Operationalizing Data Protection & Privacy: Lesson 2
Metallica - Public Auditorium - Rock & Roll Hall of Fame Induction Ceremony - Cleveland, Ohio - April 4, 2009 Photo by Aaron Mendelsohn


Privacy Principles, Legal Frameworks, International Data Transfer & Managing to Multiple Jurisdictions

Disclaimer: The views and lesson here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.

First, I want to thank all of you who have reached out to me about this course, as it found a nice-sized audience in week one. It’s encouraging to know that there is a need for this content, and I’ll continue to post a weekly lesson according to the syllabus.

Last week we began our course with the basic concept that Data Protection & Privacy (DP&P) is first a legal compliance obligation, and further explored the relationship between compliance, trust, and risk. So, for our second lesson, it makes sense to take a moment to expand our understanding of what legal compliance means for managing a DP&P program, and to identify some of the risks and strategies for effectively operationalizing global DP&P regulations.

So let’s begin.

  1. As mentioned last week, achieving 100% legal compliance with all the global DP&P laws impacting your organization is largely a fool’s errand. It can feel like playing whack-a-mole, especially given the United States’ current approach, which requires us to manage an ever-increasing number of state regulations. With more and more countries leaning into comprehensive DP&P laws, and the US’s patchwork compliance framework, the global legal landscape isn’t going to simplify any time soon.
  2. If you’re a global company (particularly one with operations in the US), you’ve most likely already addressed GDPR and the California Consumer Privacy Act, and maybe cherry-picked a couple of additional key countries to more fully understand all their DP&P laws. But you are probably holding your breath a bit elsewhere. It can often feel like you’re perpetually treading water and would need five full-time resources to maintain a comprehensive, textbook understanding of all the world’s DP&P regulations.
  3. Often forgotten in the DP&P compliance discussion are the small to mid-market companies. There’s only one Meta, with 3000+ privacy professionals and a massive budget for DP&P; more likely than not, in smaller organizations there are only one or two professionals responsible for managing the company’s DP&P program (or it could even be a single individual with part-time responsibility). In this case, these organizations don’t have the luxury of devoting hours to checking off dozens of DP&P compliance boxes for countries around the world.
  4. A more effective starting point for building and maturing a DP&P program is developing core program principles, and a natural model is the Fair Information Practice Principles (FIPPs). If you’re unfamiliar with the FIPPs, you will recognize that many of the world’s DP&P regulations take root in these basic principles, which are commonly viewed as transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, access and amendment, security, authority, and accountability and auditing.
  5. It’s important to understand what these principles mean and how they become operational. For example, privacy notices and policies directly address the principle of transparency, and individual participation takes regulatory form in consent laws and data subject access rights.
  6. Some of the biggest conversations in many organizations are around data minimization and purpose limitation, as the business often wants more personal data and new uses for it. If you’ve incorporated strong DP&P program governance aligned with the FIPPs, though, you can at least point to these principles in order to push back on your data-hungry colleagues and work to strike the right balance.
  7. If you incorporate the general ethos of these core principles into your DP&P program, you’ll be much further along in your compliance posture than you realize. It might not address every compliance requirement, but it will put you on the road to defensible compliance.
  8. However, this approach doesn’t excuse the intentional dismissal of specific regulatory requirements. For example, US state laws and the EU’s ePrivacy Directive require companies to maintain strong data subject consent by implementing cookie banners and respecting an individual’s choice. Ignoring this requirement will quickly earn the ire of enforcement agencies, and you should develop a strong process and technical solution to maintain compliance.
  9. We also must ensure we’re not pursuing check-the-box compliance activities at the expense of driving real value in the organization. We must balance compliance processes and documentation with shifting privacy further left into the organization, engaging as business partners and not just as compliance generals.
  10. We’ve seen a lot of tail chasing over the last few years as it relates to compliance with international data transfer rules. Unfortunately, our profession has been caught in the crosshairs of a larger geopolitical conversation around surveillance and governmental access to personal data, and many of us spent years figuring out what’s necessary to comply with the various Schrems decisions and how to most effectively utilize a Transfer Impact Assessment.
  11. The still relatively new EU-US Privacy Framework appears to have brought stability to international data transfer requirements, and we as organizations can collectively move resources to more valuable compliance activities such as minimizing and protecting personal data.
  12. But that doesn’t mean we can simply stop evaluating our international transfers. Going back to the first lesson, it’s critical to understand where your organization’s personal data is collected and processed, and you should maintain an inventory and a basic risk assessment for these transfers. Now might also be a good opportunity for large global companies to revisit Binding Corporate Rules as a transfer mechanism and DP&P framework, particularly those that want to over-index on trust. I wouldn’t be surprised if we see BCR applications pick up in 2024 and 2025.
  13. There’s some uncertainty around protectionist countries like China and Russia that have strong data localization laws. While Russia may not be as pressing a compliance priority as it was before the war in Ukraine (as many western companies have left the country entirely, taking their personal data with them), China’s Cybersecurity Law and Personal Information Protection Law have required global companies to invest time and resources to ensure compliance, which is still largely ongoing.
  14. The underlying geopolitical tension between China and the west should not be discounted either, as any significant investment in compliance can be compromised by the whims of the People’s Republic of China. So far, there does seem to be a refreshing pragmatism among China’s regional enforcement agencies, but there are real concerns about what could happen to a company’s personal data if China forcibly annexes Taiwan and simultaneously limits the world’s access to all data within its borders. Companies with sizable business in China must develop business continuity plans for such scenarios.
  15. While the shifting regulatory landscape can be daunting, it doesn’t need to be. By developing an internal framework rooted in the FIPPs (or a derivative thereof), you will inevitably comply with a large percentage of DP&P laws. If you prefer, you can also utilize the core principles of GDPR and CCPA and feel reasonably confident in your DP&P program globally.
  16. But you must allow some room for variance. You need a clear understanding of where the second tier of regulatory risk is greatest and what those regulations uniquely require, and you should develop a simple approach for compliance in those jurisdictions. Failing to do at least some of this will leave your organization susceptible to increased scrutiny and potential regulatory enforcement.

That's it for Lesson 2. Please continue to share with your network and post your thoughts or comments. And thanks again for the continued support.

Great to see your commitment to educating on such crucial topics! As Benjamin Franklin once said, "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Keep empowering and enlightening! Looking forward to more lessons!

Juliet .U

Member|Adjudicator|Lawyer|Legal&Compliance|Global Privacy Consultant|Cybersecurity|CIPPC|CIPPE|CIPM|FIP

1 yr

Thanks for posting.

Claude-Etienne Armingaud, CIPP/E

Tech/Data Lawyer @K&L Gates | former EU Board Member @IAPP | One-Man-Band @My band

1 yr

... And Justice For All!

Müge Özbek, PhD

User Researcher & Cognitive Psychologist | I enjoy turning data into insights and aiming to be the voice of users in the product development lifecycle

1 yr

I know a good teacher when I see one. And if the opening slide of the lecture shows Kirk Hammett and James Hetfield, then you know you need to listen very carefully.
