I’m thrilled to interview K Royal, Senior Director, Western Region, Privacy, at TrustArc. K has had a long career in privacy law, having served as privacy counsel for several companies. She’s also an adjunct professor at Arizona State University.
Prof Solove: What is the need for a multi-jurisdictional approach to privacy laws?
K Royal: With the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other laws such as the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), businesses must be prepared to comply with a variety of laws around the world.
Privacy is a complex, multi-level, comprehensive concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.
Prof Solove: Can a company just set one high bar and just treat all personal data the same?
K Royal: Yes, a company can set a high bar and treat all personal data the same, but a company might have a significant business advantage if it treats a particular country’s personal data differently than it does another country’s data where the requirements differ. If all data is treated the same, then nuances may get missed in different laws, which may require specific management for certain types of data. But a big challenge is that managing all data according to localized requirements is hard to sustain over time.
Prof Solove: So, what can companies do?
K Royal: A company would need to take one of two approaches to be successful. The first option is to set a single high-bar privacy program based on a strong regime like the GDPR and then make a robust number of exceptions. The second approach is a multi-jurisdictional custom approach where a company designs its own internal policy for data protection with localized activities.
The key to success for either approach is having a knowledgeable professional with the right tools and the authority to design and manage a program properly taking into account the business appetite for risk and the regulatory environment in which the company operates.
The days of managing privacy with spreadsheets and pen and paper are over for all but the most minimal of programs.
To go beyond a simple one-size-fits all approach, a privacy professional must have a strong understanding of the many different privacy laws of relevant jurisdictions. Key areas of difference to focus on include what constitutes sensitive data, limits on automated data processing, legitimate bases for processing data, and the rules of consent, among other things. Privacy professionals must know how various laws address these important issues and then operationalize them across the company.
Prof Solove: What does a company need to make its global privacy program a success?
K Royal: A successful privacy program starts with people. Privacy professionals must have the knowledge and experience to understand the different requirements of different jurisdictions as well as have a deep understanding of their companies. There are resources to help privacy professionals learn about different privacy laws.
Privacy must extend beyond the privacy professionals. Privacy should be embedded throughout the organization.
The education and awareness components of a privacy program are substantial. People who touch personal data on any level need to understand their responsibilities when it comes to that personal data and know when to consult the privacy professionals.
Prof Solove: What advice would you give to privacy professionals to deal with the privacy laws of many different jurisdictions?
- Subscribe to a trusted resource for updates – or a few. Do not subscribe to a lot; it can get overwhelming and confusing.
- Invest in professional development. The privacy field moves quickly and involvement in conferences, webinars, published articles will help you stay current.
- Make sure you are connected throughout the company and are aware of questions, assumptions, projects, and changes.
- Learn how to speak with authority on technology and security.
Thanks, K, for your helpful insights!
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.