Skip to main content

Ensuring Concurrent Compliance to Multiple Data Protection Regulations

 In today’s pervasive business ecosystem, many enterprises conduct business worldwide through their local subsidiaries and legal entities. 

Even the supply chains and delivery channels span across multiple nations. However, with a footprint across the globe, enterprises need to comply with new and emerging country-specific data protection regulations and to existing ones that are becoming more stringent to data compliance. 

Enterprises can no longer afford to be complacent or casual about data protection.

The complexity of diverse regulations

Enterprises operating globally may come under the purview of multiple data protection laws. 

Each law has its own binding requirements and nuances that enterprises need to understand and follow. Is it possible for enterprises to comply with all such regulations in a concurrent fashion? Arguably, the question has no easy answer.

Building a basic data protection framework

On the surface, the terrain may look difficult, but the situation is not as bleak as it initially appears. As we delve into such laws and as legal experts begin to dissect the clauses, common patterns begin to emerge. There are overlapping areas amongst these laws, notwithstanding the fact that each of these laws is unique in its own way. Furthermore, even for the broader commonalities, there are varying degrees of complexity across different laws. Yet, enterprises can start taking some basic measures for data protection regulatory compliance. Enterprises that have reached a certain stage of data protection maturity may have already undertaken one or more of these measures:

Establish a body for the definition, execution, periodic assessment, and governance of data protection measures that an enterprise must undertake. This body must include representatives from cross-functional units, such as Legal, Marketing, Business, IT, HR, Administration, Enterprise Risk and Compliance, Media, and Public Relations, among others.

  • Create a dedicated Data Protection Officer (DPO) role, reporting directly to the CIO/CEO and acting as a bidirectional conduit with the country’s central data protection agency. DPO will bear the primary responsibility of regulatory compliance.

  • Define sensitive data categories applicable to the business-domain of the enterprise and identify such data within the enterprise’s data stores, to help delineate the scope of the data protection program.

  • Establish practices of trusted data collection, such as getting explicit consent from citizens before collecting data, defining the purpose of collecting and processing data, and limiting data usage to the specified purposes outlined initially.

  • Establish practices of trusted data sharing, such as data masking, encryption, pseudonymization and tokenization, before sharing data on a need-to-know basis.

  • Establish practices of trusted data storage, such as ensuring that the data adheres to the country’s data residency requirements.

  • Establish practices of trusted data disposal, such as destroying the data once its defined purpose has ceased to exist and as allowed by other laws of the nation.

  • Offer citizens a way to have their data remain up-to-date, accurate and unique.

  • Define protocols for timely and transparent notification, in the event of a data breach.

  • Take stringent measures for protecting children’s data.

Adopting data protection, the smart way

Enterprises are now treating data protection as a business requirement since it offers a decisive competitive edge and provides long-term business benefits. In order to operationalize data protection measures, enterprises need to invest in appropriate Commercial off-the shelf (COTS) compliance software or build their own software. In either case, compliance software must be configurable, highly parameter-driven and should have the ability to define country-level and hybrid policies. For example, if two laws ‘A’ and ‘B’ have different expectations regarding the time limit (in number of hours) for communicating data breach, and an enterprise needs to comply with both laws, the compliance software must either allow the enterprise to choose a value that agrees with both laws (typically, the more stringent requirement of ‘A’ and ‘B’), or allow defining country-level policies so that the notification time remains separate for both laws. Another example would be compliance to varying data retention requirements across multiple laws.

Paving the way forward

Data protection regulations are complex and are here to stay. It would be naive to assume that implementing basic data protection measures will result in a complete coverage of all legal expectations across alldata protection laws. Nevertheless, if an enterprise has established basic data protection practices, it gets a head start with a minimum “threshold pre-compliance”, as it already has a framework.

 Further, this framework can be fine-tuned when a new law comes into force, or existing laws are amended. The framework will provide agility in ensuring holistic data protection compliance, especially when, the data protection regulatory landscape is becoming increasingly crowded with multiple laws.

Comments

Popular posts from this blog

Social Responsibililty

                                                                        SOCIAL RESPONSIBILITY Social Responsiblity   is an ethical framework and suggests that an entity, be it an organization or individual, has an obligation to act for the benefit of society at large.  Social responsibility  is a duty every individual has to perform so as to maintain a balance between the economy and the ecosystems.  4 Types of Social Responsibility Corporate Environmental Responsibility. ... Corporate Human Rights Responsibility. ... Corporate Philanthropic Responsibility. ... Corporate Economic Responsibility. Some of the common Responsibility for example given below: Reducing carbon footprints. Improving labor policies. Participating in fair trade. Charitable givin...

Online Education

ONLINE EDUCATION Online education is a flexible instructional delivery system that encompasses any kind of learning that takes place via the  Internet . Online learning gives educators an opportunity to reach students who may not be able to enroll in a traditional classroom course and supports students who need to work on their own schedule and at their own pace. The quantity of distance learning and online degrees in most disciplines is large and increasing rapidly. Schools and institutions that offer online learning are also increasing in number. Students pursuing degrees via the online approach must be selective to ensure that their coursework is done through a respected and credentialed institution. POSITIVE AND NEGATIVE EFFECTS OF LEARNING ONLINE Online education offers many positive benefits since students: have flexibility in taking classes and working at their own pace and time face no commuting or parking hassles learn to become responsible for their own education with in...

COVID-19 Drives Insurers to Revisit Actuarial Models

The COVID-19 pandemic has taken a huge toll on people and economies alike.  Governments and central banks worldwide have introduced a slew of fiscal measures to infuse liquidity and stability in the market.  However, in spite of these measures, the financial markets are expected to remain highly volatile for a significant duration, likely to worsen further due to lowering of interest rates and increasing credit spread gaps as well as risk of mortgage defaults.  Insurers therefore need to assess the impact on their solvency margins and IRRs, and re-assess the assumptions around mortality and morbidity rates, operational and financial costs, claims and losses, and so on.   Actuaries must review existing strategies and products and construct new ones to handle evolving risks and their interactions to be able to better model assets and liabilities as well as analyze asset and capital adequacies Moreover, insurers will have to perform strong scenario testing to identify k...