Back when GDPR dropped in 2018, some companies simply pulled their advertising business from the EU, others opted to maintain compliance only in GDPR-affected territories and some chose to make their entire global business GDPR-compliant rather than deal with the legal, operational and engineering expense and hassle of maintaining distinct policies for different regions. Global compliance was a long-game strategy, and it looks like it was the best one. It’s plainly evident that data privacy is a global trend. While each law is different, together the emergent regulations should stand as a call to action for all digital businesses.
Comply, one way or another
Generally speaking, companies facing a deluge of data privacy laws have two options. They can meet each new law on its own terms, bringing together operations, legal, engineering and any other stakeholder departments to formulate a plan and put it into action every time the game changes. Or—the far better option—they can get ahead of the inevitable new data paradigm and adopt a global data policy framework. That is, they can adopt an operational policy that aims to comply with any likely iteration of the data privacy regulations we can expect to see.
Adopting a global data privacy framework is a challenge, no doubt. But the alternative is worse. Adopting individual policies to suit the rules of every individual region is too costly, too inefficient and too legally risky to bear. Of all the factors that could impact a company’s bottom line, regulatory compliance should not be one of them. Every company that had to adapt to the OMS shakeup of 2018 or chose to embrace GDPR compliance rather than flee the EU had to bring together stakeholders from across their organization to revamp their way of doing things. Continually re-evaluating company-wide processes wastes money and human resources. We need to save energy for operational revamps to use when crises we can’t foresee emerge. And there’s nothing unforeseeable about the data privacy regulations.
Globally compliant policy frameworks are easier, cheaper and safer
When we can see where global trends are pointing, it makes little sense to wait for governments to hand down data directives to us. Any forward-looking company has the background it needs to be proactive and to develop a framework that works for its business and customers and that passes muster for privacy trends as we see them playing out. Remember, real money is at stake. Under CCPA, minimum fines for a data breach are $100–$750 per Californian affected. GDPR brought lawsuits in the EU and CCPA will bring lawsuits in the U.S. Consumers have more knowledge than ever about how their data is used and shared, and they’re watching. A strong global data policy framework for your company will show the way around lawsuits.
A global policy will also mitigate the need to re-evaluate legal, operational and engineering practices each time another government raises the privacy bar. Addressing these laws one at a time is daunting, inefficient and expensive. It will require expertise in regional law around the globe, engineering resources to identify whether IPs are located in affected areas, and operational action. It’s not practical and it’s not smart to undertake a company-wide shakeup for each new data law.
The way forward
Every one of these laws is subtly different from its kin, but in essence, they all serve the same broad intent. They address user consent (clear opt-ins to have their data collected and/or shared), they set terms of liability, and they establish authorities to oversee compliance. These basic building blocks give us a sense of what form a sound global data policy will take.
We need to underline that the onus is on individual digital companies to formulate their global data frameworks and to put them into action. Don’t leave global compliance to the biggest digital companies: It’s the smaller companies that will have a harder time absorbing fines.
As you develop your data strategy, it’s important to remember the checklists that applied to GDPR and CCPA. Identify your company’s data protection officer or policy point person or designate one if you don’t have one yet. Map what user data your company collects, the way your company uses that data, who you share it with and so on. Meet with all of your partners that you share this data with, discuss compliance and make sure your agreements have sufficient protections. Review your processes for managing consent and user data regularly.
Granted, managing a global data policy will be an ongoing process for all digital businesses, and it will call for refinement over time. But in the end, regular refinement will be less expensive than a purely reactive approach to changing policy. From a legal perspective, it mitigates the risk of exorbitant fines. And a sound global data policy is simply good ethics. Retaining the trust of your users is a boon, both on its theoretical merits and for what it means to your bottom line.