Even though more than 700 privacy laws existed globally before the General Data Protection Regulation (GDPR) became enforceable, May 25th, 2018 was really the start date, not the deadline, for many corporate privacy compliance frameworks.
Articles 5 and 24 of the GDPR address Accountability and require that you have a Privacy Program in place. You should be able to tell the story of what you’re doing, and why you are doing it, outlining the appropriate technical and organizational measures you have implemented.
Eleven US states have enacted new data breach legislation so far this year, the California Consumer Privacy Act (CCPA) becomes enforceable in 2020, federal privacy legislation is under discussion in the United States, and the EU’s ePrivacy Regulation is set to come out of committee in early 2019. Given all of that, what are some strategies for creating a privacy framework that is repeatable, scalable, and sustainable across your organization?
Create a Jurisdiction Agnostic Approach
The privacy officer or office in your organization needs to know which laws apply and how to interpret them, but the rest of your organization does not. Trying to segment procedures for handling data by jurisdiction or by applicable law invites confusion, mistakes, and an increased risk of mishandling data. Broad corporate policies on how data is collected and processed, written without reference to any one jurisdiction or set of laws, can simplify a very complex situation.
Best Business Practices for Creating Jurisdiction Agnostic Procedures
The strategy used by international corporations that have dedicated privacy teams, attorneys and data protection officers to oversee compliance with hundreds of global privacy laws is to:
This best practice is why many corporations did not implement measures to treat U.S. user data differently from E.U. user data based on geographic location when implementing GDPR compliance measures. These same organizations are better positioned to adapt the measures they have already taken for GDPR to meet CCPA requirements.
Incorporating Privacy Measures Into Your Company’s Procedures
When your company takes the non-jurisdictional approach and incorporates privacy measures into its corporate policies and procedures, you not only eliminate a lot of confusion and opportunity for mistakes, you also share the privacy responsibility across the organization. Privacy is no longer just the privacy department or officer sending e-mails or a set of additional rules to consider. Instead, privacy is embedded in what information is collected and how it is handled, and staff receive training and attend meetings on the corporate policies governing what information is collected and how. This is the easiest way to meet the accountability requirements under GDPR.
Leverage People and Processes Across Your Organization
Leverage the existing personnel and processes that you put in place for GDPR compliance across your organization to maximize efficiency and avoid redundancy when applying CCPA compliance measures. For instance, your company may have an information or technology department responsible for internal audits. You can tweak the audits and data reports it already produces to include a few privacy-related questions, gathering the information needed to implement and measure CCPA compliance and reducing the time and expense of a separate privacy audit.
Part of maintaining a repeatable, scalable, and sustainable privacy framework is a periodic review to ensure that your company’s actions are consistent with its stated policies and procedures and with applicable regulatory requirements, and that you have properly assessed and mitigated risk.