I never realized how complex data privacy rules can be for multinational companies until I read “Data Privacy Across Borders” by Lambert Hogenhout and Amanda Wang. This book not only goes into detail on the privacy regulations from many countries, but it also covers the importance of a global data privacy strategy and the steps to create one.
Organizations continuously use data in new ways, often generating cross-border data flows. At the same time, concern about the use of personal data is growing. Every year, more countries adopt data privacy laws and our expectations increase on how companies respect our private data. This book covers the art of crafting an effective data privacy strategy that aligns with business objectives and brand positioning yet ensures compliance with relevant laws. You will gain a foundational understanding of data privacy laws and issues as a prerequisite to developing a custom strategy.
From the book’s introduction:
This book provides a guide to formulating an approach to Data Privacy (DP) for multinational organizations. In today’s environment, where massive amounts of personal data are being collected, processed, and shared, organizations face increasing scrutiny and legal obligations to protect individuals’ privacy rights. While there are resources tailored to specific jurisdictions, many organizations handle data that is collected globally. The implications of that in terms of compliance, but also in terms of maintaining the trust of your clients, partners, or stakeholders around the world, can become very complex. To add to the complexity, various online platforms for mobile apps (iOS and Android) and social networks have their own requirements for data privacy. So, if your organization uses these as part of their products or services, or in their engagement with customers, you must also comply with their terms of service.
The challenge is growing weekly as personal data plays a role in more systems. Imagine your car keeps track of your location over time. Now, suppose that a crime happened somewhere around that time. Then, the data collected about you is highly personal in the sense that it may provide you an alibi (or make you a suspect!). The European GDPR, among others, recognizes such data specifically and requires you to treat it with extra care. It is important to note that there are benefits to having location data in your car. GPS vehicle tracking systems are helpful in scenarios where if your car is stolen or gets towed, it could aid in recovering it, or in case of an accident, it can help emergency responders locate you quicker. It is also useful in protecting loved ones, such as monitoring a teenager’s driving or an elder parent’s activities. There has to be a balance between utility (services or products provided to customers) and respect for their rights (data privacy and protection).
The book aims to clarify the main privacy regulations worldwide, explain the challenges in operating with data in a multinational organization, and provide concrete advice on formulating a corporate strategy for data privacy that achieves compliance and risk management and builds trust, internally and externally. Indeed, it is a practical guide to planning such a strategy. The strategy will include a data privacy program — specific instructions on how data is being protected and data privacy respected in various business processes as well as broader aspects of corporate strategy and culture.
Each of the seven chapters in this book focuses on a specific aspect of data privacy regulations, challenges, and strategies, providing detailed information, practical examples, and actionable guidance:
- Chapter 1: The Fundamentals of Data Privacy Regulations. Explores the historical context that led to the development of these regulations, including notorious breaches and other scandals. The chapter introduces key concepts and terminology related to data privacy, such as personal information, consent, legitimate interest, data controllers, and data processors. Also, we cover the motivations behind data privacy regulations, emphasizing the need to balance innovation and technological advancements with individuals’ right to privacy. It explores the ethical and societal considerations surrounding data collection and processing practices, laying the foundation for understanding the regulatory landscape. An experienced data privacy practitioner can skip this chapter.
- Chapter 2: Understanding Personal Data and the Principles for Protection. Focuses on understanding personal data and the various categories of information within its scope. We also review the principles and best practices for protecting personal data, discussing the concept of data minimization, purpose limitation, and storage limitations. An experienced data privacy practitioner can skip this chapter.
- Chapter 3: The Global Landscape of Data Privacy Regulations. Shares a number of examples of regulations from various regions and countries: The European Union, The United States, Canada, China, Singapore, India, South Africa, and Brazil. The idea is to give you a flavor of the various kinds of regulations you may encounter. This knowledge will serve as a foundation for later chapters, where we learn to design an organizational strategy.
