rising costs in the face of pressure not even to think about raising prices;
- Increasing technical complexity/costs;
- Industry consolidation toward the biggest providers, affecting competition itself;
- Personnel challenges, as people have their own problems to worry about;
- Counter-productive advice: businesses are increasingly advised to cut personnel costs (headcount, benefits), rattling everyone, at a time when they need their people’s dedication and loyalty more than ever; and
- Automation and AI are poised for severe disruption.
What to Do: Prioritize and Compromise. Privacy isn’t the only issue screaming for attention. In the annual fight for budget and bandwidth -- each of which will stretch only so far -- it is hard to break through when literally everything seems important, and especially hard to counter the devastating response, “But if we don’t do [X] we’ll be out of business, and then none of what you’re saying will matter.”
This is where coherent priorities and practical compromises are required.
So here is what we suggest (in order):
1. Articulate who you are as a company, and who you want to be. Just as the first step in privacy analysis is knowing what data you have and where it is, the first step in developing priorities is articulating who you are now, and who you want to be several years from now. Where are you, along the Great Divides? Who do you want to be, in say 2025? Do you now (or do you expect to grow and) cross over one or more of the Divides, and become subject to increased privacy focus? (Remember not to discount this by saying “we’ll get acquired and it will all be the buyer’s issue,” because the quality of your privacy focus will be a major factor in your company’s price.) Remember that the board’s role is to ensure that management has appropriately elevated privacy and cybersecurity within the organization. And you can click on the following link to see what certain boards are specifically required to do:
https://www.hoschmorris.com/privacy-plus-news/occ-requires-board-oversight-of-cyber-risk
But your company’s future certainly is tied to its digital assets, along with cyberthreats it faces. And propitiously opening that future requires the implementation of a governance framework and operational solutions aimed at addressing the particular risks your company faces in its industry sector(s).
2. Identify and address your biggest issues, now. These include:
a. your largest, current threats and vulnerabilities (almost always cybersecurity, plus whatever your current regulatory and liability landscape requires, acknowledging that it is constantly evolving and can be subject to significant change); and
b. the promises/commitments you have made/are making (to your customers, vendors, and employees).
Those will inform your priorities. And when you identify them, you’ll probably find that many specifics overlap with things your business is already doing (or should be doing for other reasons), and hence you won’t need as much of the business’ limited bandwidth and budget as the decisionmakers fear. (In budget discussions, it may be helpful to know -- and be able to explain in one sentence -- the difference between “privacy” and “cybersecurity.”)
3. Start preparing strategically for where your company is going. Like start-ups dreaming of an IPO who spend extra for audited financial statements years before they “need” them, look ahead at where you want to be. For instance, compare your company’s present data uses to your present privacy notice to make sure they align. Repeat this process every six months, or anytime your company develops a new data use or changes its collection practices. As in #2 above, think now about the privacy and cybersecurity steps your company’s strategic plans will require it to take in the reasonably near future, and how best to start in those directions now with the bandwidth and budget you have or can get.
Not everything can be done at once. The good news is that with a little reflection, and a good look at the big picture, it doesn’t all have to be.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.