Exterro – Managing a Privacy Program Across Multiple Jurisdictions

Headline Sponsor - The Data Protection and Privacy Hub

Outlining strict rules on the collection, processing, storage and sharing of sensitive data, privacy laws exist to ensure personal information isn’t used in an unfair, irritating, malicious or potentially harmful manner. 

To achieve this, they stipulate that any organisation can only use data for the purposes for which individuals have given consent – otherwise it must be deleted or removed from storage systems. 

For businesses today, adhering to these privacy laws is business critical. Indeed, it is becoming increasingly clear that consumers demand ethical and proper data management practices. 

According to a recent survey from KPMG, 86% of consumers revealed they are becoming increasingly concerned about data privacy, while 78% expressed fears about the amount of data being collected. Equally, four in 10 stated they do not trust companies to use their personal data in an ethical manner.

Further, the financial penalties for failing to comply with privacy regulations can deal a hugely damaging blow to any business, the $5 billion non-compliance penalty issued to Facebook in 2019 being a prime example. 

The expectations of consumers and governments surrounding the ways in which organisations manage data are growing, and meeting these obligations and fulfilling those expectations is not optional. 

With compliance critical to retaining consumer confidence and avoiding hefty fines, it must be made a priority. However, adhering to data privacy laws is becoming an increasingly complex task.

Geographical disparity brings complexity

There are many basic data privacy principles which organisations will typically need to consider and meet. These include:

• Informed consent: Organisations must obtain affirmative, explicit consumer consent to collect, use and share their data.
• Data minimisation and Retention: Develop operational plans designed to minimise risks with data that is held.
• Purpose limitations: Consider the purpose of data to ensure that it isn’t collected and stored unnecessarily.
• Data subject requests: Produce, correct, and potentially delete all data associated with an individual upon request. 
• Data protection obligations: Obligation to secure data and inform individuals and regulators should it be compromised in the event of a data breach.
• Vendor management: Data shared with a third party must be protected under the provisions of the applicable regulations.

However, complexity arises when organisations are having to meet varied privacy laws across multiple jurisdictions where the actual responsibilities and requirements can differ significantly.

The most far-reaching and renowned data privacy laws currently in place are the EU’s General Data Protection Regulation (GDPR), the US’s California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Yet today, almost all major economies now have comprehensive data protection laws that apply with extraterritorial effect, and those that don’t will have one soon.

Equally, within individual countries, organisations often face a complex mix of sectoral privacy laws. In the US, for example, more and more states are passing their own unique privacy laws that are leaving entities with a complex mix of sectoral privacy laws to face up to.

So, how can organisations achieve best practice for managing an effective and effective privacy program across multiple jurisdictions? Thankfully, despite these challenges, there are several fundamentals that will make privacy programmes more adaptable and responsive to differing and changing privacy requirements. 

Three steps to embracing a privacy-first culture

Taking a centralised approach to data management is an effective, efficient, and scalable way of ensuring your organisation meets privacy laws. 

By making data privacy and protection a priority, it becomes woven into the DNA of the organisation, ensuring the alignment of all parties with clear policies when collecting, processing, using and/or managing data. 

Of course, this isn’t a quick switch. Embracing a holistic data management and privacy strategy can often entail significant cultural change backed by meticulous planning and interdepartmental cooperation. Yet there are three key steps to follow in pursuing this strategy adaptation.

1) Start with a data inventory

To align with privacy rules, entities first must gain a comprehensive understanding of exactly where data is kept, what it consists of and how it is being used is vital. Improving this understanding requires a data inventory – a neatly organised central platform containing accurate and detailed information on all your organisation’s data. These can play a vital role in helping to identify data that isn’t being used, is sensitive, or is subject to regulatory or policy controls. Further, they also outline how risky an organisation’s storage practices are. To both build and maintain a data inventory without placing a massive strain on resources, automated technologies can be used, helping you to find, identify and classify personal information as well as assess data compliance and calculate risk across the entire data landscape quickly, accurately and securely. 

2) Only keep the data you need

Organisations should equally only keep the data they need. If it’s duplicative, outdated, doesn’t serve a specific and explicit purpose, and isn’t linked to a lawful purpose, it shouldn’t be processed. To understand the value (or lack of value) of data, key documentation principles need to be adopted. Outlining key parameters will allow the business to determine what is relevant or excessive, which can then be applied to the elements of personal data and each proposed use. 

3) Work with trusted partners

A key challenge stems from the fact that organisations are responsible for what their third-party vendors do with personal data. Data shared with a third party must be protected under the provisions of the applicable regulations, so entities must ensure they perform due diligence and audits on all partner vendors so that they are not held accountable for data breaches or regulatory violations. Indeed, it is vital to work with trusted partners – if you wouldn’t trust them with your personal data, why would you trust them with your customers’ data? 

The first mover advantage

Evolving and expanding privacy regulations across various jurisdictions can make compliance a daunting task. Yet with the right changes and appropriate policies, data privacy programmes can become streamlined and scalable to meet changing regulatory requirements.

Embracing these need not be a burden. By remaining ahead of the curve, organisations will be able to better break down organisations siloes and use data to innovate, collaborate, unleash creativity more effectively.

Indeed, to ensure compliance in the future, it is critical that firms get their houses in order today.