Deciding on a Privacy Approach

Should your company take a global privacy approach or address regulations at a regional level?

Michelle Wimmer
Slalom Business
3 min read · Feb 28, 2022


We get it. Privacy is complicated, especially when your organization has a global footprint. For this reason, many of our clients come to us to help them create a privacy approach that addresses multiple regions. Below are the three main steps we take to help organizations through this process.

1. Compile a list of applicable privacy regulations

Take an inventory of where you are doing business and where your customers are, both now and in the near future. You will want to work with your legal counsel to determine what regulations will impact your business. If your organization has a global footprint, everything from the California Consumer Privacy Act (CCPA) to China’s Personal Information Protection Law could be applicable to your business.

While knowing what currently applies to your organization is important, it is just as important to know what regulations will apply in the near future. In the United States alone, twelve states, from Alaska to Florida, are likely to pass privacy laws in 2022, so the inventory should be revisited on a regular cadence rather than treated as a one-time exercise.

2. Conduct an impact assessment

After your team compiles the list of applicable privacy regulations, your business needs to bring together your legal, compliance, marketing, product, data and analytics, technology, and security teams to determine the impact these privacy regulations will have on the business.

There are two typical approaches that companies follow. The first is the geographic region-by-region approach, in which each jurisdiction's rules are applied only to the data subjects it covers. Your team will want to weigh how much time, effort, and value your organization will get from treating each region differently. Legal teams may prefer this approach because it makes it easier to show compliance with each specific regulation. Marketing, product, and data and analytics teams may prefer it because it lets them retain and use more data for customers in areas with fewer privacy requirements. (For example, Oregon does not currently have a comprehensive consumer privacy law, so under a region-by-region approach teams can use all of the data they hold on an Oregon customer.) However, implementing this approach can be very taxing: every system that stores or processes personal data must be able to determine which region a given customer or employee record falls under, and different retention, consent, and access rules must then be applied to that record based on region.

The second approach is the global approach, meaning your organization applies the most stringent of all applicable regulations to everyone, regardless of geography. All teams may turn to this option for simplicity's sake, as it allows an organization to apply only one set of rules and removes the need to track each record's jurisdiction. Note that "most stringent" has to be decided requirement by requirement (consent, retention, access rights, and so on), since no single law is the strictest on every point. The trade-off is that marketing, product, and data and analytics teams may not retain the useful customer data that they would have kept under a region-by-region approach. For that reason, this approach is not usually taken when customer data is central to the success of an organization.

If neither of these options works for your organization, some of our clients choose a hybrid approach. This could be something like applying CCPA to all of the United States and taking a region-by-region approach outside of the US.

3. Choose your approach and begin to develop your strategy

After your team has a thorough understanding of the impact assessment, the next step is to choose an approach. We see the most success not only when every team is brought into the conversation, but also when the executive team supports the initiative and understands its business impacts. Once your team has chosen an approach, we can work with you to develop the strategy and roll it out.

Slalom is a global consulting firm focused on strategy, technology, and business transformation.
