It’s raining data-privacy laws
A deluge of new legislation in 2019 will put companies on the spot
If you thought that 2018 represented the peak of your compliance efforts, think again; prepare for a whole raft of new privacy laws coming into effect in 2019 and 2020.
The most noteworthy ones will be from California, Brazil and the EU (ePrivacy). However, many others are on the way too, in countries ranging from Argentina to Zimbabwe. And a US federal privacy law is virtually a given for 2019.
The effect of this will be to force organisations to stop viewing data privacy as just an EU thing, and to see it from a broader, more global perspective.
For example, if you’re a multinational, you might have to plan for different breach-response plans based on the countries you’re operating in. Subject Access Requests can also vary in terms of what constitutes personal information and the time required to comply with them.
In the face of this increased complexity, there are two options open to organisations.
Quick fix or long term?
The first option is to launch as many compliance projects as there are new laws, and try to ensure that you can tick all the boxes when the deadlines come around. Needless to say, these one-time fire-drills won’t scale. You’ll always be playing catch-up with the next new law, and will end up being overwhelmed by the cost and effort.
A smarter option is to realise that all of these laws have a lot in common — 80% easily — and simply make data protection an integral part of your business processes, product development and technology infrastructure, throughout the lifecycle. This way, once a new law comes around, you’ll find that you are already largely compliant.
Welcome to privacy by design, the ultimate umbrella option, based on seven foundational principles which enable an organisation to demonstrate “out of the box” compliance, rather than having to adapt the organisation to each new law.
Bring it on
Privacy by design represents a major organisational challenge, one which will be measured in years rather than months. But it is the only viable solution in a world where new data-privacy laws are falling from the sky every few months. Once data protection has been baked into your business processes and technology infrastructure from start to finish, tackling the next new data-privacy law will become an incremental effort that you can take in your stride, rather than yet another fire-drill.
More data-privacy legislation? Bring it on.
Michael Gentle is the founder of The Balance of Privacy, based in Geneva. For similar articles by Michael, click here.
