Is Privacy Compliance a Walk on the Beach? 


Several months ago, I wrote that privacy compliance is like riding a bicycle. But now, after sheltering in place due to the Covid-19 pandemic, I thought back to the few weeks I spent last winter on beautiful Siesta Key in Sarasota, Florida, and started thinking that maybe privacy compliance can be a walk on the beach. Even if you can’t get to your favorite beach vacation now, take a walk with me for a few minutes, and imagine.

Enjoy the constant changes, but watch out for the waves that might knock you over!

Every day in Florida, I would set out for my morning walk on the beach. I would often add a mid-day or late afternoon walk with my husband. Until recently, before we all began staying close to home, you might have thought that I would be bored walking up and down the same 5-mile or so stretch of sand, day in and day out. But each walk was different. Not only did the time of day, the light and the tides vary, but the coast itself changed. Sometimes there were numerous seashells; other times there was a bit of seaweed. Some days the beach was flat; other days there were raised piles of sand that looked like speed bumps.

With privacy compliance, one never knows what one will find. Confidential data may be lurking in unsuspected places. And just when you are sure that you know the rules, they change. For example:

  • Can we take employees’ temperatures before allowing them to enter the office? How do we use and protect that information? What are the privacy implications of contact tracing?

  • How can we comply with the California Consumer Privacy Act (CCPA) when the Attorney General has not finalized the regulations?

  • Which other states are adopting new requirements? Will there be federal privacy legislation?

  • What steps are necessary for international privacy compliance now that the United Kingdom has left the European Union?

  • What is the long-term impact of the temporary regulatory positions regarding telehealth during the pandemic? What is the impact of a court decision striking down regulatory guidance on medical record copying fees?

Companies need to constantly review how they are collecting, processing, transmitting and storing data, watch for legal updates and rely on trusted advisors to keep up. Just like at the beach, one needs to go with the ebb and flow of the tides and watch out for those waves, especially if a storm is on the horizon.

One-size-fits-all does not apply.


Many people visit a beach because they like to walk. On my daily walks, I saw runners, baby strollers, bicycles, elderly folks with canes, walkers or wheelchairs, all moving at different paces up and down the 7-mile long expanse of sand. Everyone had their own choice of attire, team t-shirts and hats, and political views. And, in fact, others had no interest in walking, preferring to toss a ball, build a sandcastle, read, or relax with friends. And yet, we all had one common goal, to enjoy the beautiful view. Each of us had to figure out how best to enjoy our day and stay out of each other’s way.

With privacy compliance, attention should be focused on the type of company (public or private; large or small), its industry, applicable regulations, the type of data collected and the uses for the data. Company culture also plays an important role in determining the best strategies to protect information, and in educating staff and communicating with customers. Companies must consider numerous issues including:

  • Should we train employees in person or online?

  • Should we conduct phishing simulations now with so many employees working from home?

  • Should we allow employees to use their own devices or will we issue company equipment?

  • Will we apply California Consumer Privacy Act rights across the board or limit them to California residents?

The possibilities are almost as numerous as the grains of sand on the beach. (Not quite.) For example, while it may be tempting to use an off-the-shelf solution to address privacy compliance and training, in my view, such training should be supplemented with education about company policies and expectations. Not only do different requirements apply based on jurisdiction and industry, but businesses are living, breathing entities with individual needs. And, employees are much more likely to pay attention to training that is relevant and tailored to their responsibilities.

Sometimes weather interferes, hackers attack, and people get careless.

As we all know, things happen. Not every beach day is picture perfect. The fog may roll in or the winds may kick up, and of course there is always the threat of rain.


There are many interesting species on the beach, including human beach-goers. It’s almost as if all thoughts of privacy are blown away in the wind as soon as one steps on the sand. People dress as if they are home in their bedrooms, blast radios, and don’t care who may hear their conversations. One day, I saw a group of overturned beach chairs that had not been returned to their proper location and wondered whether their users had considered that the chairs might be washed out to sea.

In addition, I saw a wide variety of birds (pelicans, blue herons, snowy egrets, laughing gulls, royal terns, osprey, sandhill cranes, white ibis, wood storks, plovers and others) and seashells (whelks, cockles, conch, angel wings, sand dollars, scallops, cat’s eyes, etc.). I even spotted a hacker-like pelican swoop in and take food away from a small gull. I guess the pelican had figured out a new way to go phishing!


While societal norms help to keep things in check, to some degree, sometimes rules are necessary as well. On a beach, one might see the occasional sign and hear a lifeguard’s whistle. In the corporate world, establishing a privacy-focused culture sets the expectations for good behavior. Policies and procedures describe the rules and provide consequences for negligent or willful acts. As at the beach, it is risky to stick your head in the sand and wait for the storms to come ashore. A privacy professional can help you avoid the waves and cut through the regulatory fog.

So, is privacy compliance a walk on the beach?

Alas, like all trips to the beach, there comes a time when one must pack up and go home. Unfortunately, I have come to realize that privacy compliance is not actually a walk on the beach. It is a bit more complicated, and oftentimes technical. And unlike a walk on the beach, privacy compliance is necessary and is a part of good corporate governance regardless of the weather or current events. But wasn’t it fun to think about!

I would be happy to help with your privacy compliance needs. And, just like jumping into the water, it may not be as hard as you feared.