Key Elements of an Effective Data Privacy Compliance Program


A single data security incident can have a massive impact on an organization’s reputation and finances — which is why companies should ensure that the data they collect remains private. New regulations such as the GDPR and CCPA, as well as the cunning and gall of cyber hackers, require every company engaging in data collection to implement rules within its own organization to protect private data. This does not mean merely passing out a manual with a Data Incident Response Plan, but truly changing the corporate culture through an effective data privacy compliance program.

Rockridge® takes a step-by-step approach when helping companies curate their individual data privacy compliance programs. Here are the key elements to get started:

1. Lean In with Leadership

It’s difficult — nay, impossible — to change something as significant in a company’s culture as privacy without first gaining the approval of company leadership. While regulations and their fines for noncompliance are certainly motivating for jumping on board, many companies still hit pause when they realize the cost of compliance, which can range into the tens of thousands of dollars (training, new software, legal fees, etc.). There are enough case studies in existence at this point to easily show leadership the true value of new privacy policies and procedures, especially when compared to the financial and reputational risks at stake.

2. Pick a Protection Officer

A Data Protection Officer (DPO) is an individual who manages the privacy controls of an organization and works with officials should a breach occur. This position is required under the GDPR for companies that process certain sets of data. Smaller organizations that are not required to have a DPO may still find value in assigning an individual or team a similar set of responsibilities. This forward-thinking assignment designates a central point person or team to whom employees, vendors and customers can report suspected breaches and suspicious activities.

3. Deal with your Data

What data, exactly, does your organization collect? Where is it stored? Who has access to it? Data is not merely the information consumers provide to your organization directly, through contact forms and the like, but any other information collected, e.g., analytics, notes, etc. It’s not possible to protect data until you can pinpoint the entirety of what is collected. The DPO (or team) should create a data inventory that records what data is collected, the purpose of the collection, and whether consent was obtained to collect and use the data for the purpose listed at the time of collection.

4. Read the Regulations

Not every privacy law applies to every company. And there are more laws to deal with than the GDPR and CCPA, although those two might be the furthest reaching. If you are concerned about whether data privacy laws apply to your business, speak to a data privacy attorney who can provide advice specific to your business. You can also check out the Rockridge® privacy hub on our website.

Whether certain laws will apply to your business does not necessarily depend on where your business is located or your state of incorporation. You do not have to be in the EU or California for the GDPR or CCPA to reach you. The individuals you collect from, the size of your business, and the categories of data you collect will determine whether privacy regulations apply to you.

5. Publicize your Privacy Policy

Once you have defined what measures the various privacy laws require you to have in place, create procedures for employees and vendors to follow when collecting and handling consumer data. Procedures will vary from organization to organization, but should include the necessary steps for obtaining consent from consumers, retaining records, securely disposing of data, honoring requests for deletion, and handling other complaints and requests. These procedures should be outlined as rules for your organization to follow and further displayed to consumers through a public-facing privacy policy. Both the procedures and the policy should be clear, concise and consistent.

6. Create some Controls

Looking back at the data inventory you have created, you may need to change how your organization stores and secures data, based on the risk of a breach. Certain financial or confidential information may need to be stored locally on a secure server rather than in the cloud. Certain employees may not need access to a full data profile if it is not relevant to their job duties. Further, depending on the kind and amount of data your organization collects, you may need to invest in cyber insurance to help offset the cost of an expensive security breach.

One powerful control is to create a Data Incident Response Plan that outlines possible risks and the company’s prepared response. Such a plan would include the steps company employees and leadership should take in the event of a breach, assign responsibilities and tasks to specific individuals within the organization, and list contact information for parties that could assist with a cyber threat (PR firm, law firm, tech consultants, etc.).

7. Train your Team

Privacy is everyone’s responsibility. A company’s culture does not change unless every individual involved is trained to protect privacy. And when it comes to privacy, team training is often the most important element in securing data, because most data breaches are the result of human error.

This piece is so important, in fact, that we’ve created a whole separate article just to discuss it. You can check it out here: 3 Steps to Creating a Culture of Privacy Protection.

8. Check for Changes

Lastly, ensure that your organization engages with its community and industry to stay abreast of new developments and standard practices under privacy law. Depending on the type of data your organization handles, your DPO may need to meet with company leadership on a regular basis to discuss what’s happening in the realm of privacy and what changes the company should make in response. Further, privacy procedures and policies should be reviewed whenever new data vendors are acquired or new privacy practices are implemented. A change in data collection and usage practices without notice to consumers could result in fines.

Implementing a culture of privacy protection is the wave of the future, especially in a competitive world where data is at the core of every organization. Counsel at Rockridge® can assist your organization with establishing an effective data privacy compliance program that fits your business, to ensure that you remain ahead of the curve and out of regulators’ sights.

About Lauren Hughes

Lauren Hughes is the privacy and branding lead at Rockridge Venture Law®. Equally adept at creative campaigns and technology transactions, Lauren leads clients through copyright, privacy, regulatory, and trademark considerations in optimizing successful e-commerce portfolios. She is a leading voice among women practicing in technology and tech law. Her primary practice areas include copyright and trademark law, data privacy, sports and entertainment law, and technology transactions. Lauren also leads the Knoxville Technology Council’s Women in Tech Committee, and is a Director of the Tennessee Women’s Theater Project.

About RVL®

Rockridge Venture Law®, or RVL®, was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.

In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. RVL® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition.

Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of missional Rockridge Venture Law alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.

Please note that this guide is for informational and advertisement purposes only. The use of this guide does not constitute an attorney client relationship. As laws frequently change and may be interpreted differently, RVL® does not in any way guarantee the accuracy or applicability of this information.
