Since 2018, regulatory heavyweights like the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) have helped draw attention to the importance of data protection – but that is not the only justification for implementing a global privacy program. (Source: Charles Russell Speechlys LLP)
The first lockdown that rolled across the world forced the global economy to shift towards further digitalization. E-commerce became an alternative for many organizations. Logistics and the supply of goods and services to homes have become more strategically important, but more personal information has been entering the digital economy. Such personal information includes names and surnames, billing addresses, ‘last mile’ location data, and payment information. Organizations have turned to their privacy and security professionals to assist in navigating these waters successfully.
This blog article introduces the benefits of establishing a global privacy program for international organizations and explains why organizations should not consider privacy and data protection as just another regulatory obligation. It is an opportunity to become a sustainable player in the digital environment.
Three key features of a solid Global Privacy Program
Vision and Strategy
It is rather difficult to change an organization’s way of thinking about privacy without the support of all stakeholders that make up an organization (HR, IT, InfoSec, Engineering, Sales, Marketing, Legal). A clear privacy vision statement and global privacy principles build a strong foundation for organizations of the future. Traditionally, privacy was considered a mere compliance requirement, as there is indeed a need to comply with the law. Legal compliance is a key driver of privacy, yet it is not enough for a successful global privacy program. In today’s world, privacy plays a big part in the governance, risk, and strategic thinking of global organizations.
The Privacy Team
A privacy program is a framework based on the organizational values and best practices of a company. It requires close collaboration with multiple stakeholders to ensure a balanced approach that both meets business needs and respects individuals’ rights to privacy and dignity. It should address every essential part of the organization. For this, an organization needs a myriad of privacy-aware individuals who challenge and change staff mindsets. Such individuals should not only be lawyers and compliance specialists but also professionals and experts in their own fields. Additionally, privacy legal and compliance professionals should leave their comfort zones of risk-based compliance and speak and collaborate with their colleagues to better understand how to translate privacy into tangible deliverables and streamline these throughout the organization.
Structure – thinking global does not mean hurting the local
Organizations should not forget to ask where they are operating and what their structure is. Is it centralized, federated, or a hybrid organization? This is important because organizations operating globally must be aware that the GDPR is not the only data protection regulation around. Many countries or regions have established local data protection or privacy laws, and a global privacy program must be sufficiently dynamic to accommodate such local laws. We can soon expect comprehensive privacy laws in India, South Africa, Thailand, and other parts of the world.