Implementing and managing conflicting policies to address regional or global privacy requirements often leads to confusion.
It forces multinational organisations to be intentional about their data privacy: rather than putting something in place once and forgetting about it, they must keep up to date with developing regulatory frameworks and continuously review and revise their privacy programme.
As a basic example, take the deadlines for responding to Subject Access Requests. A company with customers across the EU and Brazil will have implemented processes to allow responses within one month and fifteen days respectively. Another example is the implementation of marketing or cookie consent on global websites: applying opt-ins for EU-based customers to satisfy GDPR and ePrivacy Directive requirements, as well as opt-outs to satisfy the requirements of other regimes such as the CCPA.
It may appear easier to focus on the disadvantages of this changing landscape and to question the value of devoting resources to these requirements. Linking back to my previous post, however, devoting resources to baking Privacy By Design into the core of your business will yield positive results. Being intentional about global compliance will be apparent to customers and lead to greater public trust.
As with any element of successfully managing a business, privacy requirements are constantly evolving. By avoiding a “one take” approach and instead applying a cyclical approach, as you would with all other areas of data governance, an organisation can ensure that it remains ahead of the game and compliant in every region in which it operates. I have created a simple acronym, DAME (Design, Apply, Monitor and Evaluate), to identify the steps to repeat on a regular basis, not just to stay ahead of the regulations but to ensure the programme remains fit for purpose.
- Design how privacy fits into your data governance and long-term business strategy
- Apply what you have designed
- Monitor constantly to ensure compliance and identify any issues
- Evaluate on a frequent basis whether this is still fit for purpose and the optimal way of achieving what you want.
Written by Larry Coker – Global Data Protection Officer