Privacy Babel: Making Sense of Global Privacy RegulationsCountries around the world are making their own privacy laws. How can a global company possibly keep up?
In the world of data privacy, the European Union General Data Protection Regulation (EU GDPR) has grabbed most of the headlines. But although the EU GDPR is a landmark piece of legislation and affects all companies that store or process data on EU citizens, it's by no means the only one that global organizations must now navigate.
Globally, some 65 countries have either passed new privacy legislation in the last year or have legislation pending, including China and Brazil. The impetus for the growing emphasis on data privacy and protection is consumers' widespread unease about the impact of digital business on the privacy of their data, compounded by ongoing breaches to extract personal data. Regulators and legislators across the globe are intensifying efforts to spell out requirements for collecting, storing, processing, and sharing consumer and customer data.
The specifics of privacy legislation — whether in terms of consumer rights such as the "right to be forgotten," data retention requirements, or the need for data privacy officers — vary widely by jurisdiction, along with the ability to actually enforce the legislation or regulations and impose penalties. Although the severity of fines and penalties varies from country to country, penalties have grown in size, and regulators have become more comfortable using them.
In this context, the EU GDPR heralds the most significant change for data privacy in the digital era, but not only because of the technical requirements or even the stipulation for data protection officers under certain circumstances. Instead, it's the magnitude of the penalties for violations and the expressed willingness of regulators to impose a fine of up to 4% of a company’s worldwide revenue that is grabbing business attention.
In tandem with more explicit requirements on their responsibility across jurisdictions, organizations must also conform to the expanding definition of what constitutes personal data — whether biometric data in the case of the EU GDPR or MAC addresses or cookie IDs in the case of new privacy regulations proposed by the Federal Communications Commission in the US.
In its recent enforcement decisions, Singapore's Personal Data Protection Commission has argued that context matters: violations of personal data protection requirements when the data is "of a sensitive financial nature" is more likely to draw fines. For companies looking to comply with new privacy regulations, it will therefore increasingly be expected that they can find any personal data accurately across an extended enterprise.
Certainly, many regulations and requirements will more closely resemble the GDPR's provisions as they near approval and the governing principles will become a point of comparison. However, it's important to understand that differences in approach will persist. For instance, the EU's GDPR takes a comprehensive stance across a regional block. In contrast, the US is more of a patchwork, made up of state regulations and federal regulations that are often industry specific. A clear example of this is the current battle between the FCC and Federal Trade Commission on who gets to define digital privacy for carriers.
However, the extent to which the requirements are spelled out shows a wide divergence. For instance, even in the context of the GDPR, the requirement for having a data protection officer is only mandatory when the organization is a public authority and engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. Under Singapore's Personal Data Protection Act, it's up to the organization to decide whether it should appoint a full-time data protection officer or have the function subsumed under another responsibility.
So, how does a multinational company manage differing definitions of personally identifiable information and different requirements around subject access, notification windows, and processing traceability?
The first step is the most obvious one: mapping business operations to data privacy jurisdictions. And it's important to understand the underlying principles that frame the legislation: whether comprehensive, specific to an industry sector, or defined in collaboration with industry.
However, the foundation of protecting the privacy of personal data relies on consistent application of privacy policies and, more importantly, accurate intelligence on the data that is being protected. All regulatory requirements share the need to know what data you're storing, who that data belongs to, where that data is located, who is accessing that data, what consent has been approved around that data, and where that data is being used. Without that foundational knowledge, it's impossible to accurately determine whether an organization is compliant with a specific regulation. It's also impossible to govern that data. No intelligence, no control. And without control, the risk of penalties and breaches grows.
Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is the CEO and co-founder of the first enterprise privacy management platform, BigID — a stealth security company looking to transform how businesses protect their customers' data. View Full Bio