October 16, 2020 By Aleksandra Popova 4 min read

Almost everyone at this point has heard about the European Union’s (EU) General Data Protection Regulation (GDPR). You’ve probably received an email from a company that you have shopped with explaining the recent changes in their privacy policy. Or, you’ve sat through a GDPR training at work, or you’re simply aware that some of the world’s largest companies with European subsidiaries need to comply with it.

GDPR went into effect in May 2018 and not only impacted businesses in the EU, but also globally. Many companies had to change the way personal information was being collected and used while simultaneously having to meet the compliance deadline.

While the GDPR is widely seen as the gold standard in privacy protection, it is not the only data protection regulation companies need to comply with today. Its introduction was only the beginning. In just two years, its ripple effect has prompted other regulators to follow with enhanced privacy regulations. Countries ranging from Brazil to Thailand, as well as U.S. states such as California, have enacted or are currently working to enact their own versions of the GDPR framework.

These numerous privacy regulations present a challenge for companies: navigating and interpreting a patchwork of rules that differ in their obligations and breach reporting requirements. Below are some of the challenges companies may face as the current privacy regulatory environment continues to evolve.

To learn more about best practices for keeping abreast of changes to global privacy regulations and more about Brazil’s General Data Protection Law (LGPD) and its implications, please join the upcoming webinar at 11 a.m. EDT on Oct. 22, 2020. 

Patchwork of Data Privacy Protection Laws

The GDPR’s goal is to harmonize privacy rules across the different EU member states. However, it also inspired a patchwork of privacy laws around the world. Each is slightly or significantly different, but is modeled after the same framework.

As the regulatory environment continues to evolve rapidly, companies are struggling to keep up. GDPR sets a high level of protection for individuals, ranging from strict rules for processing personal data to granting data rights to users, including the right to be forgotten. Some countries, such as Argentina and New Zealand, are in the process of amending and implementing their own enhanced versions of data protection laws. Other areas have already enacted GDPR-inspired laws, including Brazil, Thailand, South Africa, Bahrain, Israel, Dubai, Abu Dhabi and more.

In the U.S., there is currently no comprehensive data privacy regulation at the national level. California was the first state to follow the GDPR's example with the California Consumer Privacy Act (CCPA), which took effect in January 2020.

While companies have had a few years to get up to speed on GDPR, they now have to turn their attention to the growing number of new data privacy regulations taking effect worldwide. They are struggling to figure out which privacy rules apply to them and to sort out the differing requirements among them. For example, the type of companies these laws apply to, the type of individuals they protect and how broad or specific their definition of personal information is all vary among GDPR, CCPA and Brazil's LGPD. Thus, while many of today's regulations were originally modeled after the GDPR, their scope and applicability vary.

Meeting the Growing Requirements 

Aside from figuring out which laws they must comply with, organizations may find themselves increasingly challenged to meet the growing requirements. For example, the GDPR requires a controller to notify the relevant supervisory authority of a reportable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Because most of the newer regulations are modeled after the GDPR, many adopt comparably short notification windows. The clock starts at awareness, not at the end of the investigation, so the information expected is substantial and the time available to assemble and deliver the various notifications is short. The GDPR does allow the required information to be provided in phases where it cannot all be supplied at once, but the initial notification itself cannot wait.

This is a real challenge for companies that must keep their operations running while responding. Figuring out who has been affected, how extensive the impact is and why the breach occurred, and then notifying the relevant data protection authority, all within 72 hours, is difficult without preparation.

Companies may find themselves scrambling and needing to change their incident response plans and internal security tools and processes to ensure these strict reporting requirements can be met. In practice that means logging and asset inventories good enough to scope an incident quickly, a pre-agreed escalation path from the security team to legal and privacy staff, and notification templates prepared before an incident rather than during one.

Another challenge companies may face is the rise of data subject rights (DSR) provisions in modern privacy laws. DSR requirements have become more prevalent around the globe as more regulators expand the rights they grant to their residents. DSRs gained broad recognition with the implementation of the GDPR, when many organizations first began facing a high volume of data subject access requests (DSARs).

Companies that were not previously subject to DSARs under GDPR may nevertheless find themselves facing similar requirements under the CCPA, LGPD and other privacy laws. Managing DSARs is a challenge because the rights tend to vary, as do the timeframes for responding. For example, the GDPR generally requires a response within one month (extendable by a further two months for complex or numerous requests), the CCPA allows 45 days (extendable once by a further 45 days), and the LGPD requires a full response to an access request within 15 days. Meeting these deadlines reliably requires knowing where personal data lives across systems, being able to verify the identity of the requester and tracking each request against the deadline that applies to it.

Constant Uncertainty about Transferring Data

Another challenge revolves around the constant uncertainty companies face regarding their ability to transfer data between the EU and the U.S. The most recent example is the judgment of the Court of Justice of the European Union invalidating the Privacy Shield, the transatlantic framework used by more than 5,000 companies to transfer data between the EU and the U.S. Since this ruling, many companies have relied on the standard contractual clauses (SCCs) found in their individual legal agreements for such transfers. The validity of those, however, is being called into question. The court left the SCCs themselves intact but made clear that they are not sufficient on their own: the data exporter must assess whether the law of the destination country provides protection essentially equivalent to GDPR standards and, where it does not, put additional safeguards in place or suspend the transfer.

The potential repercussions if standard contractual clauses are found inadequate could be significant for companies whose operations rely on them. Guidance is still being issued on what changes and supplementary measures might be necessary to make standard contractual clauses acceptable to EU authorities. Meanwhile, companies of all sizes are hoping for clarity and guidance as they navigate the patchwork of privacy laws.

A Proactive Approach for GDPR Compliance and Beyond

Companies have an enormous incentive to comply with new privacy laws, as failure to do so could expose them to significant fines, penalties and reputational damage. A proactive approach can be instrumental in handling the growing number of privacy regulations and the various obligations companies may be subject to today. A good example is Brazil's LGPD, which went into effect in September 2020 after months of uncertainty over its effective date and a possible delay. Global companies that had already incorporated its requirements into their privacy frameworks were well prepared; those that had waited for a firm date were not.
