
Ensuring Concurrent Compliance to Multiple Data Protection Regulations

In today’s pervasive business ecosystem, many enterprises conduct business worldwide through their local subsidiaries and legal entities.

Even the supply chains and delivery channels span multiple nations. However, with a footprint across the globe, enterprises need to comply with new and emerging country-specific data protection regulations, as well as with existing regulations that are becoming more stringent about data compliance.

Enterprises can no longer afford to be complacent or casual about data protection.

The complexity of diverse regulations

Enterprises operating globally may come under the purview of multiple data protection laws. 

Each law has its own binding requirements and nuances that enterprises need to understand and follow. Is it possible for enterprises to comply with all such regulations in a concurrent fashion? Arguably, the question has no easy answer.

Building a basic data protection framework

On the surface, the terrain may look difficult, but the situation is not as bleak as it initially appears. As we delve into such laws and as legal experts begin to dissect the clauses, common patterns begin to emerge. There are overlapping areas amongst these laws, notwithstanding the fact that each of these laws is unique in its own way. Furthermore, even for the broader commonalities, there are varying degrees of complexity across different laws. Yet, enterprises can start taking some basic measures for data protection regulatory compliance. Enterprises that have reached a certain stage of data protection maturity may have already undertaken one or more of these measures:

  • Establish a body for the definition, execution, periodic assessment, and governance of the data protection measures that an enterprise must undertake. This body must include representatives from cross-functional units, such as Legal, Marketing, Business, IT, HR, Administration, Enterprise Risk and Compliance, Media, and Public Relations, among others.

  • Create a dedicated Data Protection Officer (DPO) role, reporting directly to the CIO/CEO and acting as a bidirectional conduit with the country’s central data protection agency. The DPO will bear the primary responsibility for regulatory compliance.

  • Define the sensitive data categories applicable to the enterprise’s business domain and identify such data within the enterprise’s data stores, to help delineate the scope of the data protection program.

  • Establish practices of trusted data collection, such as getting explicit consent from citizens before collecting data, defining the purpose of collecting and processing data, and limiting data usage to the specified purposes outlined initially.

  • Establish practices of trusted data sharing, such as data masking, encryption, pseudonymization and tokenization, before sharing data on a need-to-know basis.

  • Establish practices of trusted data storage, such as ensuring that the data adheres to the country’s data residency requirements.

  • Establish practices of trusted data disposal, such as destroying the data once its defined purpose has ceased to exist and as allowed by other laws of the nation.

  • Offer citizens a way to have their data remain up-to-date, accurate and unique.

  • Define protocols for timely and transparent notification, in the event of a data breach.

  • Take stringent measures for protecting children’s data.

Adopting data protection, the smart way

Enterprises are now treating data protection as a business requirement, since it offers a decisive competitive edge and provides long-term business benefits. In order to operationalize data protection measures, enterprises need to invest in appropriate commercial off-the-shelf (COTS) compliance software or build their own software. In either case, the compliance software must be configurable and highly parameter-driven, and it should be able to define both country-level and hybrid policies. For example, if two laws ‘A’ and ‘B’ set different time limits (in number of hours) for communicating a data breach, and an enterprise needs to comply with both laws, the compliance software must either allow the enterprise to choose a single value that satisfies both laws (typically, the more stringent requirement of ‘A’ and ‘B’), or allow country-level policies to be defined so that the notification time remains separate for each law. Another example would be compliance with varying data retention requirements across multiple laws.
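The policy-resolution behaviour described above, as an added example that is not code from the original post or from any compliance product: laws ‘A’ and ‘B’ and their parameter values are constructed placeholders, the parameter names are assumptions, and the "hybrid" mode takes the strictest value of each parameter while the "country-level" mode keeps each law's own values. The example goes one step beyond the text by showing why the hybrid mode can fail: when one law mandates a minimum retention period longer than the maximum another law allows, no single value satisfies both, and the resolver refuses rather than silently picking one.

```python
"""Configuration-driven policy resolution for an enterprise subject to several
data protection laws (added example; law names and values are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LawPolicy:
    """Numeric parameters one law imposes (assumed parameter set, not any real law's)."""
    name: str
    breach_notification_hours: int  # deadline for reporting a breach to the regulator
    max_retention_days: int         # data must be disposed of within this many days
    min_retention_days: int         # other statutes may require keeping it at least this long
    parental_consent_age: int       # below this age a guardian's consent is required


# Direction of "more stringent" for each parameter: the function applied across laws.
STRICTER = {
    "breach_notification_hours": min,  # shorter deadline is stricter
    "max_retention_days": min,         # shorter retention is stricter
    "min_retention_days": max,         # longer mandatory retention is stricter
    "parental_consent_age": max,       # protecting older children too is stricter
}


def hybrid_policy(laws):
    """One policy that satisfies every law by taking the strictest value per parameter.

    Raises ValueError when the strictest values contradict each other, i.e. a
    minimum retention mandated by one law exceeds the maximum allowed by another.
    In that case the enterprise must fall back to country-level policies.
    """
    if not laws:
        raise ValueError("at least one law is required")
    values = {param: pick(getattr(law, param) for law in laws)
              for param, pick in STRICTER.items()}
    if values["min_retention_days"] > values["max_retention_days"]:
        raise ValueError(
            "retention requirements conflict; use country-level policies instead")
    return LawPolicy(name="hybrid(" + "+".join(law.name for law in laws) + ")", **values)


def country_policy(jurisdiction, registry):
    """Country-level resolution: the policy bound to the data subject's jurisdiction."""
    try:
        return registry[jurisdiction]
    except KeyError:
        raise ValueError(f"no policy configured for jurisdiction {jurisdiction!r}") from None


def violations(record, policy):
    """List the ways a (constructed) processing record breaks a policy; empty means compliant."""
    found = []
    if record["age"] < policy.parental_consent_age and not record["guardian_consent"]:
        found.append("parental consent required")
    if record["retention_days"] > policy.max_retention_days:
        found.append("retained beyond maximum retention period")
    if record["disposed"] and record["retention_days"] < policy.min_retention_days:
        found.append("disposed before minimum retention period")
    hours = record.get("breach_notified_after_hours")
    if hours is not None and hours > policy.breach_notification_hours:
        found.append("breach notification later than deadline")
    return found


# Constructed placeholder laws, mirroring the post's 'A' and 'B'.
LAW_A = LawPolicy("A", breach_notification_hours=72, max_retention_days=365,
                  min_retention_days=0, parental_consent_age=13)
LAW_B = LawPolicy("B", breach_notification_hours=24, max_retention_days=730,
                  min_retention_days=30, parental_consent_age=16)
# Constructed law whose mandatory retention cannot coexist with A's maximum.
LAW_C = LawPolicy("C", breach_notification_hours=48, max_retention_days=3650,
                  min_retention_days=2000, parental_consent_age=14)
REGISTRY = {"country-of-A": LAW_A, "country-of-B": LAW_B}

# Constructed record: a 14-year-old's data kept 400 days, breach reported after 30 hours.
SAMPLE_RECORD = {"age": 14, "guardian_consent": False, "retention_days": 400,
                 "disposed": False, "breach_notified_after_hours": 30}

if __name__ == "__main__":
    merged = hybrid_policy([LAW_A, LAW_B])
    print(merged)
    print("under A only:", violations(SAMPLE_RECORD, LAW_A))
    print("under hybrid:", violations(SAMPLE_RECORD, merged))
    print("country-level for B:", country_policy("country-of-B", REGISTRY).name)
    try:
        hybrid_policy([LAW_A, LAW_C])
    except ValueError as exc:
        print("hybrid A+C refused:", exc)
```

The same record that is compliant on breach notification and parental consent under ‘A’ alone picks up two further violations under the hybrid policy, because the hybrid inherits ‘B’'s 24-hour deadline and age threshold; that is the "more stringent of ‘A’ and ‘B’" behaviour the text describes, made explicit per parameter rather than hard-coded.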

Paving the way forward

Data protection regulations are complex and are here to stay. It would be naive to assume that implementing basic data protection measures will result in complete coverage of all legal expectations across all data protection laws. Nevertheless, if an enterprise has established basic data protection practices, it gets a head start with a minimum “threshold pre-compliance”, as it already has a framework.

Further, this framework can be fine-tuned when a new law comes into force or existing laws are amended. The framework will provide agility in ensuring holistic data protection compliance, especially now that the data protection regulatory landscape is becoming increasingly crowded with multiple laws.
