In today’s pervasive business ecosystem, many enterprises conduct business worldwide through their local subsidiaries and legal entities. Even supply chains and delivery channels span multiple nations. However, with a footprint across the globe, enterprises need to comply with new and emerging country-specific data protection regulations, and with existing ones that are becoming more stringent. Enterprises can no longer afford to be complacent or casual about data protection.
The complexity of diverse regulations
Enterprises operating globally may come under the purview of multiple data protection laws. Each law has its own binding requirements and nuances that enterprises need to understand and follow. Is it possible for enterprises to comply with all such regulations in a concurrent fashion? Arguably, the question has no easy answer.
Building a basic data protection framework
On the surface, the terrain may look difficult, but the situation is not as bleak as it initially appears. As we delve into such laws and as legal experts begin to dissect the clauses, common patterns begin to emerge. There are overlapping areas amongst these laws, notwithstanding the fact that each of these laws is unique in its own way. Furthermore, even for the broader commonalities, there are varying degrees of complexity across different laws. Yet, enterprises can start taking some basic measures for data protection regulatory compliance. Enterprises that have reached a certain stage of data protection maturity may have already undertaken one or more of these measures:
Establish a body for the definition, execution, periodic assessment, and governance of data protection measures that an enterprise must undertake. This body must include representatives from cross-functional units, such as Legal, Marketing, Business, IT, HR, Administration, Enterprise Risk and Compliance, Media, and Public Relations, among others.
Create a dedicated Data Protection Officer (DPO) role, reporting directly to the CIO/CEO and acting as a bidirectional conduit with the country’s central data protection agency. The DPO will bear the primary responsibility for regulatory compliance.
Define sensitive data categories applicable to the business domain of the enterprise and identify such data within the enterprise’s data stores, to help delineate the scope of the data protection program.
Establish practices of trusted data collection, such as getting explicit consent from citizens before collecting data, defining the purpose of collecting and processing data, and limiting data usage to the specified purposes outlined initially.
Establish practices of trusted data sharing, such as data masking, encryption, pseudonymization and tokenization, before sharing data on a need-to-know basis.
Establish practices of trusted data storage, such as ensuring that the data adheres to the country’s data residency requirements.
Establish practices of trusted data disposal, such as destroying the data once its defined purpose has ceased to exist and as allowed by other laws of the nation.
Offer citizens a way to have their data remain up-to-date, accurate and unique.
Define protocols for timely and transparent notification, in the event of a data breach.
Take stringent measures for protecting children’s data.
Adopting data protection, the smart way
Enterprises are now treating data protection as a business requirement since it offers a decisive competitive edge and provides long-term business benefits. In order to operationalize data protection measures, enterprises need to invest in appropriate commercial off-the-shelf (COTS) compliance software or build their own software. In either case, compliance software must be configurable and highly parameter-driven, and should have the ability to define country-level and hybrid policies. For example, if two laws ‘A’ and ‘B’ have different expectations regarding the time limit (in number of hours) for communicating a data breach, and an enterprise needs to comply with both laws, the compliance software must either allow the enterprise to choose a value that agrees with both laws (typically, the more stringent requirement of ‘A’ and ‘B’), or allow defining country-level policies so that the notification time remains separate for both laws. Another example would be compliance with varying data retention requirements across multiple laws.
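The policy resolution described above, as an added example that is not from the original article or from any compliance product. Laws 'A' and 'B', countries 'X' and 'Y', all values, the retention parameters and the stringency rules are constructed assumptions; the sketch goes one step further than the text by showing the case where no single hybrid value satisfies both laws and country-level policies are the only option.

```python
# Constructed policies for hypothetical laws 'A' and 'B'; every value is illustrative.
LAW_POLICIES = {
    "A": {"countries": {"X"}, "breach_notification_hours": 72,
          "min_retention_days": 0, "max_retention_days": 730},
    "B": {"countries": {"Y"}, "breach_notification_hours": 24,
          "min_retention_days": 1095, "max_retention_days": 1825},
}

# How the "more stringent" value of each parameter is chosen (assumption of this sketch).
STRICTEST = {
    "breach_notification_hours": min,  # shorter deadline is stricter
    "min_retention_days": max,         # longer mandatory retention is stricter
    "max_retention_days": min,         # shorter retention ceiling is stricter
}

def strictest(param, laws):
    """Most stringent value of one parameter across the named laws."""
    return STRICTEST[param](LAW_POLICIES[law][param] for law in laws)

def merge(laws):
    """Hybrid policy: one value per parameter that agrees with every law."""
    if not laws:
        raise ValueError("no applicable law")
    merged = {param: strictest(param, laws) for param in STRICTEST}
    # A value that satisfies all laws may not exist; fail loudly rather than
    # emit a policy that cannot be complied with.
    if merged["min_retention_days"] > merged["max_retention_days"]:
        raise ValueError(f"laws {sorted(laws)} have no common retention window")
    return merged

def laws_for(countries):
    """Names of the laws that apply in any of the given countries."""
    wanted = set(countries)
    return sorted(n for n, p in LAW_POLICIES.items() if p["countries"] & wanted)

def resolve(countries):
    """Use one hybrid policy if possible, otherwise separate country-level policies."""
    try:
        return {"mode": "hybrid", "policy": merge(laws_for(countries))}
    except ValueError:
        per_country = {c: merge(laws_for([c])) for c in countries}
        return {"mode": "country-level", "policy": per_country}

if __name__ == "__main__":
    print(strictest("breach_notification_hours", ["A", "B"]))
    print(resolve(["X", "Y"]))
```
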
Paving the way forward
Data protection regulations are complex and are here to stay. It would be naive to assume that implementing basic data protection measures will result in complete coverage of all legal expectations across all data protection laws. Nevertheless, if an enterprise has established basic data protection practices, it gets a head start with a minimum “threshold pre-compliance”, as it already has a framework. Further, this framework can be fine-tuned when a new law comes into force or existing laws are amended. The framework will provide agility in ensuring holistic data protection compliance, especially when the data protection regulatory landscape is becoming increasingly crowded with multiple laws.