In our second part of an introduction to the legality surrounding data privacy, the “Are You DataSmart” podcast discusses the need for DPOs (or not) and how the FTC is likely to respond to some of the significant changes brought on globally by the GDPR.
Data Minimization is a concept alien to many organizations. The business theory around “keep all data!” has been very popular in the last few years, and the Ward brothers introduce the natural tension between keeping data and staying compliant.
Jay: Welcome to “Are You Data Smart,” the weekly podcast that touches on data security, privacy, data strategies, and all things related to the information that you and your company have, how to protect it, and how to maximize its value. I’m Jay Ward.
Christian: And I’m Christian Ward. And, today, I think a great way to start this series is to discuss some of, really an introduction to the legality around data security. I think from the business perspective, in data, we have long held the concept of save everything, store everything, sort of, you never know when you… It’s like the worst episode of “Hoarders” out there in a lot of data rooms around the country. And so, I think there’s a lot to be learned here about how that’s going to also change overall data strategy and partnerships.
Another thing I have a question on is, you mentioned, you know, a very strong approach or almost like a policy regime around how you manage these things. And it sounds like that’s a critical component. I know one of the areas that has been discussed before is sort of DPO. Can you walk me through some of the elements of having a DPO on staff?
Jay: Sure, so the GDPR says that, in some instances, you must have what’s called a Data Protection Officer. And the Data Protection Officer is essentially the person responsible for ensuring GDPR compliance and overseeing the, so to speak, data hygiene at the company. And, interestingly enough, they are meant to, by the regulation, have a sufficient amount of freedom and independence from the Board so as to not just be a lackey, which is very interesting because this is essentially Brussels saying, “You need to have, in effect, a C-Suite individual who doesn’t really respond to you the way that any other C-Suite individual would do.” It’s revolutionary, certainly from an American perspective where our view on Board governance is, you know, we have the business judgment rule here. We say, “You do what you need to do.”
So, my view is that the DPO is one of the biggest innovations in the GDPR and what it is, is it’s a requirement for you to consider, “Do I need someone to manage our affairs in terms of data security?” And if you do, even if you’re not in one of the categories, like you know, you process sensitive information of European Citizens or you’re a public authority, you may still need to hire a DPO. And, you know, this is just the beginning of our conversation of the GDPR, but it’s come up I think, Christian, rightly, because it’s the first practical question that many businesses need to ask, whether they’re in the U.S. or in Europe.
Christian: Yeah, it’s interesting. One of the most common questions now occurring in most of the businesses and companies I work with is almost centered around the concept of, “Do you need a Chief Data Officer?” So, that was a relatively new title, not the Chief Digital Officer, not the Chief Innovation Officer, but someone that is particularly focused on monetizing data assets across an enterprise. Fascinating that CPO is almost a counterparty to that. But both executive levels, and I also would state the concept of someone that doesn’t actually, you know, report to you. They’re actually, first and foremost, there to solve adherence to the law, is just sort of a fascinating need that, we’ll see. We’ll see how many companies handle that. I want to sort of transition a little bit over, and I know we’ll cover GDPR in lots of other podcasts because it is so far-reaching. But, I want to talk a little bit about the FTC and sort of understand what the general position of the FTC in all this is, because, obviously, if companies global in their operation don’t adhere to GDPR, it’s gonna have overlap into how they are fined or how they work here. So, where does the FTC fit into this?
Jay: So, the FTC is the primary regulator of data security in the United States. You know, we don’t have a one-size-fits-all overarching privacy and data security law in this country. It’s just never been done. Interestingly enough, some of the commissioners on the FTC have been calling for it. Many, for years now, almost 20 years, the FTC has been an advocate for it, in part, no doubt, because they would be empowered to enforce it. But they…
Christian: Wait, you mean they’re pushing to have more regulations, so they can…? That’s amazing. It’ll never happen.
Jay: It’s a little agency capture joke waiting to happen. But, no, I… The FTC is responsible for enforcing data security in this country in a fascinating way. It’s not done through a law like the U.S. Privacy Law of 2015. Instead, it’s a 100-year-old statute, before there were any computers. It was the Federal Trade Commission Act, and Section Five of the Federal Trade Commission Act says that the FTC can regulate unfair or deceptive trade practices. And, in the past, what that’s meant is archetypically, false advertising or lies, you know. If you had a product that advertised to be fat-free, and it turned out it was the same as eating a pint of Haagen-Dazs, they could sue you, because it caused injury to consumers.
