In these tighter regulatory times, companies are being asked to innovate in a smarter and more considerate manner. We've teamed up with the Data Protection Network and OneTrust for a new report which outlines how companies ought to approach this ...
As a data protection lawyer working with some of the world’s biggest companies, Robert has examined GDPR’s influence on laws in other parts of the world. Not only has it influenced California and Brazil’s new laws, he says, but Bahrain, India, Kenya and South Africa are all implementing similar legislation which grants enhanced rights to individuals and holds businesses more accountable.
Yet, before we consider GDPR as a ‘Big Bang’ moment in the evolution of global data protection regulations, there are other factors in play.
“Whilst GDPR seems to set the standard, we should not forget that history plays a large part in the spread of privacy laws given that countries like France, Spain, Portugal and the British Isles have been so influential in other parts of the world for hundreds of years,” said Robert.
“The Data Protection laws in South Africa, the Middle East, Canada and much of Asia are heavily influenced as a result of the British Commonwealth and former British rule.
“It is no surprise that the new Brazilian law looks similar to the Portuguese data protection law and equally that the laws in other parts of South America are based on Spanish data protection law. Similarly data protection laws in North Africa and in certain parts of Asia are heavily influenced by French privacy principles.
Download our free in-depth report: ‘GDPR: One Year On’ which explores the impact of GDPR by drawing on insights from key rulings, the expert view of data protection consultants and the first-hand experiences of organisations which use data extensively.
Global data protection principles are also based upon the OECD (Organisation for Economic Co-operation and Development) Guidelines on Data Protection, first published in 1980 and updated in 2013, he says. Their fair processing principles and guidance on international data transfers have influenced data protection laws around the world, including the US Safe Harbor programme and Privacy Shield.
Meanwhile, the Council of Europe’s Convention 108 (the Council of Europe is not an EU institution) is another international accord which provides guiding principles on the protection of personal data. Its parties include Russia, Uruguay and Mauritius, and it has recently been updated to bring it in line with GDPR. As a side note, this could also aid the UK post-Brexit as it attempts to avoid restrictions on the flow of data outside the European Economic Area, as the IAPP reported:
“The European Commission sees the protocol as a way of encouraging “third countries” to adopt the basic tenets of the GDPR. This could be particularly interesting for the U.K., which will become a third country after Brexit.”
As a patchwork of new global data protection regulations unfolds, clear trends are emerging. Yet when it comes to data protection law, the devil is in the detail. Companies which operate across borders must ensure they address the issues raised in each legal territory they operate in.
Approaching a universal data governance solution
As global data protection regulations continue to evolve, there remains some uncertainty for data driven organisations. So how should they plot a course through the stormy seas of legislative change?
GDPR makes a pretty good compass. It’s arguably the strictest and most far-reaching data protection regulation passed to date. Indeed, Robert Bond suggests that multinationals are likely to take a “one size fits all” approach to global data protection compliance – and that GDPR coupled with the draft law in California is likely to set the standard.
Ian Evans from OneTrust agrees:
“Post-May (2018) we’ve broadened our horizons to consider it from a global privacy perspective because what we learned running up to May is that GDPR isn’t just for European companies. When you start looking at GDPR from a global perspective it’s quite a leveller in terms of a regulation.”
As someone who helps companies meet legislative requirements across different jurisdictions, Ian sees the potential pitfalls.
“Organizations will have tentacles out into all sorts of markets and they’ll have also partners and third parties operating in different markets. So understanding how your business runs from a data-driven perspective becomes key.”
In other words, though your own internal processes may be sound, your third-party data service providers may be breaching data protection laws – and they’re ultimately your responsibility. Ensuring their compliance is just as important as securing your own.
“That also means that there are probably other regulations you didn’t even know that you needed to comply with. If you’re a true global multinational company you’re already thinking about Brazil and the California Consumer Privacy Act and what’s going on in India and Australia and New Zealand.”
But, he adds, smaller companies who don’t see themselves as global may be blind to the wide network of data protection regulations that may apply to them – particularly if they use third-party data providers. It’s for this reason that OneTrust’s privacy platform allows users to check their compliance against the requirements of regulators across the globe.
“If the world went with a standard and we understood what the derogations were that would be a much easier place for us all to reside because then we’d know what the baseline was. Right now in today’s uncertain world we don’t know what the baseline is.”
We don’t have a crystal ball but…
Data protection laws will continue to evolve and their objective will be to empower the consumer. Legislation will be developed in response to society’s demands and expectations. In other words, ethics matter.
That means having the utmost respect for the consumer, by:
- Protecting the individual’s right to privacy
- Making the individual aware of how their data is being used
- Giving the individual greater control over their data
- Ensuring the individual’s data is stored securely
A ‘data-centric’ approach is required, in which organisations take ownership of their data by having a strong data strategy and governance framework in place. That way, any new legislation that crops up won’t cause undue concern because the processes are already in place. It’s about getting ahead of the game instead of playing catch-up, because we know where the regulatory landscape is headed – towards empowering the consumer’s rights. Indeed, research by Marketo found that 72 per cent of organisations that put the customer at the heart of their compliance strategy expected to exceed target this year.
The delayed ePrivacy regulation provides a perfect example of why a proactive strategy matters, as Ian explains:
“When we look at the ePrivacy directive a lot of companies are saying ‘Well I’ve got ages to wait for that yet’. But why wouldn’t you get ahead of the curve? We know it’s ninety-five per cent where it’s going to be. There’ll be fine tweaks but it’s not really going to massively change from the documents that have been published already.”
For data-driven organisations, it may be better to build a watertight ship than wait to mend the breaches as they occur.
Scroll down to download our free in-depth report: ‘GDPR: One Year On’ which explores the impact of GDPR on marketers and data driven organisations. You’ll learn about good practice, bad practice and how those working in the firing line of the legislative crackdown have handled the challenge.