The rise of digital technology continues to advance in such areas as connected health, telemedicine, combination products, the internet, and other customer and employee engagement tools. Yet, while these advancements have proven to provide incredible commercial benefits, they also pose increasing privacy risks.
The European Union’s General Data Protection Regulation (GDPR), high-profile cybersecurity breaches, and newsworthy invasions of individual personal data rights have brought privacy to the forefront for both consumers and regulators. As a result, organizations must develop policies, procedures, and documentation demonstrating global compliance that can also be operationalized by employees — all the while continuing to move business forward. This is the new future of data privacy.
The GDPR established the new standard for data protection, including requirements that organizations lawfully process the personal data of individuals, whether they are employees, customers, vendors, or patients. One important consideration with the GDPR is that it clearly outlines the fines and penalties for noncompliance, including 4% of the previous year’s annual turnover (gross sales) or 20 million euros — whichever is higher. The fines alone have raised the awareness of executives and boards of directors on a global scale.
Countries throughout the world — and even states within those countries — are proposing and passing new data protection laws that borrow from, modify, and in some cases add to the GDPR requirements on which they are unofficially based. The California Consumer Privacy Act of 2018 and proposed U.S. federal data protection standards are examples where these requirements are being extended to U.S. operations.
Following are key considerations for global organizations as they focus on managing the GDPR and other global privacy regulations:
Know Your Data: The first step to any data governance effort is to better understand the landscape of information the organization collects, including the nature and source of information, location, uses, movement, and retention.
Develop a Governance Framework: Organizations should map their processing activities to the various geographies and requirements that apply to them. This mapping provides the baseline for a risk and gap assessment, as well as for the project plan and for tracking the activities the organization should prioritize.
Create and Support a Data Governance Office: Data privacy cannot be handled by compliance or IT alone. Instead, the office should include representatives of key functions such as compliance, legal, IT architecture, security, HR, and customer operations, as well as the organization’s key geographies.
Leverage Technology Where Appropriate: As new regulations like the GDPR have emerged, the practical first step for most organizations has been to develop new policies and procedures and to document data inventories and task lists in loosely managed tools such as email or spreadsheets. The future of data privacy will require secure, managed processes around data management in place of these ad hoc tools.
Identify Privacy as a Commercial Advantage: Much like the regulations pushed on global organizations in years past that necessitated a change in operations to meet environmental standards, the requirements of data protection can be costly, burdensome, and difficult to manage.