European GDPR impact to international governance
With the impending EU General Data Protection Regulation (GDPR), international corporations face new demands on privacy protection requirements. However, bigger concerns could surface if a diverse regulatory environment promulgates where other countries begin to follow with divergent regulations and an expansive reach of jurisdiction with new monetary threats. How will international corporations successfully balance regulations, fiduciary astuteness and multinational development?
A valid and growing concern. My recommendation for such organizations is to, first, keep things as simple as possible, and second, to employ a somewhat hierarchical approach to complying with these regulations.
Protection of privacy, seemingly regardless of the national/legal context, rests on a nearly uniform set of principles (OECD). What I have found is that various jurisdictions add conditions and requirements (mostly procedural) to suit their specific purposes, but the essential principles remain untouched. One thing appears as a constant: any jurisdiction receiving covered information from an EU source must at minimum treat said information to be as secure/private at the destination as it was at its EU origin. That being so, I recommend the following:
- Assuming you are using the GDPR as the primary source (it will likely be the most comprehensive of the regulations), evaluate the other such regulations and compare them to the GDPR;
- The comparison should assess whether the specific reg differs from the GDPR in essentials or mechanics only;
- If there are fundamental differences, in general an organization's policy should reflect the more stringent set of requirements, taking care to assure that the less stringent sources are fully contained within the selected "more stringent" one;
- If the differences are mechanical only, such as in notification or documentation processes and products, then the implementing procedures should reflect these differences in the required workflows.
These considerations are tedious and costly necessities that each business operating in these areas must undertake to ensure they are not at risk themselves of violating local regulations. As such, they are certainly not optional.
Companies outside the EU have to comply with the GDPR if they conduct business inside this region. First of all, there is no reason to panic, as most organizations already have rules & regulations regarding the handling of information in place.
The new law should not be perceived as a threat, but as an opportunity to strengthen internal processes. If a company actually is not complying with the new law, now is the time to update the processes. Not only to comply with the law, but, more importantly, to protect its most valued resource: information. For most of the global companies, the GDPR does not have bigger consequences than the implementation of additional documentation: which personal information was used for which reason.
Information which is not needed anymore should be deleted. Again, this is important even without the law, as information which is no longer stored cannot be stolen or misused.