- Chapter 4: The Challenges of Data Privacy in Multinational Operations. Raises the challenges faced by organizations operating globally in terms of reconciling disparate data privacy regulations. It starts by emphasizing the importance of understanding the multinational character of the operations of one’s organization from the perspective of data flows. The Chapter then explores the challenges of the conflicting regulations and cross-border data flows. Chapter 4 also discusses cultural and ethical considerations and the need to balance privacy rights with business objectives in different cultures — building trust and transparency in diverse cultural environments.
- in Multinational Organizations. Shows you how to design a strategy for DP for a global organization. The Chapter explores the essential ingredients in a corporate approach to data privacy that can satisfy compliance requirements in multiple countries and maintain sensitivity to multiple cultures and groups of stakeholders. It presents a methodology composed of concrete steps to design such a strategy. It discusses strategies such as implementing a global privacy framework based on common principles or adopting a risk-based approach to prioritize compliance efforts. Chapter 5 also discusses the interplay between a data privacy strategy and the organization’s data strategy, IT strategy, and risk management framework. By the end of Chapter 5, readers will have learned a methodology to design a data privacy strategy that will work in small or large organizations.
- Chapter 6: Further Considerations in Implementation. Although implementation is beyond the scope of this book, a high-level implementation plan may be part of or accompany the strategy. We explore a few specific elements of such an implementation plan, including the role and responsibilities of the Data Protection Officer (DPO), Data Privacy Impact Assessments (DPIAs), Consent Management, Data Breach Notification, and Incident Response.
- Chapter 7: Future trends in Global Data Privacy. Data Privacy is a field evolving continuously, and not in the least because of technological developments. New technologies such as AI present new data privacy concerns. At the same time, new technologies are also being invented to support data privacy. We explore the future challenges and considerations of data privacy and data protection. It focuses on emerging technologies such as Artificial Intelligence (including Generative AI platforms like OpenAI’s GPT family of products) and their impact on data privacy and protection. It also discusses Privacy Enhancing Technologies (PETs) such as Homomorphic Encryption, Zero-knowledge Proofs, and Multi-party Computation, which are just at the point where they are starting to be used in practice. We also cover the privacy implications of the Metaverse and virtual environments in general.
Here is an excerpt from Chapter 5 (my favorite chapter!) on creating the strategy:
When we build a data privacy strategy, it should not only be viewed through a compliance lens. Based on a studypublished by Cisco in 2020, for every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. In addition, the study also states that organizations received significant business benefits from privacy beyond compliance, which include better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
This means that we need to align with the organization’s overall business strategy when developing a data privacy strategy. In other words, the data privacy initiatives should be presented as enablers to meet the organization’s objectives and not only be viewed as a compliance activity.
A good starting point is ensuring that the data privacy strategy is part of the data strategy of the organization. A data strategy encompasses data governance, data management, data security, technology tools and infrastructure, and change management. If data privacy is considered within all these strategic and technical areas, it will help the organization maximize the benefits of implementing privacy.
One possible route to take is a risk-based approach. This starts by considering that every piece of PII that you own is a risk, and you need to weigh that risk with the benefits for the business. Some data may be necessary: you cannot process online orders for garden furniture without storing the address of the recipient. Some data may be nice-to-have, and you may discover that some data you collected is not used or useful. The engineers, business analysts, and the marketing department in your organization will all likely want to keep as much data for as long as possible – you never know when it comes in handy! But this is often not allowed by law and not wise from a risk management perspective.
It is also good to keep in mind the important relation to IT Security. The physical and electronic protection of the data greatly affects the risk of data privacy incidents.
Certain roles in your organization will be important stakeholders in the data privacy strategy that will be key in defining the priorities, providing the requirements and limitations, and implementing the strategy. The Chief Information Officer (CIO), Chief Data Officer (CDO), heads of marketing, operations of IT infrastructure, and the Chief Information Security Officer (CISO) are key partners, and therefore important to engage them throughout the process of developing a strategy.
Learn more about the book here.