Sarah Thompson, an innovative and inspirational technologist, is the Chief Product Officer of Siemly LLC, with over 17 years' experience in the legal technology field. Her career has included leadership positions at LexisNexis, iConect, Dataflight, and Zapproved, all leading, world-renowned legal technology companies.
Siemly LLC is a woman-owned legal technology company that focuses on automating regulatory workflows for consumer data privacy requests, such as those required by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations give consumers notable rights when it comes to the protection of their personal data. If covered companies do not comply with consumers' requests regarding this personal information, they could face regulatory fines as well as, in the case of California, private actions. The Siemly platform saves companies thousands and sometimes millions of dollars by helping them manage consumer requests in an automated and defensible manner.
I spoke with Sarah Thompson, who is responsible for the vision and implementation of the Siemly platform. As Sarah put it, "we are giving companies a really easy method to implement an automated, repeatable process that can withstand regulatory scrutiny." She explains the concepts behind regulating privacy, a subject that is becoming a daily conversation, with ease.
For those of us that are not exactly sure what you and Siemly do, can you explain the concept of Siemly as the Chief Product Officer?
Data privacy is a hot topic. In the legal field however, many consumers don't know about the new privacy regulations that are emerging around the world. Globally, we are entering into this era of data privacy. It really starts with the Internet. Because the Internet has exploded, all of our business is online, our kids' pictures, our credit cards, our conversations…our most private of information. Until two years ago there were no laws that governed the privacy of the individual. In 2018, the GDPR (General Data Protection Regulation) came out in the EU. This was the first data protection regulation that was ever enacted. It covers every European Union citizen. What it stated was that the people who are residents in the EU have rights when it comes to their personal data. Such rights include knowing what data a company has collected from them, why they collected it, and whether they sold or shared that data. Consumers can even request to have their data deleted. Basically, they gave people control over their own personal data, something they never had before, and if companies don't comply, they can face some very serious fines; in some cases these penalties can be millions of dollars. So why was this regulation needed? Let's think about Facebook. Facebook was hacked in 2018 and the attackers stole millions of people's most personal information.
That same year, Mark Zuckerberg had to testify to both Congress and the EU Parliament about what he is doing to make sure this doesn't happen again. Most people at the time had a Facebook account and assumed that their data was secure. If you asked most people, they would never think that Facebook was sharing or selling their most personal data. Here are these tech companies that we are using every day for "free"…well, these are not free services. These companies analyze our behavior, conversations and data in order to better sell products and services to us. Facebook, among others, is making money, a lot of money, even billions of dollars, from selling its users' personal information, and it wasn't being transparent about what it was doing. Companies like Facebook were burying this information deep in their privacy policies, which no one was reading. Again, people have this assumption that companies are going to take care of their data, that it will be safe and secure. That is an incorrect assumption. Prior to 2018, there were no laws stating that companies had to do anything to protect a consumer's privacy. So, imagine that here you have your most private data, your texts, your conversations on Messenger, and then the company gets hacked; those hackers now have your information and can use it for criminal purposes. As an example, an elderly family member recently received a call from somebody saying that her nephew was in jail and they needed money for his bail. She paid it and of course, this was a scam. Her Facebook was hacked, and the hackers were able to identify her name, age, and the names of her friends and family members. They could even see her conversations. With this information they were able to successfully target her and knew just what to say to get her to part with her money. So, we are talking about some pretty serious stuff that is going to be happening more and more.
The EU implemented GDPR in order to give citizens control, and to make companies transparent with what they are doing with EU resident’s data and accountable if they do not take the appropriate measures to prevent it from being stolen.
How did California become involved?
California took notice of the EU and passed a regulation in 2018 called the California Consumer Privacy Act (CCPA), which will come into effect on January 1, 2020. It's modeled after the GDPR, so it's very similar, with a few major differences. California fines are on a per-individual basis, so they may seem smaller than the GDPR's, but they can accumulate quickly if many individuals are breached, and the CCPA also allows California residents to sue companies for not protecting their data if the company experiences a breach. The regulation also recognizes that not all companies act in good faith with respect to their clients' privacy. The CCPA has specific requirements as to how companies need to be transparent about what they are doing with California residents' data, and it imposes bigger penalties if the violation is found to be intentional as opposed to a mistake.
On top of that, if a company is hacked, every California citizen that it has collected data from may have the right to sue. That's called the "right of private action." Private citizens were never allowed to sue a company before for being sloppy with their data. So, for example, say Facebook were breached, you may be able to sue for up to $750.
When is this law going to catch the attention of New York say, for example?
The CCPA comes into effect in January of 2020, and there are 15 other states that are currently in the process of developing data privacy regulations, and New York is one of them. We can expect more states to follow. We also see data privacy regulations modeled after the GDPR internationally, in countries like Brazil for instance.
Really there should be a Federal regulation so that it’s not state by state. In the current political climate, there is a trend towards de-regulation but with data breaches becoming the new normal we will hopefully see regulators taking notice and eventually action.
I was watching something like that on television right before I called you.
Right, it's becoming big news. So now that citizens are being awarded these rights globally, it requires that they have a method to exercise these rights. The way that citizens do so is by submitting a request to a company called a "data subject access request" or "DSAR". Each privacy regulation has specific DSAR requirements that may differ slightly, but basically covered companies have to make it easy for consumers to submit a DSAR and they have to complete the request quickly. For instance, in the EU, when a citizen submits a DSAR the regulation states that the consumer's request must be completed within 30 days, whereas for California it will be 45 days, with some exemptions. If they don't respond quickly, then they can be fined. This process can of course be quite burdensome for a company to address, depending on the volume of requests they receive.
So, can companies manage these requests without investing in a technology solution?
Sure, they can, and many are. The regulations do not require that you use a tool to manage these requests. Some accept DSARs via email or even paper requests and then track who did what, and when, in a spreadsheet for instance. With no automated process they will need to respond to every request manually. With no repeatable process they can easily forget to perform required steps. With no alerts and reminders, they can easily miss deadlines. With no approval process they can easily send responses or delete data they shouldn't have. The company is really putting itself at risk with a manual process that will very likely not stand up to regulatory scrutiny.
So what does Siemly do to help them with this process?
We help businesses by relieving the burden of handling DSARs. We make it easy for them to plug a request form into their websites, we automatically verify the requestor's email address, we automate responses when we can, and when we can't, we make sure that the right people are alerted to work on the request, we send reminders when deadlines are approaching, and we require the right approvals before sensitive tasks are performed.
What we are doing is saying to companies “we are going to make it easier, cheaper and faster for you to respond to these consumer requests”. Our product allows companies not only to automatically reply but we make sure all the steps are taken so that they don’t jeopardize themselves. If the California regulators go in and say, “I want to have a look at what you did”, they will have a very clear process that can show that they did these things, on these days, and here’s who did it. We track everything that’s done in our system so it can withstand regulatory scrutiny.
That’s awesome. What was your inspiration?
I’ve been working in the legal technology sector my entire career, almost 17 years now. I have built, taught, designed and led managed service offerings for some of the top legal tools out there. Litigation tools are of course, used in litigation and therefore have some very specific requirements. Whether the software is used to review evidence, forensically collect evidence or send legal holds, you must be able to show who did what, when, so that if the data or process is ever challenged in court, you can prove that you weren’t doing anything untoward, or sketchy if you will. For instance, if you don’t collect evidence in the right manner, what we call a forensically sound manner, then it could be thrown out of court. You have to make sure that you can prove, to a judge, that the data was not tampered with and as you can imagine, opposing counsel was always trying to get the evidence thrown out so it had to be a bulletproof process. Working in this field taught me why maintaining an immutable audit trail was so important and why we had to be very diligent to record every little action to prove that data was not tampered with. We brought that concept over to the Siemly platform so that when a company’s process of handling DSARs is called into question by regulators, companies can easily demonstrate to them exactly what was done, when and by whom and that the process could withstand regulatory scrutiny.
We are giving companies an easy method to implement an automated, repeatable process that can withstand regulatory scrutiny, and we’re going to do it at a really fair price. It’s going to help companies save a lot of time and money by avoiding regulatory penalties and reducing the amount of time and resources they need to spend responding to these requests. I think it will also demonstrate to regulators and consumers a commitment to data privacy.
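The immutable audit trail Sarah describes above, recording every DSAR action so that nobody can later rewrite who did what and when, is illustrated below. This is an example added by the editor for this page, not Siemly's code and not part of the interview. Each entry commits to the SHA-256 hash of the entry before it, so editing or deleting an earlier entry breaks every hash after it, and the 30-day (GDPR) and 45-day (CCPA) windows mentioned in the interview are checked against the request's "received" event. The request IDs, actors, timestamps and action names are constructed sample data.

```python
"""Hash-chained DSAR audit trail with tamper detection and deadline tracking.

Editor's added example (not Siemly's code). The 30/45-day windows are the
ones quoted in the interview; all events, actors and timestamps below are
constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry in the chain

# Response windows quoted in the interview (assumption: calendar days).
DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}


def _digest(prev_hash: str, event: dict) -> str:
    """Hash of this event chained to the previous entry's hash."""
    # Canonical JSON: same event always serialises to the same bytes.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, request_id, actor, action, at, details=None):
        """Append one action and return its chain hash."""
        event = {
            "request_id": request_id,
            "actor": actor,
            "action": action,
            "at": at.isoformat(),
            "details": details or {},
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"event": event, "prev": prev, "hash": _digest(prev, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (ok, index of first broken entry or None)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def deadline_status(self, request_id, regime, now):
        """Days left before the response window closes (negative = overdue)."""
        received = next(
            (e["event"] for e in self.entries
             if e["event"]["request_id"] == request_id
             and e["event"]["action"] == "received"),
            None,
        )
        if received is None:
            raise KeyError(f"no 'received' event for {request_id}")
        due = datetime.fromisoformat(received["at"]) + timedelta(days=DEADLINE_DAYS[regime])
        return (due - now).days


def demo():
    """Constructed walkthrough: a deletion request, then an insider edit."""
    trail = AuditTrail()
    t0 = datetime(2020, 1, 6, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    trail.record("DSAR-1", "webform", "received", t0,
                 {"type": "delete", "email": "j@example.com"})
    trail.record("DSAR-1", "system", "email_verified", t0 + timedelta(hours=1))
    trail.record("DSAR-1", "privacy@example.com", "approved", t0 + timedelta(days=3))
    trail.record("DSAR-1", "ops@example.com", "data_deleted", t0 + timedelta(days=4),
                 {"systems": ["crm"]})
    ok, _ = trail.verify()                       # True: chain intact
    remaining = trail.deadline_status("DSAR-1", "CCPA", t0 + timedelta(days=40))  # 5
    # Tamper attempt: someone rewrites who approved the deletion.
    trail.entries[2]["event"]["actor"] = "ops@example.com"
    tampered_ok, bad_index = trail.verify()      # False, 2
    return ok, remaining, tampered_ok, bad_index


if __name__ == "__main__":
    print(demo())
```

A hash chain only detects edits made by someone who cannot rewrite the whole log: an attacker with write access to every entry can recompute all the hashes. To make the trail hold up to the kind of challenge Sarah describes from litigation, the latest chain hash should be periodically anchored somewhere the log's owner cannot silently change, such as a signed timestamp or write-once storage.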
For more information go to https://www.siemly.com
Find out if your business is exempt under the California Consumer Privacy Act (CCPA) here: