After two years of GDPR enforcement, compliance with global privacy regulation is still top of mind for many businesses. New privacy regulations continue to emerge around the globe, from California to Brazil to India and beyond. These laws make privacy standards stricter and make it more complex to manage global privacy programs. As businesses adapt to meet these new standards, let’s take a look at how GDPR and its main themes continue to shape the privacy landscape.
Immediately after GDPR went into effect, many businesses were still unsure whether they were in full compliance with the regulation and adopted a “wait and see” approach as to how, and what, the individual Member States would enforce. They didn’t have to wait long: France was one of the first to act, imposing the highest data protection fine in history against Google (early 2019), and Portugal followed suit shortly thereafter by fining a local hospital for multiple violations.
Most Member States, such as Austria and Belgium, adopted bills that implement the principles GDPR demands in a straightforward way. In some countries, however, such as Germany, legislators took the opportunity to expand on GDPR and imposed additional, stricter requirements.
While the GDPR only applies to companies doing business in Europe, it has also inspired data privacy regulations in other parts of the world. To name just a few, the California Consumer Privacy Act, Australia’s Privacy Amendment, and Japan’s Act on Protection of Personal Information all echo protections laid out in the GDPR.
While the specifics of each piece of legislation necessarily differ from one jurisdiction to another, most of them share a set of common themes.
Common threads and themes in global privacy legislation (a non-exhaustive list):
- Consent Management: If relying on consent to process data, the controller must keep documentation of that consent and be able to retrieve it if data protection authorities ask for or audit it. This means that organizations must: (1) identify and map the context of consent, (2) capture a record of initial consent, and (3) document and manage consent across channels and time.
- Customer Data Access and Retention Management: In most organizations, customer data lives everywhere. So how is it possible to consolidate all that data into something a customer can access, read, and remove at will? Companies must: (1) strike the right balance in their data retention and retrieval processes, (2) create a system for organization members and customers to track data access requests, (3) remember the unstructured data, and (4) optimize data governance for compliance both now and in the future.
- Incident Management: The ability to scale quickly and address data subject concerns effectively during an incident is key for all organizations. Organizations must anticipate breach risks and organize plans and resources in advance. Minimum elements include (1) establishing notification processes and infrastructure, (2) promptly addressing incident-related customer and regulatory inquiries, and (3) validating compliance through audits and resolving any identified gaps.
How can GDC help you stay compliant?
With GDC’s “Data as a Service” Identity Verification model, all personal data is handled in compliance with the relevant data protection regulations. Each authoritative reference data source is qualified for identity verification use, is reliably updated and maintained by GDC’s data consortium partners, and is accessible through a single API.