The FTC’s regulation of data security is in that vein in a very interesting way. They believe, and they have court cases to support this, that if companies in this country aren’t adequately protecting consumers’ data and are not taking steps to safeguard that information, and meeting sort of like a minimum threshold, that’s an unfair deceptive practice because, in essence, the FTC assumes that everybody in this country knows that their data needs to be secured, and by doing business, they assume that you will secure it, and if you don’t, you can be held liable. And it’s a revolutionary concept that’s been generally looked with favor on in the courts and people have accepted it.
You know, the other area where the FTC regulates is, it’s a little bit closer to the traditional practice, which is if you make a promise in a public statement to consumers like, “We encrypt your data, and it’s very safe,” or, “We delete your data after six weeks,” and they find out that you haven’t done those things, that you’ve basically lied to the public, they’ll come down on you very hard. And, you know, some of the consent orders that the FTC has entered into with companies that have done, you know, just that in the last few years are incredible. I mean, millions of dollars in fines, 20-year consent orders with Uber, for instance. They need to provide an audit to the FTC every year for 20 years. It’s really interesting to see how aggressive and how robust the enforcement policies have been from the FTC. So in this country… Go ahead.
Christian: Sorry, and you said that it was Section 5 or Article 5?
Jay: Yes, Section 5 of the FTC Act.
Christian: So, you know, one thing that we’ve certainly seen from a business perspective is there are a lot of people who make a lot of claims about what their data is, what it can do, what it can’t do. I think it will be interesting to see, obviously this has been used in the past much more around things like, I know like, for example, “three out of four dentists agree” on the Crest commercials. That was partially because they had to show, you know, statistical validity to that data point. I think we’re going to see a lot more of that as people use data more and more, but it really has to be balanced with everything you’re saying, which is, you know, keeping more data and using it is going to have some big ramifications, in, you know, Uber’s case, 20 years. But, it kind of brings up another question, which is, how do you see… Do you see changes coming in the U.S. regarding this? Or, you know, do you think it’s, is the framework big enough now, and is the clause elastic enough, so to speak, that they can kind of get done, what they want to get done?
Jay: Well, I think the regulatory power of agencies almost always expands in times of congressional gridlock. Agencies tend to really see that as their time to take issues into their own hands, to issue regulations and to go out, and you know, whether it’s a presidential administration cutting regulations or expanding it, a lot of times, that doesn’t really matter. It’s lip service because the real enforcement authority comes from enabling acts like the FTC Act. So, do I think there’s gonna be a comprehensive data security law in this country in the next few years? No. I don’t. You know, in 2015, we had the Cyber Security and Information Sharing Act, which was a relatively narrow, but interesting, for reasons we can discuss another time, law about information sharing among companies related to data security, and the European Union is actually pushing through an analog to it over there related to national security. But here in the States, I don’t see much appetite in either party right now for a comprehensive data regime.
Christian: Absolutely makes sense. You know, I think we’re set up for some really interesting back-and-forths between global companies and regulators, but as you pointed out, this is not merely just a, you know, large company or a global company problem or a concern. It really touches upon everyone. There is no carve-out for mid- and small-sized companies to comply with these things.
Jay: Yeah, absolutely. I think the goal is to at least be fluent enough in the various laws and regulations that are out there that you can sort of know the unknowns. And, you cannot wander into a situation where you’re putting yourself at risk by, you know, for instance, doing that data hoarding. It may seem like a good idea, and it may be okay, but if you don’t understand the concept of data minimization under the GDPR or you don’t have a counselor or adviser or lawyer or anyone who can explain that to you, you’re opening yourself up to potential risks. That’s why being data smart is really about, first and foremost, understanding the rules, understanding what’s out there, understanding what you have, so that you can make an informed choice.
Christian: Absolutely. Well, thank you, everyone, for listening to this episode of “Are You Data Smart?” and we’ll be back next week with more information diving into some data strategies, and how they also will be affected by upcoming regulations. Thank you, everyone.
Jay: Thanks again.