Complying with multiple data privacy regimes is not simple, but it is increasingly becoming the expectation of clients and customers around the world.
Your company will be expected to treat the personally identifiable information (PII) it collects with respect, to store it securely, and to use it only for the purposes that were disclosed when it was collected.
These are common-sense data privacy protections that, coincidentally and conveniently, are also requirements of laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Some data privacy laws require disclosures to customers and a simple and convenient way for users to request information about them that a business has collected. These requirements are more onerous but may be necessary to continue doing business in certain jurisdictions.
At Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Wednesday, a panel of experts offered their advice regarding the current global data privacy landscape. The session featured Odia Kagan, partner at Fox Rothschild and chair of the law firm’s GDPR compliance and international privacy division; Rian Kinney, chief executive of eCommLegal, a vendor that creates customizable contracts for clients; and Jodi Daniels, CEO of consultant Red Clover Advisers.
While complying with multiple data privacy laws might seem unlikely to generate enough return on investment, consider the following points discussed during Wednesday’s session:
- The number of global data privacy regulations is only expected to increase. Beyond the GDPR in the European Union, there are comprehensive data privacy laws in Argentina, Australia, Brazil, Canada, China, Hong Kong, New Zealand, Nigeria, Singapore, South Africa, South Korea, Turkey, and several other countries, according to a chart maintained by the International Association of Privacy Professionals. In the United States, there is no federal data privacy law, but the CCPA will be amended and expanded by the stricter California Privacy Rights Act (CPRA) in January 2023. Colorado and Virginia also have data privacy laws that will take effect in 2023.
- Not every data privacy law applies to your business, but it is likely that some do. Determining which jurisdictions your business operates in is the first step in navigating new mandates. It may also be necessary to determine which jurisdictions your largest and most important clients are subject to, since they will expect any regulated data your company collects or stores on their behalf to be handled accordingly.
- Understand the data you need to collect to meet your business goals. Is it mission critical to store the PII your business is collecting? There should be a reasonable business purpose. There might also be a time consideration; is there a point at which the data is no longer useful and should be deleted?
- How secure is the data your business collects? Can your company minimize the data, perhaps by anonymizing it in a way that is still useful to your business but protects individuals if the data is compromised? Note that under the GDPR, pseudonymized data (data that can still be tied back to a person with additional information, such as a lookup table) remains personal data and stays in scope; only truly anonymized data falls outside the regulation. From which jurisdictions is your business collecting PII?
- Create policies and procedures that ensure PII is collected with consent or aggregated in a compliant manner. It is advisable to start small—say, by launching a compliant data privacy product internally or with a small cohort of customers—and then scaling up as you go. Applying a so-called “privacy-by-design” model to a small product can form the framework for subsequent larger, more complicated endeavors. As you scale up, prioritize consumer-facing products and focus on PII and other sensitive customer information that is regulated by the privacy laws in each jurisdiction where you operate.
- Create an easy-to-understand and transparent user experience. With that as a foundation, your business can build a trusted brand among users who have confidence in your handling of their data.
GDPR fines surpassed $1 billion in 2021, and it’s only a matter of time before the United States gets its data privacy house in order. Complying with multiple privacy laws might be cumbersome, but it’s quickly proving to be good business.