While privacy laws are now present in around 130 countries worldwide and amount to close to 500 laws, companies have a lot of work to do to stay compliant with the new privacy laws that have recently been brought into force in some countries. Keeping track of the latest developments in privacy law has become a very cumbersome task, since the sector sees new privacy laws every so often. But this only means that countries and regulators are moving in the right direction towards improving and maintaining the privacy of personal data.
How Do We Keep Up?
The EU GDPR was not the first privacy regulation on the books, but it was the first major regulation that brought comprehensive oversight to privacy needs. Other regulations like the CCPA followed and are quite similar to the GDPR, while still differing in their scope and target. An organization that is spread across multiple locations around the globe and provides services to a vast number of clients across countries needs to stay up to date on its privacy compliance or face heavy fines and lawsuits. One approach is to follow the most stringent regulation, so that compliance with the other regulations becomes easier. Most of the time, this approach is easier said than done: even after three years of the GDPR being enforced, a lot of companies are struggling to stay compliant.
Steps to Ensure Compliance
- Increase awareness across the business units in the organization
- Periodic audit of all the personal data
- Regular updating of the privacy notice
- Review procedures supporting individual rights and data subject access requests
- Document all the legal bases for processing personal data
- Establish procedures to detect, report, investigate and mitigate a personal data breach
- Review process around Data Privacy Impact Assessments (DPIAs)
- Appoint a Data Protection Officer (DPO)
- Review the data that you hold on children
- Review how you seek and record consent
At GS Lab | GAVS, we take a holistic approach to staying compliant with emerging privacy laws. It is important to have a solid understanding of the data flow of any data stored or processed within the organization. This provides a strong foundation for managing and implementing complex privacy measures. The GDPR is undoubtedly one of the more comprehensive regulations, but it is also vague. This leaves most organizations guessing at how to interpret the regulation, since it is uncharted territory for most of them. Robust legal counsel can be one part of the solution, helping with interpretation of the law and avoiding a speculative approach to the regulation. To go beyond a simple one-size-fits-all approach, a company’s privacy leaders must have a strong understanding of the many different privacy laws of the relevant jurisdictions. Key areas of difference to focus on include what constitutes sensitive data, limits on automated data processing, legitimate bases for processing data, and the rules of consent, among other things.
These solutions alone will not necessarily ensure robust compliance; continuous improvement and innovation will. An organization must not only strive for external business growth but also look internally to achieve that goal. It is important for a company to encourage innovation and take a holistic view of the best approach to implementing a particular regulation. This will give rise to new ideas and keep the company fueled with what is necessary to achieve the next business goal.