This resource aims to help privacy pros stay on top of compliance with the ever-shifting landscape of global privacy and data protection laws.


Published: November 2024



The obstacles to compliance with global privacy and data protection laws are numerous: New laws emerge as existing ones evolve, privacy knowledge is not evenly distributed throughout organizations, internal communication structures can be underdeveloped or absent, and priorities compete for a finite amount of attention. Indeed, at 52%, more than half of privacy professionals are only "somewhat confident" in their ability to stay informed about new global privacy laws. Moreover, at 70%, most are only "somewhat confident" in their ability to track or comply with new nonprivacy laws that their privacy functions have acquired responsibility for.

The members of the IAPP's Privacy Bar Section Advisory Board have put together this list of 10 tips to help privacy pros stay on top of compliance with the ever-shifting landscape of global privacy and data protection laws.

10 Tips for Global Compliance with Privacy and Data Protection Laws

1. Assess the scale of compliance

Assess how many markets are within scope to determine whether to adopt a global, country-by-country or hybrid approach to compliance.

2. Identify trusted sources

Consult with privacy colleagues and internal teams on the ground. Engage local experts and regulatory bodies. Reach out to local contacts in law and industry to recommend legal counsel if/when needed.

3. Track ongoing developments

Utilize resources from the IAPP, LinkedIn, law firms, regulators' websites, newsletters/mailing lists, seminars and conferences, setting aside time daily to keep up to date.

4. Measure risk

Use a risk-based approach that considers type, sensitivity and location of data, as well as impact on data subjects and regulators in the jurisdiction. Consider a client's reputation as well as its appetite for and exposure to risk.

5. Find the focus

Focus on countries based on jurisdictional presence and likelihood of enforcement in addition to clients' immediate needs and specific industries.

6. Develop a strategy

Establish concise objectives and key results, key performance indicators, and standards based on an inventory of a company's operations, resources, risk tolerances and capabilities. Regularly review and update this strategy.

7. Audit audaciously

Conduct regular audits to identify potential areas of noncompliance. Do not assume a privacy regulation will not apply to an organization if it does not have an immediate impact.

8. Avoid legal silos

Break out of legal silos dominated by paperwork and legal requests to interface with technology, business, public relations, public policy and other teams.

9. Differentiate privacy and cybersecurity

While interrelated, the two areas of law are not the same and require different compliance strategies. Determine which jurisdictions focus more on data security and align with global or country-specific strategies.

10. Practice cultural humility

While no privacy team can be competent in every legal culture, teams should appreciate that different legal cultures require different approaches to compliance.