- Peter Boaz
GDPR has prompted organizations to get serious about privacy and data protection obligations. But as more privacy laws are introduced around the world, it's increasingly clear that these are no longer just European concerns. To meet the global demand for more data protection, companies are wise to foster an internal culture of privacy from the ground up.
Why do companies need to consider privacy regulations when expanding into other markets?
Data privacy is a major issue that will only grow in relevance as more privacy laws are introduced globally. Companies that take a well-thought-out approach to market expansion will want to consider the privacy regulation of each new country they enter, because the consequences of noncompliance can be substantial. A GDPR violation can be fined up to 4% of worldwide annual turnover or €20 million, whichever is higher.
Ignorance is no defence when it comes to following these laws. To cite one instance, the Italian data protection authority (DPA) fined a company €75,000 for failing to appoint a Data Protection Officer (DPO), a requirement the company was unaware of.
Companies need to embrace data privacy and accept that these laws reflect popular opinion in new markets. GDPR and other data protection laws are widely popular, and the average consumer in these countries expects companies to honor and comply with them. Failure to do so could result not only in a substantial fine but also in reputational damage, which can be fatal for a product seeking adoption in a new market.
The good news for companies that embrace data privacy and make it core to their ethos and operations is that it can become a real differentiator. A recent study by Cisco found that over 50% of consumers would switch companies simply because of their data policies or data-sharing practices. Meanwhile, additional research by Cisco found that 70% of organisations say they received significant business benefits from privacy beyond compliance, including better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
Building on this point, research by Gartner forecasts that by 2023, companies that earn and maintain digital trust with their consumers will see a 30% increase in their digital commerce profits compared to their competitors.
What are the possible consequences of failing to factor-in differing privacy regulations when entering new territories?
Looking at Europe for example, one of the most important effects of GDPR was the introduction of new and strengthened rights for individual 'data subjects' in the EU. This means that a company operating in the EU must be able to honour these rights when a data subject exercises them. Note that GDPR applies to people in the EU regardless of citizenship, and its territorial scope also reaches companies established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. These obligations take significant time and effort to put in place, as they involve new processes, new roles and heavier responsibilities.
Failing to meet these obligations is, for one, a violation of European law. But it is also potentially damaging to long-term customer retention. Customers are increasingly conscious of which organisations take their obligations seriously and which don't. A responsive and comprehensive privacy program should be a high priority in any region, but especially in those that confer rights on data subjects.
What is the main privacy challenge when moving a company into a new territory?
The main challenge for many organizations is not knowing the Who, What, When, Where and Why of their data processing activities. An organization should be able to answer all of the following:
- Whose data do you process? e.g. customers, clients, employees
- Who do you receive data from? e.g. other companies, the individuals themselves, publicly accessible sources
- Who do you send data to? e.g. subprocessors, affiliate companies
- What types of data do you process?
- At what frequency do you process this data?
- Where do you send and receive data? e.g. cross-border data transfers
- Why do you process this data? i.e. the purpose of processing and, under GDPR, the lawful basis for it
These are difficult questions to answer because they often require a company to shift its internal culture. Conventional wisdom in the technology industry prioritizes the rapid acquisition of new customers, constant iteration to improve the user experience, and data-driven decision-making. These principles are fundamentally at odds with a culture of privacy, which favours collecting only the data that is actually needed.
The drive in technology companies to "move fast and break things", in the words of Mark Zuckerberg, has resulted in vast technical debt compounded over years of collecting more data than necessary. This has led to the situation we find ourselves in today, where many companies cannot describe with confidence the data processing that goes on in their business.
What's known in computer science as a "kluge" (or "kludge"), a software or hardware configuration that, while inelegant, inefficient, clumsy, or patched together, succeeds in solving a specific problem or performing a particular task, describes the state of privacy management in many companies today. Yet GDPR and other data protection laws require organizations to understand this patchwork of data collection, and that is understandably a difficult task.
What are the top four ways that a company can get a handle on data privacy when moving to a new territory?
In my view, they are:
- Conduct thorough data mapping and maintain a record of processing activities (RoPA), which GDPR Article 30 requires most organizations to keep
- Undertake a privacy health check and a fast-track privacy audit
- Consult with privacy professionals
- Deploy third-party privacy compliance software tools
How companies can stay ahead of privacy regulations in new territories
The safest approach to staying ahead of privacy regulation is to consult a team of privacy professionals, ideally representing different regions of the globe, whose job is to stay on top of regulatory trends. Any single person would struggle to keep up with the volume of information and the rate at which it changes, but a team of privacy professionals can provide that breadth of knowledge.
Many startups are choosing to appoint an independent DPO to help them address the privacy related challenges associated with expansion into new territories. There are two compelling reasons for this.
First, an independent DPO will have a good understanding of privacy regulation as it relates to disciplines including human resources, legal, corporate structure, IT and cyber security. Second, as an independent advisor, a DPO is free of potential conflicts of interest, which GDPR itself requires of the role.
First appeared in Startups Magazine. Published here with edits and updates.