12 Questions Retailers Should Ask to Avoid Ghosts of Privacy Breaches Past

Perkins Coie

As retailers head into the holiday shopping season, the ghosts of privacy breaches past may come to mind just as easily as the "12 Days of Christmas" carol. From Target to Michael’s to Neiman Marcus, retailers remember these headlines well. Given a thorny regulatory and litigation landscape and a string of recent privacy and data security crises, data privacy has become a board-level issue. Here are 12 key privacy questions to ask your business teams so that the ghosts of privacy breaches past do not become the ghosts of privacy breaches present.

  1. What jurisdictions do you do business in and what jurisdictions are you targeting? Are you marketing globally?
  2. Where are you collecting and storing your data, and whose data is it? Specifically, are you collecting data about residents of, or storing data in, the European Union (EU), APEC economies, Canada, California and/or Vermont?
  3. Do you use digital marketing (e.g., targeted ads)?
  4. How are you managing privacy? Do you have written privacy policies and procedures? Do you have both website and employee policies? Do you have a chief privacy officer or privacy leader/task force?
  5. Have you conducted a risk assessment and, if so, what are you doing to mitigate risks?
  6. Have you implemented a privacy and data security impact assessment process, particularly for any new products that may implicate privacy/security concerns?
  7. Do you have sufficient data security safeguards in place, and an auditing mechanism to verify that they are working as intended?
  8. Do you have a vendor management program?
  9. Do you use artificial intelligence (AI), machine learning or Internet of Things (IoT) devices in your business?
  10. Do you collect biometric, medical or health/wellness/fitness data?
  11. Do you have an incident response plan and other security governance policies?
  12. Have you conducted a recent tabletop exercise to prepare to respond to an incident?

Answering these questions will give you a better sense of your privacy and data security risks. The next step is staying aware of privacy and data security legal developments, as this is a complex, fast-evolving field.

In May 2018, the General Data Protection Regulation (GDPR) went into effect in the EU, ushering in a new, sweeping privacy and data security law framework that affects not only businesses located in the EU, but also companies that offer goods and services to EU residents or monitor their behavior. Then, in June 2018, the California Consumer Privacy Act was passed—a landmark law that, like the GDPR, will impose far-reaching requirements on businesses to protect consumers’ personal information.

Other notable developments this year include Vermont passing a data broker law in May, Chicago introducing a data protection ordinance in June, Japan and the EU agreeing on a reciprocal finding of adequacy in July, and China's Cybersecurity Law, enacted last year. These developments underscore the need for retailers engaged in digital marketing, e-commerce and in-store promotions to develop a top-line privacy compliance strategy. To do so, you must first determine which jurisdictions apply and then develop privacy and data security practices that meet each jurisdiction's requirements. A comprehensive review of how your business collects, uses and shares personal data, measured against the applicable regulations, is critical to avoiding legal pitfalls and enforcement actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
