Understanding legislations and what to do when multiple regulations seem to apply

Understanding legislations and what to do when multiple regulations seem to apply

Tash has a reputation for making the impossible seem simple and turning regulatory legalese into something that can be understood and implemented by all. Discussing the hot topic of how to ensure compliance over multiple legislations and regions, Tash tackles the subject through an analogy of ‘The Global Patchwork of Data Protection & Privacy Legislation’.

As a child, I learnt to do patchwork; the art of taking fabrics with differing textures, colours, shapes and sizes, and sewing them together to create one single united piece of art. Little did I know how useful that skill would become in later life.

As a data protection professional, I probably spend at least half of my time trying to stay up to date with the latest national guidance and the key international regulations. This is addition to having a day job, and certainly in addition to the foundational knowledge that is needed to try and understand how all these laws interlock and to be able to sew them together into a usable framework. It seems that daily, a new set of rules is proposed, amended, presented to a parliament or implemented into law. On top of that is the guidance produced by the various authorities that at best clarify some of the vaguer points, at worst seem to contradict them. The patchwork gets more complex, more confusing and infinitely more difficult to sew.

Creating Harmony in Europe

In May 2018, the General Data Protection Act (GDPR) came into force across the European Union. One of its primary aims was to harmonise the previously disparate and fragmented legislative landscape in Europe. Whilst its introduction was seen by many to be disruptive and costly to businesses, there is no doubt that it has significantly ironed out the inequalities in previous legislation and has acted as a springboard and a template for the multiple data protection laws and proposals that have followed.

Outside of Europe

In 2018, according to Eurostat statistics, international trade in goods and services represented 17.6 % of the EU’s GDP, which means there are a significant number of EU organisation that are having to comply with data protection regulations outside of the EEA; in particular the USA, China, Russia, Turkey, Japan, South Korea and India. Even within these countries there are multiple established and evolving regional and sectoral data protection regulations that must be considered and adhered to. Monitoring that level of change, understanding that level of complexity, and implementing everything that is everything required, whilst continue to run an international organisation is a significant undertaking. It requires ongoing resource, board commitment and a strong data protection framework.

Implementing a framework

Since most EU organisations will have already created a privacy program based on the GDPR, the simplest way to start on a global framework is by looking at the similarities, rather than the differences, between that and the international regulations.

Documenting your data processes

As a general rule these similarities will start with the same questions that need to be answered:

Who is the data subject?

What personal data is being processed?

Why is the data has being processed?

Is the data processed lawfully?

Where was the data was captured and where is it stored?

Who has access to the personal data?

Who have you sold or shared the data to/with?

If you don’t know, and haven’t documented, the answers to these questions then not only will you fail on the accountability principle of the GDPR but you will also be unable to respond to any of the rights that the individuals are afforded under the various global regulations.

Once an entity has mapped out their processing of data, it’s time to look at the local nuances and how to deal with them.

Setting your compliance bar

Identifying which regulations apply to an organisation can be done via traditional legal research, or by utilising one of the many data protection intelligence platforms. Most of these platforms will also chart the differences between the various regulations and the GDPR. They offer alerts to regulatory changes in a region/sector. It should be immediately obvious that a majority of the differences are where the global regulation is more lax than the GDPR. It is, therefore, beneficial to use the GDPR framework as your lowest bar of compliance rather than your highest. You can then concentrate on the differences that require extra implementation; additional rights of the individual, double opt-in, time frames for rights responses, registration with a supervisory authority, representative offices etc. It is vital that if you use a third-party system to handle your data protection workflows and customer interaction, that the system is able to cope with the variations in both the data subjects’ home regulations and language, and then respond appropriately.

Stitching the patchwork together

Ultimately, any European organisation that needs to abide with multiple data protection laws will most likely already be accustomed to complying with international laws and their associated variances. Data Protection is just an extension of this process. These variations should not be seen as something that hinders business. Knee jerk reactions like those of many US media websites who simply blocked EU IP addresses from accessing their services on May 25th 2018, show a lack of understanding and unwillingness to acknowledge the rights of their data subjects.

An organisation that has a suitable level of compliance with the GDPR will already have a culture of accountability, will have ensured that all employees are trained appropriately, and that data is held securely. One that then identifies the international laws that impact them, sets the base compliance bar at GDPR standard, and also accommodates local nuances, is further creating a security blanket of compliance (albeit a patchwork one). It is showing a level of respect, acknowledgment and commitment to their data subjects and should be seen as a differentiator in the marketplace. It is an ongoing exercise and those that get it right deserve their place in the international market. Those that don’t must face the consequences.
As a child, I learnt to do patchwork; the art of taking fabrics with differing textures, colours, shapes and sizes, and sewing them together to create one single united piece of art. Little did I know how useful that skill would become in later life.