The global privacy landscape is fractured and rapidly evolving. When GDPR first hit news cycles, businesses rushed frantically to adopt new data privacy frameworks. Today, there are thousands of local, regional, and omnibus laws in motion surrounding data privacy. Data governance has transformed into a full-time occupation, and data privacy can be a regulatory nightmare for businesses that are still using manual data mapping and governance practices.
Today, we’ll take a look at the regional privacy legislation landscape and discuss some of the key considerations for businesses moving forward.
Understanding the State of Regional Privacy Legislation
While omnibus bills like the GDPR and LGPD receive the bulk of media and IT attention, nearly two-thirds of all countries across the globe have enacted privacy legislation. At the hyper-regional level, nearly half of the states in the US have also created their own data privacy legislation in the absence of overarching guidelines.
From a regional standpoint, data privacy is incredibly complex. Almost all privacy bills require that companies follow them if they sell to locals. Given the current state of digitalization, almost every company on the planet does widespread domestic and/or international business.
From a top-down perspective, many of these data privacy bills are meant to be supplemental to GDPR. But many others use completely unique data privacy frameworks — adding to the overall governance complexity. Let’s be honest; GDPR is difficult enough on its own for many businesses. According to recent surveys, around half of EU businesses still aren’t compliant. And, according to GDPR data, millions of small businesses show “ignorance about data security tools” and have “loose adherence to the law’s key privacy provisions.”
In other words, data privacy is difficult. When you start to introduce a whirlwind of regional laws on top of those omnibus frameworks, pain points can turn into sources of IT agony. Of course, it’s entirely possible to adhere to regional and omnibus guidelines. But it requires cross-collaboration between IT leaders, and it certainly requires investments in the right technology.
Let’s look at the two most common frameworks for dealing with these supplemental privacy laws.
Complying with Local Standards: A Tale of Two Cities
The majority of organizations fall into two buckets. They either try to comply with each standard using unique, disparate policy frameworks, or they take a broad approach that goes above-and-beyond the most complex standard.
The Granular Approach (a.k.a. “The Logistical Nightmare”)
For some organizations, this rush of data privacy standards can be scary. You may look at the current landscape and attempt to break down exactly what data privacy legislation you need to follow and then attempt to comply with those specific standards. After all, the fewer privacy standards you have to follow, the more control you have over your data architecture… right?
Here’s the problem. This method is impossible. We don’t mean that as hyperbole. It’s literally impossible. There are too many. For starters, virtually every business (regardless of size) does business across borders. In fact, 4 years ago, 54% of small businesses were already directly marketing to overseas audiences. And, the more areas you do business in, the more data privacy standards you have to comply with. Given that we’re seeing new standards pop up nearly every week, you’re going to have to constantly adjust and reframe your policies.
Even if you’re one of the few businesses that only operates domestically, you still have to comply with state-by-state standards. And these are also growing daily. In a nutshell, this strategy only works for small businesses that only do local business. Outside of that small group, trying to create policies and workflows around each separate privacy standard would completely disrupt your daily workflows and business objectives.
You would have near-daily business interruptions. A constant supply of new policies. And a fair amount of angry IT employees. But, let’s cut to the chase. The majority of businesses that are taking this stance aren’t actually scoping out the privacy standards landscape. They’re avoiding broad change.
With the hurricane of compliance standards on the horizon, most businesses can see the storm coming. The way you think about and utilize data broadly is going to have to change. And, you’re going to have to invest in solutions to help you catalog and secure data across your IT architecture. When businesses aren’t ready to take this leap, it can be easy to convince stakeholders that you’ll take it “one standard at a time.” But that’s not possible.
It may have been possible a few years ago. But it’s not anymore. We aren’t saying that this solution will remain invalid. We could see a unified and transparent data privacy standard pop up that every country rallies behind. But until then, you can’t treat each new privacy standard as its own organism. Instead, you need to be thinking about beating data standards at their own game.
The Broad Approach (a.k.a. “Everything You Can Do I Can Do Better”)
How do you beat a never-ending horde of standards? Remember that age-old adage “fight fire with fire.” Well, that’s the simplest and most effective way to battle data privacy. You want to take the strictest standard you have to comply with and over-comply. We like to call this “building a regulatory-agnostic framework.”
It’s the trickle-down effect of compliance. Don’t fight each mob. Fight the last boss. Build a compliance framework that treats every customer (and non-customer) the same way. This involves remediating data handling issues and reducing your overall PI (personal information) surface area. And it certainly involves building broad policies that are as strict as (or stricter than) the most comprehensive data privacy framework.
On the surface, this advice may seem altruistic. And it certainly sounds a little like a sales pitch on a “How We Treat Your Data” page. But with so many data privacy standards surrounding our current privacy environment, creating a single, holistic, and comprehensive data privacy framework built on data governance solutions and best-in-class policies is the easiest way to logistically handle data privacy.
Of course, this is a little scary. It may mean that you have to completely rethink your architecture. It also means investing in technologies that help you enable data governance and security on a broader level. But the payoff is huge. You gain an immediate advantage over your competitors who are stuck constantly having to shift workflows when new standards hit the scene.
OneTrust Can Help
We believe that emerging data privacy standards don’t have to be scary. They’re not all unique organisms that need to be handled with care and delicacy. Here’s the truth: they’re almost all supplementary. We built our data governance and compliance solutions to go above-and-beyond the most uncompromising data privacy standards the current landscape has to offer. We’re fully regulatory-agnostic. From omnibus bills like GDPR and LGPD to local standards like CCPA, we offer solutions that help you reach full compliance — regardless of the specific data standard.
Are you interested in seeing what that looks like? Contact us.