One of the fundamental challenges in creating an effective data privacy and protection program is that there is no single “global privacy law” to tell us all how to handle personal data.
For example, while the General Data Protection Regulation (GDPR) applies to the data of residents in all 28 countries of the European Union, 132 countries have put their own data protection and privacy legislation in place, according to the United Nations Conference on Trade and Development (UNCTAD). Still other countries — including the United States — have not even addressed data privacy at a federal level.
However, the United States does have a lot of industry-based regulations, including privacy rules for sectors such as healthcare, finance, credit, and telecom. Add to that the data privacy laws of individual states, and the task of figuring out what you need to do to be compliant becomes even more complex.
The good news is, global privacy laws share some common elements. And identifying those commonalities in the laws provides a foundation for building a successful data privacy and protection program.
8 common elements of global privacy laws
Every data privacy law includes some or all of the following eight elements. However, the specific requirements under each element vary and are often unique to the individual law:
- Creation and collection
- Notice and consent
- Proper use
- Sharing
- Safeguarding
- Data subject access requests (DSARs)
- Data breach management
- Documentation
In addition, different laws may emphasize different aspects of data privacy. For example, GDPR provides guidance for the collection, use, sharing, and security of data for residents of the EU, with particular focus on the proper use of data.
However, the California Consumer Privacy Act (CCPA) enhances consumer privacy rights, such as the information consumers can ask for via DSARs, and imposes new limits on sharing of data. And the New York SHIELD Act expands the state’s data breach notification law and adds new security requirements for collecting data on New York residents.
Achieving compliance with disparate data privacy laws
Because there are so many different requirements under global privacy laws, building your data privacy program around “perfect compliance” with a single, specific law will leave gaps and make your organization ineffective in complying with other privacy laws and regulations it may be subject to.
On the flip side is the impossibility of a “one size fits all” data privacy plan. The reality is, unless your organization has a very limited reach and customer base, you’ll never be in perfect compliance with every data privacy law for everywhere you do business.
What you need is robust and documented processes and policies that demonstrate you’ve made a good faith effort to comply with global data privacy laws. And that requires a thematic and programmatic approach to data privacy and protection using the common elements.
A data privacy framework based on common elements
The advantages of a framework that addresses the common elements is that it allows you to evaluate global privacy laws against an existing context, to determine what you need to do to meet those requirements.
So, when you become subject to a new privacy requirement — whether due to a new law, doing business in a new place, or a change in an existing law — you have a context with which to consider the change:
- Where does it fall within the common elements — for example, does it relate to the area of notice and consent, proper use, and so on?
- What are you already doing in that area?
- Will what you are already doing also satisfy the new requirement? Or can you tweak it slightly to meet the new requirement?
This is unlike privacy frameworks such as those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), which use “crosswalks” to show where different global privacy laws correspond. Instead, an operational approach shows not just where there are commonalities, but also what activities you can engage in to be compliant across multiple data privacy laws.
This framework enables you to build an operating model and expand it as needed to increase responsibilities and operationalize new requirements in response to new data privacy laws or provisions. So rather than reinventing the wheel, you can respond more quickly and easily to global privacy laws and adjust what you are already doing to efficiently manage changes.
The key to success: an operationalized data privacy program
Identifying commonalities across different global privacy laws is the key to developing your data privacy and protection objectives, and documenting your strategy for operationalizing those requirements across your organization.
With your data privacy processes and policies well documented, you can respond more effectively to regulators and litigation, to verify compliance with regulatory and legal requirements. Proper documentation also helps you respond efficiently, and correctly, to DSARs and other consumer privacy issues.
And by operationalizing data privacy and protection, you’ll have a robust, defensible program that demonstrates your good faith effort to comply with privacy requirements — which may mitigate penalties and fines, even if you have fallen somewhere short of perfect compliance.
To learn more about global privacy laws and how information governance (IG) can help you achieve and maintain compliance, please contact matthew@bernsteindata.com or watch our on-demand webinar on operationalizing data privacy in a changing enforcement environment.