Managing privacy compliance on a global basis
August 2015 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
Technology is evolving constantly and rapidly, and global organisations tend to prefer to roll out new technology on a global scale. In addition to the operational and technical challenges, rolling out new technologies invariably raises legal issues around privacy, data protection and data security (collectively referred to as ‘privacy’ in this article).
Privacy issues are at the heart of technology projects, whether they concern new projects, new offerings and applications, consolidation of existing databases, cloud-based solutions, bring-your-own-device programmes, cyber security or data loss prevention solutions, to mention just a few examples. Global organisations have been dealing with the difficulties associated with privacy compliance on a global basis for years. However, as new, more potent technologies come to the mainstream, the number of privacy issues increases and, often, the quality and even the nature of the issues change.
At the same time, the legal and regulatory environment in which these issues must be addressed is changing. There is new and forthcoming legislation (such as the new Russian local data storage law, the Draft EU Data Protection Regulation or the draft Brazilian data protection law), which invariably sets new or higher expectations of compliance and significant sanctions for failures. There is also a growing body of court judgements that are, or have the potential to become, game changers. These include the recent judgement of the Court of Justice of the European Union (CJEU) which introduced a new ‘right to be forgotten’ in EU law, and the potentially seminal cases pending before the CJEU on the nature of IP addresses as personal data and the future of the EU-US Safe Harbour programme. Last but not least, emboldened privacy regulators do not hesitate to exercise their enforcement powers, ‘take on’ even the biggest global organisations and cooperate internationally to promote cross-border enforcement.
In this combustible environment, many global organisations wish to approach privacy compliance on a global basis, in tandem with the borderless nature of their business and technology. Is it then possible to strike a balance between achieving legitimate business interests and respecting the privacy of individuals on a global scale, while optimising the residual compliance risk? This is not an easy task, but good intentions, creative thinking and careful implementation can take organisations a long way.
Taking a global approach – key considerations
The decision whether to approach privacy compliance on a global basis should be informed by a number of key considerations.
First, technology is global, privacy law is not. Whereas modern technology defies borders, its privacy implications are assessed under national laws that set varying (and sometimes conflicting) requirements and are enforced in different ways from country to country. Put simply, taking a single approach to compliance globally means that it is difficult (if not impossible) to be 100 percent compliant in every country.
Second, privacy law is changing worldwide. This means that there is uncertainty, grey areas and room for argument. It also means that soon organisations will be subject to higher expectations of compliance and significant sanctions for failures, such as mandatory breach notification, mandatory regulatory audits and huge fines. For instance, the EU is currently contemplating the introduction of fines of up to 2 percent of annual worldwide turnover for serious privacy failures.
Third, privacy law will always lag behind technological developments. In fact, the gap is widening apace with the evolution of technology. Privacy regulators try to bridge this gap through their guidance.
Fourth, privacy law is vigorously enforced by activist regulators who are becoming more sophisticated in their understanding of the technology, bolder in their enforcement activity, and more coordinated in enforcing across borders.
Fifth, as a result of the above, there is legal and regulatory risk in rolling out new technologies, especially when compliance is approached on a global basis. Put simply, organisations that wish to take a global approach to privacy compliance will find that ticking the compliance box for every requirement of every national law for every matter at all times is mission impossible. Some risk acceptance is therefore unavoidable.
Sixth, ultimately, it is all about trust. What leads to the most serious forms of enforcement action and to serious business impact, such as the resignation of senior management or the killing of business models, is not technical non-compliance, but rather the loss of trust by stakeholders (including consumers, privacy activists, the press, customers, business partners, shareholders and regulators) that the organisation respects privacy and is doing the ‘right thing’.
Implementing a global approach – key steps
Against this background, organisations that wish to take a global approach to privacy compliance should take an eight-step approach.
First, acknowledge privacy as an essential factor in adopting new technologies. ‘Privacy is dead’ and similar rhetoric will get you nowhere and will put your organisation squarely in the sights of regulators.
Second, carry out a privacy impact assessment to understand the technology, how it affects the privacy of individuals, the personal information involved, why and how this information is processed, why the impact on privacy is justified and how it can be mitigated.
Third, identify the traditional compliance framework, which comprises the applicable national laws, any other external instruments that the organisation voluntarily complies with (such as codes of conduct and industry guidelines), and the organisation’s internal policies and processes.
Fourth, carry out a compliance risk assessment, focusing on understanding actual (as opposed to potential) risk, taking into account the priorities and sensitivities of privacy regulators, the most relevant risk vectors (e.g., data breach, regulatory enforcement, brand damage, deal lag, etc.) and risk materialisation factors (cyber attack, data security breach, activist regulator, local links, etc.).
Fifth, define the organisation’s transnational privacy framework and compliance strategy. There are two elements here: (i) defining the transnational rules of privacy law that the organisation will aim at complying with; and (ii) setting the compliance maturity level that the organisation will aim for (e.g., best of breed, run with the pack, basic compliance, ad hoc risk optimisation, etc.). In relation to selecting the applicable transnational rules of privacy law, organisations may select the rules of an existing framework (for instance, the EU data protection and e-privacy directives) or the principles and rules common to more than one system, thus taking a truly international approach. Despite divergences, ‘advanced’ privacy frameworks (existing and emerging) essentially enshrine the same core principles: lawfulness, accountability, fairness, transparency, enabling individuals to exercise choice and exercise their rights, processing purpose limitation, proportionality and data minimisation, data accuracy, limited data retention, appropriate data security – including in the hands of contractors and in the context of data exports, dealing with failure and mitigating its impact on individuals. Compliance with these widely accepted transnational principles and careful optimisation of the residual risk can take organisations a long way (but not all the way) toward compliance in every country while ensuring that in most cases any residual non-compliance is likely to be of a technical nature, as opposed to major non-compliance that is likely to result in the materialisation of serious risk for the organisation.
Sixth, implement a transnational compliance framework by putting in place a set of technical and organisational controls that ‘operationalise’ the compliance framework, such as policies, processes and contracts, technological controls and solutions, accountable stakeholders and trained personnel.
Seventh, be prepared to justify your approach and evidence compliance – “Caesar’s wife not only has to be honourable, she has to seem so”. Positive behaviours, documented assessments, contractual and policy hygiene, and records of resolving issues and complaints can help a lot.
Finally, organisations must monitor, review, adapt and improve their approach to compliance. Taking a global approach to privacy compliance is a programme (not a project), which requires regular assessment and checks and balances on the ground (such as monitoring and measuring breaches, complaints and regulatory enquiries) and adapting the implementation of the transnational compliance framework as necessary.
Antonis Patrikios is a partner and Marta Dunphy-Moriel is an associate at Fieldfisher. Dr Patrikios can be contacted on +44 (0)20 7861 4354 or by email: firstname.lastname@example.org. Ms Dunphy-Moriel can be contacted on +44 (0)20 7861 4821 or by email: email@example.com.
© Financier Worldwide
Antonis Patrikios and Marta Dunphy-Moriel