Technology and Law: Why CTOs Should Be Concerned With Both

When I first became a Chief Technology Officer (CTO), I knew there would be some interplay between my role of implementing technology and our company's legal exposure. Back then, the main concerns were around copyright and intellectual property — easy concepts to grasp and relatively easy to protect your company from. Wow, how things have changed.

These days, there are legal implications for a CTO that affect everything from the codebase you use to how you store data to how you contact your customers to how you display information... the list goes on and on. Add the fact that many regulations vary from state to state and country to country and you are left with a patchwork quilt of regulations that at times can feel impossible to manage.

In this article, I'll dive into some of the issues CTOs should have on their radar and a few strategies to help you be successful in mitigating those issues.

Data Privacy

One major change in recent years is how companies manage customers' data privacy. In 2018, the European Union passed the General Data Privacy Regulation (GDPR), which outlines individuals' rights regarding the handling of their personally identifiable information (PII). These rights include the right to data portability and the right to be forgotten. In addition, the GDPR includes extensive rules on how a customer's data can be stored, utilized and shared.

To encourage compliance with the GDPR, several key decisions were made. First, the law wouldn't apply just to organizations based in the EU. It applies to any organization that is targeting an EU audience. Secondly, penalties for not complying are harsh. Many violations result in either a 20 million euro fine or 4% of an organization's annual revenue. Lastly, it greatly expanded what was considered PII. Under the GDPR, something as simple as an IP address is now considered PII. The GDPR became a template for other legislation, guiding other countries to implement their own privacy legislation.

As a CTO, data privacy has huge technical ramifications. Along with ensuring you have the necessary steps in place to properly gain customers' consent and ensure their data is properly utilized, there are also functional requirements. How do you properly give a customer insight into all the data you are tracking on them? How do you facilitate the right to data portability so they can export their data? How do you enable a customer to have their information forgotten, while still ensuring you retain the data you need for other legal requirements? All the while factoring in things as simple as using Google fonts can cause you to run afoul of GDPR.

Data Sovereignty

Data sovereignty defines whose regulations data should be subject to. For example, if you collect data about users in the EU, specific laws may apply that are different than for users in Canada. Additional data sovereignty rules can affect how and where you can transfer data. Data sovereignty used to be less of an issue since many countries had agreements, such as the U.S./EU Safe Harbor Agreement that allowed transfer of data out of the EU to the U.S. and vice versa. Unfortunately, with revelations of the NSA Prism program, which was ingesting a massive amount of data, EU officials invalidated the agreement and a new one has yet to be implemented.

In that gap, many organizations (the one I lead included) are forced to keep data in regional datacenters specific to the origin of the data and never transfer it. Sensitivity to data sovereignty will continue to be a complex topic, especially since segmenting data to multiple regions poses unique technical challenges.

Data Breach

Beyond the huge ramifications for an organization that has a data breach, there is now extensive legislation on the length of time an organization has in which to notify its customers of a breach and what they are liable for. There are implications here at the international, national and state level.

Regional Rules

Did you know that any company doing business in Québec must legally use French in their interface by default? Or that most of Europe is moving toward electronic invoices that must be delivered via a central-government-mandated system? Or that in Australia you can't use unreversable encryption or you may face steep fines? As governments increase regulations on technology, the regions you are doing business in will greatly determine what laws you need to comply with.

Strategies For Mitigation

So how can you be successful in this environment? Here are some takeaways:

1. Educate yourself.

Law, like technology, depends highly on logic. There are amazing resources online to help break legislation down into understandable bits. Although your legal counsel understands you can't share customer data without consent, they may not understand all the potential places you could leak an IP address to a third-party partner. This is where understanding both the law and technology can be a real asset.

2. Expertise is regional and specific.

Although your company may have excellent counsel, many regulations are region- and industry-specific. With the internet, your corporate nexus and liability are greatly expanded. Look at the regions where you are targeting customers and make sure to engage legal experts who can help you navigate compliance in those regions.

3. You are hitting a moving target.

The legal and compliance landscape is changing. Court rulings change the interpretation of existing law and new legislation adds new requirements. The good news is that as a company lays the groundwork for compliance, the process becomes easier in the future.

4. Much of this is reasonable.

As a technologist, it's easy to feel the people passing legislation don't understand the real-world implications. The GDPR in particular was a game changer for many companies, and some simply refused to do business with an EU audience. However, as a consumer, I recognize the value of legislation to better protect consumers and ensure businesses are acting in good faith. With technology being a core part of daily life, this type of regulation is reasonable and necessary.