To be or not to be - how can we deal with challenges of multi-jurisdictional data protection world

It is not without reason that the EU GDPR is referred to as the mother of all data protection regulations. Ever since the GDPR came into force in May 2018, there has been a plethora of data protection regulations across the world - from the capitalist and business-friendly US even to the last man standing of the communist world - China! While the purity of legal theory on the topic continues to rest with the EU (or, if one were to stretch, the EEA), the sheer numbers of the subject matter of the regulation (the individual) in the emerging economies of Asia pose their own unique challenges to the basic principles of the regulation. This has left many a global organisation struggling to craft an approach that would keep it within the compliance requirements across its global fields of play.

The key factors that aggravate the challenges can be summarized as follows:

1. While the EU GDPR covers off a significant theatre of operations for any global organisation (arguably the EEA or EU theatre with its 27 member states), the avalanche of regulatory enactment across national jurisdictions only got started in 2018. Ever since, momentum has built up, with the action picking up in the US where, currently, the theatre of action is at the state level: California, Virginia and Colorado have already enacted regulations and the remaining 47 states are at different stages of progress. Unless a federal-level law is enacted, the level of complexity just within the US is anyone's guess. In Latin America, we already have regulations in Brazil, Peru, Chile and Colombia, to name a few. In Africa, South Africa is leading the continent, while in the Middle East, the UAE is setting the tone. In South East Asia, India, Singapore, the Philippines, South Korea, Malaysia and Indonesia are among the leading lights, while China, Australia and New Zealand have also enacted their versions of the regulation. Russia has long had its version of the regulation and was one of the first countries to provide for localisation of data. Thus, any organisation that is global in its operations has to contend with a multiplicity of jurisdictions.

2. Another important variable is the difference in requirements under each regulation, and the differences can be quite stark. If one were to evaluate just the GDPR and the CCPA (the regulation in California), the requirements bar in each of these jurisdictions is poles apart! To name a few aspects: there is no requirement to maintain Record of Processing Activities documentation in California, while that is at the heart of the GDPR. Similarly, default opt-in is taboo under the GDPR while it passes muster under the CCPA, provided a 'Do Not Sell' option is offered in the privacy notice. A DPIA is mandatory under the GDPR in certain situations, while a PIA or DPIA is not even discussed in the CCPA. Breach notification is a major requirement under the GDPR, while it is not even discussed in the CCPA. Data localisation is not even mentioned in the GDPR, while it appears to be a major point of focus in the regulations of the jurisdictions in SE Asia, besides Russia and China. Thus, getting a handle on these varying requirements is another major challenge.

3. Perhaps the most important factor is culture. This is often overlooked and can have a major impact on the reputation or value perception of an organisation amongst its stakeholders, customers, investors and society. Nothing affects or influences privacy like culture, and therefore organisations with a global footprint would do well to align their data protection play with the local culture of each geography where they run business. Culture can be a game changer when it comes to commanding brand loyalty, and one misstep can be quite costly, even fatal, to the leadership stakes of brands. Stories are legion, especially in the emerging economies, where a lack of respect for and understanding of local culture has sounded the death knell for many a promising brand - and privacy is no different. What is acceptable in one part of the world may be strictly off limits in another due to the cultural traits at play.

So, how can one clean the Augean stables of personal data that global organisations have accumulated ever since the inception of the digital age, without falling foul of the law? The solution and the effort required are not easy, but also not impossible to achieve. To begin with, organisations should determine their red lines when it comes to the processing of personal data, so that they continue to retain stakeholder trust - the Higgs boson, or God particle, of the data protection world. That collection of red lines should form the baseline that the organisation looks to adhere to across its field of play, regardless of whether it is required by the local regulation. This may mean the bar is just about right in some jurisdictions, or a bit higher in others than the local regulation requires. Once that baseline is set, the organisation should then carry out a delta analysis within each jurisdiction to determine what additional requirements are to be addressed, after carrying out a cost-benefit analysis. Such a two-phased approach should hopefully inform a feasible solution to the balkanised lay of the data protection landscape and help the unenviable data protection teams keep their sanity in these exciting times!

Pranay Dalmia

CA | CISA | ISO27001 LA | AZ-900 | ITGC/ITAC/ IT SOX | SOC1/2

3 years

Nice article Sree. I agree with the approach of having some minimum Global Baseline at the organisation level and then leaving it to the member firms at Area/Region level for further implementation, doing their own cost benefit analysis in line with granular local regulatory requirements.
