Why a Global Approach to Data Protection Compliance is a “Best Practice”
Instead of creating data protection requirements that apply to organizations operating within a specific border, the new generation of data protection regulations sweeping the globe apply to the citizens of that region.
And, though this difference is subtle and even a little impractical, it means Data Controllers and Data Processors have to think differently about their approach to compliance and contracts.
For example, a multinational corporation headquartered in Houston would have to comply with the GDPR not by virtue of its location, but because it controls personal information belonging to its EU employees and customers. Furthermore, and too often overlooked, because the GDPR requirements also extend to that multinational’s Data Processors, its data storage providers, shredding services, computer recyclers, billing services, HR services, etc., must also be compliant with the GDPR, even though their trucks will never leave the Houston metro area. To put a finer point on it, if the Data Controller’s service providers’ policies and contracts are not GDPR compliant, then the Data Controller itself isn’t, either.
The more practical and effective solution, therefore, is for Data Controllers and Data Processors to structure their data protection compliance policies and contracts to meet ALL data protection compliance requirements globally, or rather, to meet the compliance standards considered to be the highest common denominator among all the global regulations.
If, at first blush, this approach seems unnecessarily onerous, it is not! Just the opposite, in fact. Creating and implementing the new universally compliant policies and contracts can actually be a very manageable process with the appropriate regulatory acumen and a balanced, reasonable approach.
And a global approach to data protection compliance makes practical sense in other ways, too.
For instance, by defaulting to the highest common denominator, both Controllers and Processors are fully prepared for the more stringent regulatory requirements that will inevitably emerge in jurisdictions closer to home. If it’s coming anyway, why not get ahead of the curve?
And, from the Data Processors’ perspective, a global approach can be a market differentiator. As such, it can be used to attract and keep clients, which translates into faster growth, more loyal customers, and higher profits.
The reality is, due to the way in which data protection regulations are now written, focusing on the rules in one jurisdiction is no longer a viable strategy. And while it does not necessarily mean that ALL provisions of a remote regulation must be incorporated, it does mean that those provisions can’t be ignored. The key is knowing how to navigate and being prepared for likely eventualities.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.