How to optimize privacy programs across multiple jurisdictions
Posted: August 21, 2024
One of the many benefits of the maturation of the field of privacy is year-on-year research into how organizations structure their privacy programs, what work those programs do, and how they tackle global privacy compliance.
These ongoing studies provide us with some interesting trend information, and one of the most fascinating trends answers the question of how large organizations tackle the complex world of multiple jurisdictional compliance.
The most recent International Association of Privacy Professionals (IAPP) study along these lines suggests that most large corporations that have the need to address privacy across multiple jurisdictions do so by addressing standards and processes at the global level first, while leaving room for local variations as needed.
This strategy makes sense, as multiple jurisdictions bring incredible complexity, so a multinational program must both build in as much consistency and efficiency as possible, while still allowing for country- or state/provincial-specific requirements. However, this global-first strategy may not be right for all organizations.
Regardless of an organization’s unique situation, there are steps that an organization can take to identify the optimal structure for handling complex privacy requirements.
- Understand local requirements, commonalities, and differences
- Build a comprehensive privacy framework
- Implement an aligned Privacy by Design approach
- Train and build awareness
- Control and monitor
1. Understand local requirements, commonalities, and differences
The first step to any compliance program – privacy or otherwise – is to understand in depth which requirements apply to which company entities. When gathering a set of requirements, it may be useful to chart them according to geography, corporate entity, and activity.
Remember to identify not only general privacy laws, but also any sector-specific and activity-specific ones, including marketing and children’s privacy laws. Additionally, it may be useful to categorize requirements into privacy principle ‘buckets’ to help organize complicated information.
For example, many US state general privacy laws include notice requirements, so organizing these portions of the rules under a general “Notice” category can help simplify later analysis.
Finally, noting which requirements are shared and which differ will be helpful. Also noting the business impact (high, medium, low) of each requirement, especially those that differ across localities, will be helpful for the next step.
2. Build a comprehensive privacy framework
Once the organization understands its requirements, it can first review requirements that apply across the globe. These requirements may be easiest to address at a centralized global level, solving once for the entire organization. Even if implementation may need to occur at the local level, the global organization can set standards and provide tools that help increase efficiency.
Some differences in requirements also may be equally easy to handle at a global level. There are many requirements that may not apply in all countries but do apply in most countries and/or are not an onerous obligation. In these cases, the organization may wish to establish global obligations, even in countries without that obligation. Though there may be some slight decrease in flexibility for the country in question, often the efficiencies and consistency gained far outweigh that cost to flexibility.
However, there may be some outlier requirements that are either very uncommon across localities or that significantly and negatively impact the organization. In other words, some requirements may be so onerous or disruptive to business needs that implementing them in countries without that explicit requirement does not make sense. In these cases, it may be most useful to establish country-, province-, or state-specific standards that apply only to the localities in question.
In this way, an organization may be able to establish a global set of standards based on the maximum common denominator across jurisdictions. Alternatively, this approach may result in a global strategy with a few local exceptions or even a country-by-country set of standards. Regardless of the result, doing the diligence of prioritizing efficiency versus flexibility will establish a clear and reasoned approach to global compliance.
3. Implement an aligned Privacy by Design approach
Once there is a thoughtful strategy of how to balance around-the-world requirements in an efficient and effective way, an organization can create and implement a Privacy by Design program that fits within that strategy.
For example, an organization that sets global standards addressing all or most global requirements may establish a Privacy by Design program centrally that addresses all or most requirements. However, an organization that requires a country-by-country approach may establish only a consistent process, with each country responsible for applying local requirements within the Privacy by Design process. Whichever approach works best, the list of requirements will be useful input into a right-sized Privacy by Design program.
4. Train and build awareness
Even the best program cannot succeed without stakeholder support, and support requires education and awareness. Regular and consistent communications and training will help any program, regardless of design. It may also be useful to consider what types of feedback loops are appropriate – funneling constructive feedback to the team for consideration.
5. Control and monitor
Another valuable use of the list of requirements is to determine which controls should be in place, which should be monitored, and how. A more centralized and global orientation towards requirements may lead to a more centralized and global approach to controls and monitoring.
A more localized approach towards handling requirements may lend itself to a more localized approach to controls and monitoring. Alternatively, some organizations worry about bias in control and monitoring activities and so place those responsibilities outside of the groups responsible for implementing daily work.
These organizations may centralize controls and monitoring activities at the global level if implementation is at the local level, or vice versa. Regardless, establishing a strong set of controls and monitoring activities is essential for a healthy, sustainable program.
Final thoughts…
In summary, though research shows a trend towards global organizations handling privacy standards and activities globally with the potential for local variances, each company must determine for itself how it wants to handle the complexity of multiple jurisdictions in privacy. The five steps above can help structure that internal conversation and lead to a sound, business-supporting structure.