Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2021 eBook.
When it comes to data privacy law, change is the only constant. The global pandemic unleashed a new set of risks related to data privacy that companies will have to confront in 2021. But despite the COVID chaos, data privacy regulations around the world are becoming more strict, more prolific, and more stringently enforced.
In the coming year, we predict that organizations, especially those with global operations, may find that a single, comprehensive approach to data privacy is the better and more risk-averse way to operate in this increasingly complex environment.
What are the biggest questions being asked in the privacy community? What else does the future hold? Dr. Tobias Schelinski, German partner at the international law firm Taylor-Wessing, and Jessica Wilburn, Data Privacy Officer and Senior Counsel at NAVEX Global, offer global perspectives and bold predictions around the trend toward complexity around data privacy laws.
What is the Biggest Threat to Organizations?
Tobias: In the European Union, we will see many more consumers making use of their data protection rights granted under the GDPR and local data protection laws. This will include an increase in damage compensation claims. You could say that privacy law will be the new consumer protection law.
Jessica: I expect this to be a global trend. California residents under the newly passed CPRA (amending and expanding the current CCPA), and Brazilians under the new General Data Protection Law, are just two recent examples of newly established data subject rights.
Data privacy regulations around the world are becoming more strict, more prolific, and more stringently enforced. Organizations will need to establish a single, one-size-fits-all approach to data privacy, in order to operate in an increasingly complex environment.
Data privacy is in place to protect people. It’s fair to want to know the biggest threats and tools to combat them; but if you implement privacy principles (transparency and accountability are key principles) across your organization and make it a critical part of your culture, the rest follows easily. Managing data subject rights should be at the forefront of your privacy program.
Consumers will demand transparency and start exercising their access rights. Spikes in data subject requests have already increased over the last several months.
Tobias: There are several reasons why privacy law has become more popular for consumers lately and will continue to be. The 2020 Schrems II decision of the Court of Justice of the European Union caused significant privacy awareness. Consumers are beginning to realize that they just need to send a GDPR-related request to the company via email, and the company must “obey,” and respond to their requests in time. On the other hand, disputes based on consumer protection law are complicated, usually require a lawyer, and often are not justified from a legal perspective.
Jessica: I agree! Privacy in the news, new laws in the United States, and global tension created by the Schrems II decision have merged to form a privacy awareness campaign.
What Will 2021 Bring for Data Subject Requests?
Tobias: Companies with a large consumer customer base in the European Union should be prepared for a second wave of GDPR-related requests, particularly damage compensation claims. More than ever, it will be important to have and maintain appropriate internal processes and have technology in place to handle such requests and claims.
Jessica: Responding to data subject requests can be very complicated. Thus, it’s critical to have streamlined processes and procedures in place to the extent possible.
To implement and leverage processes and technologies, it will be necessary to become a master of the personal-data process. I expect we will continue to see a rise in data subject request tools and automation, such as the use of contact centers and secure web portals with backend software, to manage these requests.
How Do You Align Privacy Approaches to Ensure Global Compliance?
Jessica: I expect many companies will start taking a single, comprehensive approach to data subject rights. In my opinion, the countries (and states) that have data subject rights in their legislation are all similar. If you operate a global business, it may be best to provide rights to everyone, rather than trying to work out the requirements on a case-by-case basis. New local data-privacy laws are emerging on a fast-paced and consistent basis.
Generally, global compliance with privacy laws is always the burning question. If you are subject to GDPR (or even if you’re not), the E.U. requirements are a leader in this space and a good starting point.
Tobias: Yes, the advantage of an E.U.-driven approach is that you can rely on best practices and high standards that are accepted around the world. At some point, however, fast-growing or multinational companies will have to comply with different local privacy laws.
What’s the Outlook on Future New Regulations?
Tobias: The challenge for companies to comply with different privacy law regimes will increase in 2021, as new privacy laws will come into force in several countries, for example in Switzerland.
Jessica: 2020 brought us California’s CPRA (CCPA 2.0), Brazil’s General Data Protection Law, the Schrems II decision impacting international transfers, and the list goes on. We expect 2021 to be no different. It will be interesting to see what happens in the United States. Will the CPRA push along federal privacy legislation? Will other states pass comprehensive privacy laws in line with California? Having a “patchwork” of requirements across the states is likely to counteract what privacy laws are designed to protect (people).
Tobias: In the European Union, we will have to deal with privacy issues relating to Brexit; the question is whether the UK will be recognized as having a privacy law regime that is adequate to GDPR. New regulations from China are coming as well. It will also be interesting to see how companies implement the new Standard Contractual Clauses for data transfer to recipients outside the European Union. And who knows ... maybe the ePrivacy Regulation will finally come into force (with more than three years’ delay!).
Steps for Organizations to Take
1. Establish Efficient, Automated Processes for Responding to Data Requests
Individuals are becoming more aware of their rights and are exercising them. Depending on the context (employment, for example), fulfilling and responding to requests can be complex and chaotic. This will increase in the coming months. We expect to continue to see a rise in technology solutions and automation in this space.
2. Consider Local and Global Data Privacy Regulations
Legal and compliance professionals have been focused on the E.U., but there are many other laws around the world. Shifting your privacy program to a global outlook, versus focusing on individual country compliance, will better prepare organizations in the long run. It may be easier to treat everyone the same (individuals and countries) to the extent possible, which will track back to your data inventory and records of data processing activities.
3. Use GDPR as a Starting Point for a Universal Data Privacy Program
Leverage the GDPR, as the leader in the space, as a helpful starting point. You’ll find you may not have to reinvent the wheel for your operations in other countries. Regulators will appreciate a comprehensive approach to respecting individuals’ rights to their personal data, especially if you do business in different countries.
Organizations should focus on minimizing risk and limiting exposure. To do this, you need to create living and breathing data inventories with policies and procedures formalized throughout the organization.
Continuous assessments of new and existing data processing activities will be critical when managing privacy in your business on a global scale in 2021 and beyond.