Seven Key Takeaways from Seminar on Privacy and Emerging Technologies

On November 13, 2019, Ropes & Gray and the Association of Corporate Counsel (ACC) co-hosted an interactive seminar on privacy, cybersecurity, and emerging technologies in a rapidly evolving legal landscape.

The seminar, which took place at Ropes & Gray’s Boston office, brought together over 100 legal executives and business leaders from technology and life sciences companies in the Boston area.  Privacy and cybersecurity partner Ed McNicholas and intellectual property partner Regina Penti led the discussions, with support from associate Fran Faircloth. Topics included the newly-enacted California Consumer Privacy Act (CCPA), best practices for managing shifting domestic and international data protection regulations, and frameworks for harnessing the power of emerging technologies while managing their risks.

The seminar concluded with a fireside conversation with Brian Elworthy, General Counsel of Toast, the multibillion-dollar unicorn leading the cloud-based restaurant technology industry. Among other topics, Mr. Elworthy described Toast’s compliance-by-design approach to privacy and new technologies. He emphasized, in particular, how and why in-house legal departments must build a culture of compliance by obtaining business buy-in from the top.

We present below seven key takeaways from the event:

1. Expect some shades of gray: The explosion of emerging technologies presents legal gray areas where existing laws haven’t kept pace with new technologies. The ability to effectively navigate these gray areas is crucial to realizing a company’s strategic objectives.
2. Friend a framework from the start: An internalized, systematic approach is key to successful and compliant deployment of new technologies. Consider developing a framework for assessing risks associated with data and emerging technologies, along with solutions for addressing them. As one participant noted, the framework need not deviate substantially from other frameworks adopted for addressing compliance risks. Start with the “whats” (what are our goals, what are the risks) and move on to the “hows” (how do we achieve our goals, how can we mitigate the risks). Educate and train stakeholders on the solutions you identify.
3. Try on compliance-by-design: The rapidly evolving privacy and data protection landscape requires nimble data architectures, IT systems, and internal processes that are compliant-by-design. Evolving from a reactive to a proactive compliance culture requires buy-in from the business, but may avoid pitfalls that will be more difficult to mitigate at later stages.
4. Proactively engage regulators…sometimes: In-house lawyers may be uniquely positioned to educate regulators on technological advancements relevant to their industry or company, and should consider when it makes sense to do so. However, even within the same company, appetite and approach for proactively engaging regulators may vary. The approach must match the company’s risk appetite and be tailored to specific regulators and the prevailing regulatory climate. 
5. Know your data…and where your data lives: The CCPA requires companies to know a great deal about the customer data they retain. A data map makes it easier, not just for the company to comply with the CCPA, but for the business to effectively extract value from that retained data. This is an area where business and legal objectives may be aligned, and this common ground should be leveraged to build trust and cooperation to further other compliance goals.
6. Document the reasonableness of security practices: A culture of documentation may go beyond helping in-house counsel communicate with, educate, and obtain buy-in from stakeholders.  Under the CCPA, it may also reduce the company’s liability in the event of a data security incident. Follow international security standards to help build a demonstrable record of “reasonable” information security.
7. CCPA for all? Companies should seriously consider whether to apply the CCPA standard to their entire customer basis, rather than limiting it to those covered by the law. The question encompasses not just the cost and complexity of compliance, but also issues of customer trust.