5 Ways To Maintain Data Privacy And GDPR Compliance In 2024, By Alan Calder, CEO Of GRC International Group

Maintaining data privacy and GDPR compliance will become increasingly complex through 2024, particularly for organisations operating across more than one jurisdiction.

The concept of data sovereignty is well established around the world, with personal data subject to the laws of the country in which it is collected. This means many data protection laws have extraterritorial scope.

For instance, the EU GDPR (General Data Protection Regulation) applies beyond the EEA:

  • To personal data processing carried out on behalf of data controllers or processors in the EU;
  • To the processing of EU residents’ personal data in relation to offering them goods or services, or monitoring their behaviour; and
  • Where EU member state law applies by virtue of public international law.

The GDPR is acknowledged around the world as a ‘gold standard’ when it comes to data privacy legislation, affording personal data a level of protection largely unmatched elsewhere.

GDPR enforcement within the EU, combined with the EU-US Data Privacy Framework and the planned changes to the UK GDPR, all make it harder to keep on top of what must be done.

14 US states now have their own data privacy laws, and GDPR-like legislation has proliferated across the world. The volume of cyber security and cyber resilience legislation is also surging and, of course, also has significant implications for how organisations address their data privacy obligations.

So, how does any organisation stay ahead of these challenges? Here are five key actions for every management team to consider:

Map your data flows – make sure you know what data is going where, who has access to it, and how it is protected. This mapping should include subcontractors, service providers and supporting software systems. It enables you to identify the relevant legal obligations as well as to assess and improve your data security measures.

Ensure your Privacy Notice is up-to-date and reflective of the jurisdictions within which you’re processing data – if you’re open about what you do with personal data, you’re less likely to be challenged about your overall compliance strategy.

Ensure that your marketing opt-out mechanisms all work as they should and that, internally, you are clear about the lawful grounds on which you contact people – if you’re careful about compliance in these activities, you’re less likely to trigger a complaint that might lead to a fuller investigation.

Ensure that your data protection measures are adequate for the task: Cyber Essentials, penetration tests, anti-phishing training and tested incident response processes go a long way towards keeping you out of trouble.

Look for a compliance platform that enables you to cost-effectively cross-map the various regulatory mandates, identify relevant controls and generate necessary policies, procedures and internal audits.

This combination of activities should be enough to keep the organisation out of trouble. After all, if you do not give data subjects grounds for a complaint, and you avoid a cyber breach, you’re unlikely to find yourself managing the consequences of breaching GDPR.