Companies used to have an easier time complying with regulations, but compliance has really never been a straightforward endeavor. In the past, there was one set of rules for businesses to obey, the local rules in the place where companies do business. If the business expanded into new parts of the world, they would have to comply with new rules, but these would apply only to those new territories.
The global economy means an end to this approach. Companies hoping to grow can no longer stay siloed in their states, regions, and countries; they need to abide by regulations beyond their borders, whether it’s a company in Indiana hiring remote workers in Scotland, or one in Dundee hiring a contact center in India.
This is especially true of data privacy laws, thanks to the ease of moving data between different regulatory regions, sometimes without realizing it. With the cloud, companies can have servers anywhere, but if they aren’t careful, data can end up being stored in or transmitted through parts of the world with different regulations, and compliance efforts may have been wasted.
Plus, every country’s regulatory body has its own ideas about how far it should go in protecting its citizens and what that means for businesses collecting and processing data. Making life easier for businesses comes second to protecting privacy, but it does mean businesses have to make sure they are following the rules wherever they store, collect, or process data.
This combination of cloud services and a patchwork of shifting regulations means that it would seem impossible to work with data and meet every demand of data privacy. But there’s a way to make compliance easier again—if not easy.
Cut the “Gordian Knot” of regulation
Companies don’t have to “boil the ocean” when it comes to compliance. Don’t overthink and overdo projects if it’s possible to simplify and spend less time on something that covers all the requirements.
With privacy, it’s the exact opposite. Make data privacy a core value for all businesses this year for one big reason: consumers and businesses have become more aware of how their data can get used and misused and this increasingly informs their decisions to share it or not. It’s easy to dismiss these concerns, but consumers are more aware of these issues than one might assume.
So, if not boil the ocean, then businesses at least may want to raise the temperature enough that it’s comfortable to go for a swim everywhere.
GDPR has become the highest standard of data privacy law in the world, and the majority was codified into the international standard ISO 27701. The EU takes this so seriously that in 2020 the Schrems II judgment invalidated the Privacy Shield, the international agreement that allowed companies to export data to the U.S.—under GDPR transfers outside of the EU are prohibited unless adequate safeguards are provided.
By adopting the standards of GDPR no matter where a company holds or processes data (a “GDPR Everywhere” strategy), businesses know that they are meeting a very high standard and can boast about maintaining these standards where rivals can’t. And, as GDPR gets used as a template for other countries adopting data privacy laws, it becomes easier to look at how these new laws differ and adjust appropriately. Mostly, it requires minimal to no change.
What does this strategy look like? Consider GDPR a worldwide standard and enforce it internally, for every company group, every country, and every applicable process. Meeting this higher standard means easily meeting all new standards cropping up—and it also means more efficiency and fewer mistakes, thanks to one universal approach and process.
GDPR may not fit all situations, and companies may need to use a vendor that does not comply. An example: a vendor in the U.S. processes only U.S. personal data. Technically there’s no need for GDPR standards here, but not enforcing them means missing out on building consumer and client trust. Making exceptions means creating a new process to learn and can convey that privacy is not a priority. But if it’s absolutely necessary to use a non-GDPR-compliant vendor, document everything. Create a supplemental measure assessment, do a full privacy and security review of the vendor, set plans in motion to replace the vendor with a compliant one, and also obtain a written executive risk exception sign-off. Consider this last piece an important documentation trail that proves the business acknowledges and accepts the risk because it judges the need for the vendor to outweigh the risk of a breach.
Once a business has adopted a GDPR Everywhere approach, it shouldn’t stop there. It’s important to look at the trends. Are there new regulatory requirements in countries where the company doesn’t yet do business? Choose to opt in! By staying not just up to date with regulations but ahead of them, businesses can turn privacy compliance into not just a way of following the rules, but a differentiator to boast about.
Joey Stanford, vice president, privacy and security, Platform.sh