The key to a successful global data protection programme

Intro

Privacy and data protection laws seem to be popping up everywhere. This raises the quesiton: how can businesses react to the proliferation of data protection norms? Many of these draw inspiration from Europe and refer to the fair information practice principles. Some, take a different approach in significant ways (for example CCPA ,in the way they define the households or protect only California Residents). Yet, even those that are similar, differ to a larger or lesser extent. This poses a challenge for organisations that must comply with the multitude of laws across the globe. This article explores how an organisation can arrange its global data protection programme, so it allows the organisation to navigate different legal requirements and various consumer expectations in an efficient and business-friendly manner.

The proliferation of data privacy laws around the globe

I was recently asked by a colleague from South Africa to speak about GDPR and the new South African Protection of Personal Information Act (POPIA). Both laws, just as others, encourage companies to respect the privacy principles (lawfulness, fairness, transparency…). So far so good, yet, when digging into the details, I was baffled about how to best manage compliance with both: there are significant differences in the definition of data subjects, as POPIA include legal entities, or in the understanding of what is a records of processing activities. This made us wonder how best to align these two worlds. 

However, even locally in Europe, meaningful differences remain. While GDPR applies to living individuals, in Denmark as long as you are dead for less than 10 years your data is equally protected. On the one hand, a curious example to raise in a blog article, on the other a practical problem: if you operate a large cross-European customer database you better be aware that in Denmark, you’ll need to account for that fact.

The Europeans will proudly speak about data protection being a great export good and the effect of the EU unification on global lawmaking. What I observe is that we are moving from seeing data protection and informational privacy only at a high-level human right aspect, towards recognising it as a procedural right that requires specific documented compliance efforts in many legislations around the globe.

Consequently, data subjects receive a similar level of protection and at least on a principled level, the various laws give them some control over how their data is processed. However, when it comes to the practical aspects of implementing data privacy, the laws still expect the fulfillment of similar, but not the same, duties.

Consequences for businesses

Similar-but-not-the-same rules have significant consequences for businesses. While the business may have a true commitment to the protection of individuals data privacy, it will be exposed to the different duties as required by local laws – and those differences rarely (if ever) result in increased protection of the individual. Rather, they breed a range of formal duties and small differences stemming either from local drafting, or local legislation.

The consequence? Companies that are global ask themselves “how many data protection programmes do I need and how many DPOs should I hire?” An almost historic example of that is the variety of different data breach obligations in different states in the U.S. However, the struggle is real also for obligations such as records of processing activities, or processes for the fulfilment of data subject rights.

Local compliance through a global data protection programme

Our advice is to apply the Pareto principle – also known as the 80-20 rule – when designing your data protection programme The foundation should focus on sound governance, commitment to principles and a culture of respect for individuals and their data. This will allow you to integrate some of the most important aspects of privacy into the organisation. Especially because the concepts such as transparency, or fairness, or even privacy by design (or data protection by design if you prefer) are seldom specified by the authorities.

With this strong foundation constituting the bedrock of the global data protection programme, the organisation can next look at local differences – and seek to adjust where necessary. 

From a governance point of view, this typically means a data protection and privacy policy that establishes the organisation’s privacy commitment (and vision should there be one). It will also on a commitment level establish some rules such as having a legal basis for your processing, maintaining privacy documentation, or regulating relationships with 3rd parties. 

Those obligations shape a privacy program on a general level.

The detailed day-to-day operation is better handled through Manuals, or Standards Operating Procedures (SOP), and mandatory documents that the organisation needs to maintain (such as Records of Processing Activities). 

It is at this level that the organisation must decide how to handle issues uniformly, and where to differentiate. In principle three options are possible:

– The highest standard approach: assuming that compliance with what is seen as high watermark legislation “automatically” means compliance with all the other laws;

– A local approach where each of the jurisdictions receives its own local SOP that provides its own processes and assigns its own responsibilities;

– A mixed approach (or 80-20 approach which I already mentioned we favour) that is establishing one course for all organisation but allows for local differentiation based on risk. 

