CCPA Priorities: Turning Legislation Prep Into a Program Shift

The California Consumer Privacy Act is bringing sweeping change. This anticipated shift to the U.S. privacy landscape is just the beginning, with other states following California’s lead, including Nevada, which enacted new privacy legislation just last week. While many affected companies approached the E.U.’s General Data Protection Regulation as a compliance project, they have now learned this growing trend requires a broader program shift. In this first installment of a two-part article series, we explore recommended privacy program goals in light of the CCPA, how to make the case for a holistic approach to implementation and why detailed compliance work should be ongoing. Part two will focus on how companies should prepare for two areas of the CCPA requirements – vendor management and data subject rights requests – which experts agree need to happen no matter what amendments to the law may pass. See also our two-part series on preparing for the CCPA: “Securing Buy-In and Setting the Scope” (Feb. 27, 2019); and “Best Practices and Understanding Enforcement” (Mar. 6, 2019).

Irish Data Protection Commissioner Helen Dixon on Breach Notification, the Role of the DPO and a U.S. Privacy Law

“GDPR enforcement is coming,” Ireland’s Data Protection Commissioner Helen Dixon told the Cybersecurity Law Report, and “companies should not be complacent” just because there have not been large actions yet. We spoke with Dixon about the potential for private rights of action, her experiences so far with breach notification, her examination of the role of the DPO and her advice for the U.S. Congress as it considers implementing a federal privacy law. A previous article featured her insight on the timeline of investigations, her enforcement approach, lessons she has learned and why the €50‑million fine against Google was levied in France and not Ireland, as well as insight from U.K. and Austrian regulators who spoke at the recent IAPP conference on the roles of their agencies. See our three-part series analyzing early GDPR enforcement: “Portugal and Germany” (Jan. 23, 2019); “U.K. and Austria” (Jan. 30, 2019); and “France” (Feb. 6, 2019).

FINRA RegTech Conference Reviews AI, RegTech Adoption and Compliance Challenges (Part Two of Two)

Regulatory technology (RegTech) can help financial services firms comply with legal requirements by, among other things, automating processes and digitizing records. Although RegTech can reduce costs and increase efficiency, it does not come without challenges, such as properly training systems with appropriate data. FINRA recently analyzed these and other issues in a conference focused on RegTech that featured regulators, financial services firms and subject matter experts. This two-part series covers the second half of that conference. This second article examines the benefits and challenges of artificial intelligence; approaches to the adoption of RegTech; and associated compliance challenges. The first article discussed the portions of the conference that focused on digital identification, suspicious activity reporting and machine learning. For coverage of the first half of the conference, see our two-part series on understanding regulatory technology: “Tools, Challenges and Regulators’ Views” (May 1, 2019); and “Current Uses and Deployment Considerations” (May 8, 2019).

Twitter Adds Senior Data Protection Counsel

Saira Nayak, a former corporate privacy counsel for Amazon, has joined Twitter as senior data protection counsel. For more coverage of Twitter, see “Takeaways From 2018 COPPA Developments and a Forward-Thinking Approach to Compliance” (Mar. 18, 2019).

OCC Welcomes Vice President, Deputy for Information Governance and Data Privacy

Christina Ayiotis has joined the Options Clearing Corporation in Chicago as vice president, deputy for information governance and data privacy.