The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Act on the Protection of Personal Information (APPI) and the Personal Data Protection Act (PDPA) are just a small fraction of the data privacy legislation in force around the world. If your organisation is located in one country and your market is purely domestic, then you only need to worry about one set of rules, right? Wrong! The US alone has upwards of a dozen different laws, and that number is rising significantly and quickly as more states conclude that they need a data privacy law of their own. Further afield, organisations in other countries are typically subject to both a national law and any law flowed down to them from a supranational body, as in the case of every EU member state, where GDPR applies directly alongside national legislation. So what if your market isn’t purely domestic (and in 2020 it is unlikely to be)? How do you ensure you’re in compliance?
Phase 1: Create a Compliance Matrix
The first step any compliance team needs to take is to draw up a list of all the geographies in which you target your products or services. In the case of the US, be sure to specify whether that means a particular state or the whole country. When you’re doing this, think longer term and not just about today: include emerging markets you think you might like to break into. Now that you have a good understanding of where you’re selling, you can begin to build a matrix of those countries and the legal and regulatory frameworks you’ll need to abide by. Again, in the case of the US, you’ll need to list the laws that apply in each state in which you’ll trade, e.g. the CCPA for California, the Consumer Information Protection Act for Oregon, the Standards for the Protection of Personal Information of Residents of the Commonwealth for Massachusetts, and so on.
Phase 2: Expand Your Matrix to Include All Business Activity & Assess Your Current Processes
At this point, you’ll know where you’re trading and which laws apply to you. That’s a good position to be in, but there’s more. You should expand your matrix to define how each rule applies to your business: which business activity or data flow it touches, what the obligation is, and how that obligation is being addressed or mitigated. This lets your organisation see, at a glance, every obligation and its current control. You may find from doing this exercise that you’re trading in a country with specific data localisation laws that you need to be aware of. The number of countries with such laws is increasing; at the time of writing, the three most prominent are China, Russia and Vietnam. If you do business in these regions, there are yet more obligations to note. You will very quickly see how invaluable the matrix becomes.
Once the matrix is complete, an assessment of your current processes against it will need to be conducted. You’ll need to ask questions such as:
- Do your current processes take these requirements into account? If you’re trading internationally, you’ll almost certainly be using a CRM system, so there will be questions about what personal data it holds, where it is hosted and who can access it.
- Have you restricted access to personal data in line with the derogations and restrictions that apply in each jurisdiction, rather than granting every region the same access?
- Where local laws prohibit transferring personal data outside the territory (e.g. Russia), have you deployed a CRM instance in that territory and modified your data flows so that region-specific information stays there?
Phase 3: Implement New Data/Information Security Processes & Train Your Employees
Now that you know what needs to be done comes the somewhat more challenging phase of actually implementing it. How complex a task this is will depend greatly on how much data you have, how many countries you’re present in, how entrenched your current systems and processes are, and so on, but this part of the project will take some time. To make the most of that time, use it to train the rest of your organisation in the requirements. Salespeople, for example, will be firmly focussed on selling the right product or service to the right customer for the right use case, and an obscure caveat buried in a foreign legal text won’t be at the forefront of their minds. Tailor the training sessions per department or role type and include examples they can relate to: how these rules affect the daily work of a sales rep will differ from how they affect someone in finance.
Upon completion of all of this, your programme maturity level will be high, and your business will be in a strong position. You can use your compliance posture, awareness programme, training schedules and processes as a key differentiator in commercial discussions, giving you a significant advantage over competitors in a highly competitive marketplace.
Of course, compliance is not a one-time effort. It’s a journey of not only achieving compliance but also retaining it. Your business needs to keep maintaining the standards, policies and strategies that got it there. Your legal and/or compliance team(s) should keep up to date with changing laws in the regions defined in your matrix, because those changes will affect how you conduct business in those geographies and could require changes to your technical and organisational controls.
A great deal has changed over the last couple of decades, and both the risk landscape and the operating reach of businesses have expanded enormously. Taking the steps outlined here gives you a roadmap for staying on top of it all and keeping up with compliance.