Why based on risk? Because the organisation must actively answer whether any divergence from its global standard makes business sense and/or exposes the company to risk. As an example, let’s say that the organisation established in Europe has chosen GDPR as its standard and has created a process to answer data subject requests according to the GDPR requirements. 

Now it looks into handling personal data of local branches (who are the data controllers). It can ask itself questions such as:

– Should we give individuals more rights than the specific local legislation does? 

– Does it make sense to extend the deadline for answering the request to align with local legislation? 

– Can we get away without fulfilling specific types of local requests? 

The answer will often be based on specific cultural circumstances, the strength of local enforcement, or the cost of implementing a separate process. To be more precise, we are speaking about in the worst-case scenario of implementing 20 separate processes if required. As such the complexity can explode, if the company is present in numerous locations.

Main points of contention in local legislation

The idea of a globally unified privacy programme sounds easy enough, but we know from experience that certain aspects typically introduce complexity. Some examples of those are below:

Legal bases (and especially consent)

The principle of legality obliges the controller to obtain a legal basis for each processing purpose. This principle in some form is present in most legislations, yet it differs with the list of legal bases that are provided, but also with the way the bases are implemented. This is most visible with the concept of consent. 

Europe has evolved away from consent as an omnipresent sign-off and a mandatory prerequisite of processing. Instead, data subjects often are informed of processing that is based on other legal grounds. When consent is sought, it prescribes freedom of choice and an understanding of alternatives. 

Applying and enforcing the GDPR consent in other geographies, or alternatively completely moving away move away from the use of consent in these geographies may prove immensely difficult. This is for example the case in the UAE – consents are widely collected, even though they are sought more in the form of acknowledgement or acceptance of broader terms of use, and the choice individuals have is limited. 

However, the controller is here caught between local legislation that often requires what it deems to be valid consent, and the legal culture which finds having a signature useful proof.

DPO

The function of the Data Protection Officer originally stems from German Datenschutzbeauftragte who allowed the company to avoid registering with the local authority. The role was brought into the company as a representation of the interest of the data subject. The function was introduced in GDPR, and many local legislations have followed suit. Yet, the preconditions towards the role can be different. Not all of the laws allow for a Group DPO appointment, or an external DPO (Egypt is an example of the latter). Some data protection acts, such as the KVKK in Turkey, require a locally registered individual. Finally, Israel introduced a Data Protection Officer who focuses more on data security and is obliged to be dependent on top management (instead of the famously independent function in Europe). 

Once again, an organisation with a wide global footprint may find itself facing a list of – on the surface – identical requirements, but with very different tactics required.

Data breaches

My last example of the disparities that a global data protection programme will need to consider, is the handling of data breaches.

Here the most important differences can be recognised on two dimensions:
1) when does the controller need to notify the authorities, and
2) how quickly must they do so.

The first one focuses on the understanding of risk. Does every breach need to be notified? Only those that entail a high risk for the affected data subjects? As mentioned, the requirements for controllers vary significantly across geographies – from clear requirements for notification to both authorities and data subjects to no notification requirements at all. This may be further complicated by the fact, that several countries have industry-specific (e.g. bank, telecom) regulation of notification requirements.

The second deals with the notification deadlines. Those span from as soon as practicable, or without undue delay, to 72 hours and so on. 

The distinctions in the regulation of data breaches across geographies make it difficult to apply one centrally defined standard operating procedure. While fundamental internal data breach management capabilities and readiness obviously make sense from a business perspective – even in the absence of external legislative requirements, it may be much harder to centrally define external standard procedures, e.g. towards authorities. 

Conclusion

Global privacy programmes are difficult to design. As the capabilities and expectations of authorities, as well as the maturity and awareness among consumers still varies significantly across geographies, it will be prudent for large international organisations (and today those are not only the large multinationals), not to attempt to design a one-size-fits-all data protection programme. Large international organisations should focus on establishing central principles, while at the same time allowing for local adaptation to specific national requirements and consumer expectations.