
Seeing Around Corners

Future-Proofing Your Privacy Program

Privacy Operations, Int'l Law Updates, US Law Updates

So you've built a basic privacy program. Congratulations! Take a breath and enjoy the moment, but only a moment! Privacy laws and regulations are quickly changing, and the pace of change is only increasing. You know that GDPR is in force in Europe, but now Brazil and India are also in the mix. Canada is making updates. CPRA will soon come into force. How does a busy privacy professional keep up? How do you comply with all of these laws at once without overhauling your program every time a new law is enacted?

Fortunately, you don't have to be an expert in the laws of hundreds of countries or fluent in multiple foreign languages to stay current and compliant. There are a few concrete steps you can take to simplify managing your privacy program to meet the requirements of the future:

1. Stay Up to Date with Your Business

Be sure that you understand where your company is operating and which new markets it is hoping to open. Be aware that directing advertising and marketing to a region might be sufficient to make that region's laws apply to your company's activities. Understand what activities might trigger the application of a law to your business. By keeping up with your business counterparts, you will already know what requirements apply when they are ready to enter new markets.

2. Globalize Your Standards

Consider applying a single standard in all regions where you do business. To do this, you might need to choose the strictest standard that applies. Alternatively, you can choose to adopt a minimum standard across the company, but apply stricter standards locally when necessary to comply with a country's specific requirements. Either of these approaches will save you the trouble of reinventing the wheel for each region where you are doing business. Similarly, if you are applying high standards already, as new regions roll out their privacy legal frameworks, you are likely to already comply with many of their requirements.

3. Study the Trends

As countries adopt or update their privacy laws, it is clear that common themes or trends emerge. For example, it is now common for regulators to have authority to enforce their laws with fines and civil penalties. Similarly, data breach reporting has become a common requirement in many regions. Many countries that are developing privacy legal regimes for the first time are looking at existing laws as a model. Therefore, you can do the same and look at what these frameworks have in common in order to maintain and enhance your company's privacy program.

Keeping your privacy program compliant does not require you to be a futurist who can see around corners and predict the topics that privacy regulators will address next. It does require that you stay current in your awareness of what is happening within your company and within privacy news. By doing so, you will be able to develop a program that is relatively future-proof and only needs modest adjustments as new requirements are enacted.