Introducing the Data Protection Checklist for Brand Owners

By achieving a high level of data protection compliance, brand owners can reinforce consumer trust, thereby increasing brand equity and overall brand value. The Data Protection Committee—Best Practices Subcommittee has produced a “Data Protection Checklist for Brand Owners” to help INTA members spot issues and work towards data compliance. This checklist will be particularly useful for counsel whose responsibilities intersect with applicable data protection laws.

This article describes the data protection issues raised in the checklist. Importantly, neither the checklist nor this article creates or establishes any enforceable best practice or industry standard; this article merely highlights some of the most relevant data protection issues for consideration by brand owners and their counsel.

A useful starting point in reviewing the status of an organization’s compliance with applicable data protection law is to (1) identify the primary function of the business (i.e., does your business provide products or services?) and (2) determine the role and importance of data processing to its operations. The definition of data processing varies from country to country; however, it usually involves all aspects of the collection, modification, deletion, access, and storage of personal data. In general, all data within your organization should be processed lawfully and in a fair and transparent manner.

Next, determine the types of personal data that are being processed. Stricter obligations may apply to certain categories of personal data, such as health records, financial information, and personal data pertaining to children.

Mapping the flow of personal data throughout the organization is also very helpful because it can disclose unknown vulnerabilities based on where personal data is being processed, whether in the cloud or over multiple physical or electronic sites in one or more jurisdictions.

It is therefore good practice to create and maintain a record of data processing which identifies the type of personal data held by the organization and encapsulates how personal data within the organization is processed.

Another good practice is to conduct regular data security assessments, which can similarly help to identify and minimize risks and vulnerabilities. Such assessments involve the analysis of the organization’s systems, processing activities, and the controls related to high-risk data processing activities.

Accountability and transparency with clients and customers are critical to a comprehensive data protection strategy. The company’s privacy policies and notices should be publicly available, be written in a clear and concise manner, and explain the following:

• What personal data is being used and why;
• What data transfers to third parties and why;
• How clients and customers can exercise rights in their personal data; and
• Who to contact with questions or complaints.

Businesses that engage in direct marketing should also consider creating a consent program that tracks the withdrawal of consent to ensure the organization ceases to contact an individual once that individual’s consent has been withdrawn.

Regardless of the size of the organization, employees should be trained and educated on the importance of data protection to ensure a compliant data protection framework. Businesses with international clients, customers, suppliers, or service providers, should pay close attention to cross-border data transfers to ensure compliance with the relevant legislative framework in each jurisdiction.

It should be emphasized that all data subjects have rights with respect to their personal data. Although these rights may vary from one jurisdiction to another, they tend to include the following:

• Right to Data Portability. Data subjects no longer interacting with a company are entitled to request that their data be returned to them or transferred to someone else.
• Right to Rectification. Data subjects can request that a company correct inaccurate data held about them.
• Subject Access Requests. Data subjects can request the details of information that is held about them.
• Right of Erasure. Data subjects are entitled to seek the removal or erasure (right to be forgotten) of any personal data a company has collected about them.

Businesses therefore should work to ensure that they have adequate technical, administrative, and financial resources to respond to these types of requests from data subjects.

Implementing adequate administrative, technical, and security safeguards in the processing of personal data boosts brand protection and promotes brand value. These safeguards can be enhanced through various forms of external certification, such as International Organization for Standardization (ISO) certification. These safeguards also involve procedures for handling data breaches, including when and how to report data breaches to data protection authorities, as well as impacted clients and customers.

Awareness of the issues raised in the checklist will help a company get well on its way to a stronger data protection program, with increased brand equity among consumers and increased brand value.

Download the Data Protection Checklist for Brand Owners.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. 

© 2023 International Trademark Association