Managing Personal Data in a Fluid Regulatory Environment
Privacy and personal data have been a hot topic recently, with the European Union’s General Data Protection Regulation (GDPR) just over one year away and impacting essentially all of our customers in one form or another. On top of that, the course being set by the new US administration has created real uncertainty as to how privacy regulations will be enforced, or whether they will be enforced at all. The recent move to halt the implementation of the Federal Communications Commission’s rule "Protecting the Privacy of Customers of Broadband and Other Telecommunication Services" (81 Fed. Reg. 87274) is sure to unsettle regulators in other countries. They have to be asking whether information belonging to their citizens can be safe if it is handled by a US company.
At some level this might be considered a question of optics. As things are currently structured, US companies can opt into Privacy Shield and use it as a “safe harbor” when handling data originating within the European Union. However, the same challenges that were the downfall of the previous Safe Harbor framework still exist with Privacy Shield. At a recent IAPP meeting in Baltimore, much of the discussion was spent on how companies are using Model Contract Clauses to back up Privacy Shield in case it, too, is struck down. Is Privacy Shield simply something that companies put on their website to keep the public, if not the lawyers, happy?
The above situation would be vexing enough for a corporation’s risk team if that were all they had to address. However, layer in the privacy regulations already in play around the world (Korea, the Philippines, Japan, China and Russia, to name a few), then add the open questions about how big data and the Internet of Things are going to handle personal information, and the challenge becomes a little overwhelming.
Given this lack of clarity and the fluidity of the rules, what is a company to do? Many of the privacy regulations require companies to have a relatively mature data management environment, one that ensures data is managed in a consistent, observable and measurable manner across the organization and, often, between organizations. The key will be implementing best practices that are recognized as such by third parties, and doing so within a systemically enabled environment that applies data management (both quality and governance) as a process discipline rather than a one-off project. In a world where evolving legislation has yet to be tested in court, the companies that can demonstrate and document their due diligence are best positioned to avoid the ire of the regulators as they seek to ensure that the May 2018 implementation of GDPR is taken seriously.
For additional context on GDPR obligations and their impact on data governance, check out the recent Forrester Research publication, Enhance Your Data Governance to Meet New Privacy Mandates, which I contributed to.