The global privacy landscape is fractured and rapidly evolving. From 2017-2018, there was a 10% increase in regional privacy legislation. In the modern age, the GDPR has set the baseline for data security, prompting businesses to rethink data privacy frameworks. Today, there are thousands of local, regional, and omnibus laws pertaining to data privacy. But, with the advent of new regional privacy laws, data privacy has become a regulatory nightmare for businesses relying on manual data governance solutions.
Below, we look at the regional privacy legislation landscape and discuss some of the key considerations for data governance.
Understanding the State of Regional Privacy Laws
While omnibus bills like the GDPR and LGPD receive the bulk of media attention, nearly two-thirds of countries around the world now have privacy laws. In addition, at the hyper-regional level, nearly half of the states in America have enacted their own data privacy laws.
Even from a regional standpoint, data privacy has a broad reach. Most regional privacy laws require compliance from companies that sell to consumers in specific localities. Yet, given the current state of digitalization, many companies can now engage in domestic and/or international commerce, regardless of location.
From a top-down perspective, many of these data privacy bills are meant to supplement the GDPR. However, others use completely unique data privacy frameworks — adding to the overall governance complexity. Undoubtedly, GDPR compliance poses a great challenge for many organizations. According to a recent survey, around half of EU businesses still aren’t GDPR-compliant. And, although many small businesses have spent heavily to ensure GDPR compliance (up to €50,000 in some cases), many still struggle with data security concepts like encryption.
In other words, data privacy is a challenge. When you add regional privacy laws to omnibus frameworks, the challenges multiply. Of course, it’s entirely possible to adhere to both regional and omnibus privacy guidelines. However, this requires cross-collaboration among IT stakeholders, and it also requires investments in the right technology.
Let’s look at the two most common frameworks for dealing with regional privacy laws.
Complying With Local Standards: A Tale of Two Cities
The majority of organizations fall into two categories. They either try to comply with each standard using disparate policy frameworks, or they take a stringent approach to data privacy.
The Granular Approach (a.k.a. “The Logistical Nightmare”)
For some organizations, this proliferation of regional privacy laws can be intimidating. So, they look at the current data privacy landscape and attempt to identify the most critical standards. Then, they work to comply with those standards only. The rationale is this: the fewer privacy standards to follow, the less challenging compliance management becomes.
However, there are some limitations to this method. For starters, virtually every business (regardless of size) engages in commerce across borders. In fact, more than 58% of small businesses now have overseas customers. And, the more regions you do business in, the more data privacy standards you have to comply with. This means constantly adjusting and reframing internal data governance policies.
Even if you’re one of the few businesses that only operates domestically, you still have to comply with state-by-state standards. There are now 11 state data privacy laws in the United States. And, on the federal level, bills have been advanced to create a national data privacy standard. In February 2020, Senator Kirsten Gillibrand introduced the Data Protection Act to address the growing data security crisis in America. And, in March 2020, Senator Jerry Moran introduced the Consumer Data Privacy and Security Act of 2020 (CDPSA) for the same reason.
In a nutshell, the granular approach only works for small businesses that predominantly engage in domestic commerce. Apart from this, the practice of creating disparate policies around distinct privacy laws would completely disrupt daily workflows.
You would experience near-constant business interruptions, reduced productivity rates, and decreased operational efficiency. But, let’s cut to the chase. The majority of businesses taking this stance do so to avoid broad changes.
With more compliance standards on the horizon, most businesses can see the storm coming. They understand that investing in solutions that help catalog and secure data is critical. However, when businesses aren’t ready to embrace transformative new technologies, it can be easy to convince stakeholders to adopt “one standard at a time.” This piecemeal approach isn’t ideal.
Certainly, we may see a unified data privacy standard every country rallies behind. But until then, the granular approach does little to address the challenges inherent in statutory overlap. In light of this, a broad approach may be the answer.
The Broad Approach (a.k.a. “Everything You Can Do I Can Do Better”)
What’s the winning approach when you’re faced with a never-ending array of standards? Remember that age-old adage “fight fire with fire”? Well, that’s the simplest and most effective way to navigate the data privacy minefield. Take the strictest standard you have to comply with and then exceed that standard. We like to call this “building a regulatory-agnostic framework.”
It’s the trickle-down effect of compliance. Don’t engage every mob: find the overlord and tackle him. Build a compliance framework that treats every customer (and non-customer) the same way. This involves remediating data handling issues and reducing your overall personal information (PI) surface area. Most importantly, it involves creating broad policies that are more stringent than the most comprehensive data privacy framework.
On the surface, this advice may seem overly simplistic. It may even resemble a salesy “How We Treat Your Data” spiel. However, in light of increasing cyber breaches, creating a single holistic data privacy framework with best-in-class data governance solutions is critical to business viability. In the era of COVID-19, the HIPAA Breach Reporting Tool at the Department of Health and Human Services site has reported an uptick in data breaches. In all, there are now 549 breaches under investigation by the Office for Civil Rights. Thus, data security is more crucial than ever.
Of course, creating a broad framework may seem daunting. It may mean that you have to completely rethink your IT architecture. It also means investing in disruptive technologies to enable data governance and security on a broader level. However, the rewards are immense. You gain an immediate advantage over your competitors who must scramble to shift workflows every time a new privacy law hits the scene.
Work With Integris to Comply With Regional Privacy Laws
At Integris, we believe that complying with regional privacy laws shouldn’t be a burden. Here’s why: they’re almost all supplementary in nature. To help, we built our data governance and compliance solutions to go above and beyond the most uncompromising data privacy standards the current landscape has to offer. In short, we’re fully regulatory-agnostic. From omnibus bills like the GDPR to local standards like the CCPA, we offer solutions that help you reach full compliance — regardless of the data standard.
If you’re interested in seeing what being a secure organization looks like, contact us for more information today.