As global organizations build out and mature their data governance and privacy programs as a top goal for 2021, balancing the goal of unleashing more business-critical data to drive enterprise value creation programs against the potential harm of data exposure risks remains a work in progress. The problem is compounded as organizations need to consider consumer privacy laws across the globe.
Data privacy governance policies within globalized organizations are evolving with each new or updated regulatory mandate in a constantly changing landscape. So, what are privacy officers and data stewards to do when attempting to install a best practices approach through data privacy policies and data handling procedures that can scale globally?
The truth is you are not alone in this challenge. Continually evolving mandates can make data privacy controls even more complex to administer unless they are made programmatic and automated.
Data privacy regulation is often framed through the lens of regional mandates where the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) get predominant coverage, as they represent two leading standards within two massive economic zones. The GDPR is driving EU (European Union) privacy policies and many would agree that the CCPA is the current de facto reference for emerging policy in the US. In fact, recently the CCPA got an upgrade with California’s Proposition 24 (CPRA)—it’s still evolving too!
However, while the focus remains on North American and European consumer privacy laws, we can’t forget that each region has similar laws in place that are also evolving and growing stronger, and most follow a similar pattern of mandating and clarifying data protection controls, along with the need for increased data transparency that enables responsiveness to consumer rights, such as routine data use inquiries.
So, while definitions and details may vary across regional privacy mandates, organizations will need to install a consistent privacy governance framework to manage worldwide data privacy policies and scale out with a single umbrella approach to streamline data governance procedures and offer consistent quality of service to customers worldwide.
Singapore’s Personal Data Protection Act (PDPA) is nothing new, in fact, it’s been enforced since 2014 with recent updates in November 2020. And while it’s largely flown under the radar for global organizations, as compliance has been often eclipsed by its splashier counterparts in Europe and the Americas, that doesn’t mean it should be ignored. And if you are doing business in Singapore, it most certainly cannot be.
The PDPA follows a consistent pattern like the GDPR and the CCPA in the general scope of enforcing data protection and data transparency. Organizations often debate whether they need to handle each country or regional mandate uniquely, such as simply having an in-country affiliate company manage its own policies. However, there is growing consensus that standardized policies create fewer operational headaches in the long term. In other words, strive towards a consistent approach that meets baseline universal data privacy standards, and only enforce unique policies, in region or in country, where necessary due to legal conflicts.
As an example, data subject access requests (DSARs) require a 30-day response timeframe under the GDPR, whereas California’s CCPA allows 45 days. But do you have a good reason not to strive for a 30-day service level that meets both requirements and offers consistent quality of service to your global customers? If you simply followed the GDPR’s best practice and applied it to the California law regardless of the 45-day allowance, you’d have a head start in complying with the PDPA and achieve consistency!
The PDPA, much like the GDPR or CCPA, affords consumer protections and follows similar concepts of requiring consent to use data, appropriateness of purpose along with disclosure of those purposes, and a reasonably appropriate use in the spirit of the consumer’s consent.
While each privacy mandate contains various nuances, organizations need to ask—is there a reason to not afford the same standards across all consumer privacy use cases and regions?
Not only is a uniform customer experience good for business, but it cuts down the complexity of governance programs to streamline operations and democratize data with a predictable approach. Moreover, as regional, global, federal, and other policies begin to solidify, there’s little doubt they will also strive to achieve the best practices that you’ll already have prepared to meet. Privacy is only getting tougher—all the more reason to support higher standards that are more likely to be adopted, long-term.
CPO Magazine recently highlighted 4 trends heading into 2021.
As we look at applying the same data governance programs and best practices that originated from the GDPR, the CCPA, or even industry-specific regulation such as HIPAA (Health Insurance Portability and Accountability Act) for healthcare privacy, the message is clear that repeatable approaches are necessary to simplify operations and adapt to growing global mandates. This includes Singapore’s PDPA privacy law, as well as others, such as Brazil’s LGPD.
The good news is that the work done to meet one set of standards is often applicable to the others: take the best practices of each and apply them globally to make data governance predictable. Until the time comes when we have global standards for data privacy, adopting a flexible data privacy governance framework is the best we can do to stay adaptable, repeat best practices, scale out and control data exposure, making data democratization safer and more predictable for unleashing value.