Since 2018, legal and privacy professionals have witnessed unprecedented change in the realm of data privacy regulation. Since the enactment of the General Data Protection Regulation (GDPR) in Europe, jurisdictions across the globe have revisited past privacy laws and enacted new ones. While in general the laws demonstrated a growing consensus that individuals have extensive rights over how their personal data is used, the particulars of the regulations vary widely.
In the wake of these changes, many states have introduced or passed legislation enumerating privacy rights for their citizens, but much like the rest of the globe, the United States remains a patchwork of divergent regulations. To remain compliant, both domestically and internationally, organizations must invest time and energy in staying informed and educated on privacy trends. To help in that regard, Exterro recently hosted a series of webinars titled The Future of Privacy, assembling regional privacy experts and technologists to discuss the complex regulatory framework international enterprises must reckon with today.
This article brings together five key insights these experts provided that can help you and your organization stay on the right side of these trends and avoid negative regulatory enforcement actions. While the experts cited are international, the principles also apply to the United States, as they are widely accepted best practices.
Privacy Best Practice #1: Embrace privacy compliance because it makes business sense, not just as a matter of avoiding regulatory risk.
Dr. Donald Macfarlane, Partner, SBP Law, explains, “GDPR compliance is less about the level and number of the fines grabbing headlines, and more about companies understanding the value in behaving ethically, to be seen doing so, and maximising the value of the data they store.” While organizations are of course concerned about the possibility of facing substantial fines from European data protection authorities, the benefits of adopting a privacy-by-design approach are proactive too. Organizations and consumers alike benefit from “fair, lawful, and transparent processing of data.” The value isn’t just in services provided—it’s also brand equity with potential customers if your organization is seen as compliant and respectful of privacy rights.
Privacy Best Practice #2: Know what data you have and where you’re keeping it, as well as what data you are transferring and where you are transferring it.
Conducting a data inventory is a foundation for all of an organization’s data privacy efforts. It informs retention schedules, data subject access requests, and regulatory compliance activities. Gesa Schatz, Senior Manager for Forensic & Integrity Services at Ernst & Young GmbH WPG, notes, “Data inventories are critical for businesses in order to be able to quickly react in case of a data breach, an internal investigation, or any request from an individual to delete their personal data (e.g., a former employee). As the amount of data is continuously growing the need for intelligent software and automation in this context will increase as well.”
Privacy Best Practice #3: Integrated privacy solutions can help you comply with different sets of privacy regulations across domestic and international jurisdictions.
Organizations face complex patchworks of regulatory regimes across state and national borders—but adopting a patchwork technology solution won’t work. Using multiple technologies can lead to knowledge gaps, organizational silos, and redundant efforts. One way to avoid such difficulties is by adopting a holistic solution capable of monitoring data under multiple sets of regulations. José Alejandro Bermúdez, Partner, Bermúdez Durana Abogados states, “Organizations need to stand ready to implement comprehensive privacy programs, capable of addressing multiple jurisdictions and regulations in order to effectively comply across borders. This effort will require commitment from the C-Level and adequate training, resources, and investment in technology.”
Privacy Best Practice #4: Privacy compliance is a program and not a “one-and-done” project. Implement procedures, assign responsibilities, and measure achievements on an ongoing basis.
As Rahul Sharma, Founder of the Perspective & Grade Ace, states, “Data protection is not an end in itself. It is a journey, ever-evolving. No company can claim to be compliant with all the provisions the law entails. The law wants companies to build a culture of cybersecurity, data governance, and information privacy protection.” Privacy regulations today aren’t built on a “check the box” and you’re done model. They represent an understanding that data belongs to the individuals it represents, and organizations that use it must have legitimate reasons and show due respect to consumers.
Investing in your privacy professionals, processes, and technology can lay the foundation for an ongoing program that isn’t just about compliance, but rather long-term business success. Nina Bryant, Senior Managing Director at FTI Consulting, summarizes the result of recent changes in privacy law: “Organizations now look at privacy with a global lens. They look at the ethical use of data as a boardroom issue, not just a back-office IT issue.”
Learn even more about the current state of international privacy regulations by downloading the Exterro whitepaper, The State of International Data Privacy Regulations Today, now.