Legal & Privacy – Communication is Key
May 26, 2024
One of the key relationships in any organization is the one between the legal team and the privacy function. How do you ensure good communication between these two key functions and make sure everyone is on the same page? Here’s a recap of a recent LinkedIn Live chat between my colleague Dr. Avishay Klein and Daniel Neiger, VP Legal at HiBob.
- The privacy function. Privacy is complex, the challenges differ from company to company, and so does the necessity for a privacy specialist. Whether the company decides this function should be filled in-house or externally (or both), there’s no one-size-fits-all solution and each company needs to figure out what works best.
- The interface between legal and privacy. Understanding the business, understanding the industry, and understanding the “risk appetite” of the organization is crucial, both for in-house staff and especially for external advisors. It’s key for the privacy function to be in sync with the goals of the legal team, but also to know where the limitations and “red lines” are.
- Business vs. regulatory considerations. It can be helpful to create internal policies, procedures and playbooks, but these should be a baseline for how things should operate, and must not be treated as “gospel”. This is where the privacy pro’s experience comes into play. It’s important to leave room for discretion and rely on the experience of the professionals in any given case. The playbook should cover 80% of the scenarios, with 20% left to the discretion of the privacy professional, without the GC needing to get involved.
- Setting expectations for the privacy role. The in-house function needs to have deep knowledge of both privacy laws and the company’s documentation (policies, DPAs, etc.). They need to know where the sensitive areas are and which issues are business-critical, and they need to walk the tightrope between the regulatory requirements and allowing the business to propel forward. Another crucial skill for the in-house privacy pro is to know when and how to escalate issues to the external consultants, be they DPO or external counsel. The external advisor, on the other hand, needs to know when to “raise the flag” and say “hey, you should think about that again before you sign off”.
- Cooperation and coordination. GCs have many, many risks to manage, privacy being just one of them. One of the best ways to cooperate is to ensure the internal and external functions are in constant contact, getting updates, collaborating, and keeping each other informed and up to date. The external function must stay up to date on trends in the market and in the regulation and update the internal teams, including legal and product. External advisors shouldn’t just “drop knowledge” on their client; they should actually take an interest, go the extra mile, and give their client practical tools and solutions as opposed to simply imparting knowledge and “dumping” templates on them.
- Building a compliance culture. Some “old school” companies have a long-standing culture of compliance, which is less common in contemporary startups. HiBob is an example of a company that started from day one with a great organizational compliance culture, which keeps maturing and improving as the company grows. The legal team is by no means everyone’s favorite, but over time it has demonstrated that it isn’t a business blocker but an enabler, and this is true for privacy compliance as well. Culture is deep-rooted. When companies IPO or have an M&A event, compliance and privacy become a big-ticket item. Adopting this type of “compliance culture” early on (e.g. putting in place “privacy steering committees”) is super helpful, and ensures the process goes smoothly.
Here is the full recording (in Hebrew).
Photo by jemastock on Vecteezy.com