Complying with Multiple Privacy Laws

Linda Brust , Tracy Bordignon


March 1, 2021

Worldwide, more than 130 different jurisdictions have introduced data privacy or data protection laws and regulations, a number that has steadily risen since enactment of the General Data Protection Regulation (GDPR) in 2018. Today, most organizations must contend with a variety of these laws, all of which have different sets of requirements and penalties to consider. All signs indicate that these regulations will continue to grow in scope, severity and complexity in the coming years. By extension, managing compliance will be increasingly difficult, especially as most organizations are attempting to do so via different, perhaps even individual programs.

A siloed approach to privacy by jurisdiction or business unit may be manageable for corporations that are regulated only by the GDPR or the California Consumer Privacy Act (CCPA), but it is increasingly rare for any enterprise to fall under just one data privacy law. In the United States, federal data privacy legislation likely remains a long way off, and states have started taking the matter into their own lawmaking hands, creating multiple regulations to navigate even within the country.

Even with 18 months to prepare before the GDPR was enacted, and more than two years since it went into effect, many companies are still struggling to fully comply. Privacy offices are often inadequately staffed or led by in-house counsel who are not exclusively focused on privacy compliance. Moreover, corporate data landscapes can have dozens or hundreds of repositories where potentially privacy-regulated information is collected, processed, shared and stored. Navigating this vast data footprint with limited resources and governing it per a complicated array of regulations can require a Herculean effort few organizations have managed to fully accomplish.

Another interesting development has been the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) program, which went into effect in January. The government began to include CMMC requirements in requests for information starting in June 2020. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract awards. This program established a stringent set of requirements for how government contractors handle controlled unclassified information (CUI), an umbrella term that applies to any government information deemed sensitive and in need of safeguarding. The CMMC rules have implications for all companies that rely on government contracts for revenue, and has emerged as another privacy-related statute that requires additional expense for organizations trying to prioritize compliance efforts for their business. 

Organizations should leverage the lessons learned from one region’s or regulation’s data privacy program to create a holistic approach that fulfills all of the needs and requirements for every other region in which the business operates. With one program that takes into account all relevant regulations and is built to grow with the business, an organization will be much better positioned to maintain compliance as laws change and can reduce the overall cost to do so. The general best practice is to aim for compliance under the most stringent standard possible. While existing privacy frameworks such as that of the National Institute of Standards and Technology (NIST) can be used, privacy teams can also take the following steps to begin building a holistic, flexible program:

  1. Assess technology tools for basic compliance processes. Privacy teams need technology to support a wide range of critical activities, including data mapping and automating governance protocols. Managing data subject access requests (DSARs) and other privacy subject rights—which are key aspects of GDPR and CCPA—also requires technology platforms that can automate and help facilitate some of the most burdensome steps. It is important for privacy teams to be equipped with the resources and support they need to implement technology.
  2. Review privacy notices. Privacy disclosures to external parties about how the company collects, processes and shares data are an important foundation of any privacy program. Regulations may have unique guidelines for privacy notices, so the safest route is to ensure notices stand up to the strictest set of rules. It is also critical to ensure the practices are disclosed accurately and completely reflect actions throughout the organization and that the enterprise sticks to the activity disclosed. There have already been instances of GDPR violations involving gaps between what a company says it is doing in its privacy notices and what is actually happening in back-end processes. 
  3. Maintain a detailed inventory. It is critical to map every system that generates or interacts with personally identifiable information or personal data (and in the case of the CMMC, controlled unclassified information) and understand the processes and data flows around those systems, including when it is shared with third parties. This is a key step in being able to respond to DSARs and documenting compliance in the event of a regulatory inquiry. Even for companies that are not currently subject to a privacy law that requires a data map, keeping one is important for informing the broader data landscape and enabling holistic governance.
  4. Provide training specific to all, especially affected business units. The CCPA specifically calls for training employees that will be involved in responding to DSARs, and employees in business units that conduct activities that may be directly related to CCPA compliance, such as sales and marketing. Training may need to be refreshed or repeated when new regulations or amendments are added, but having a foundation in place will make it much easier to launch and execute new training and awareness programs and to do so within mandated deadlines. All of these efforts will support widespread awareness among employees, which is another important element in maintaining strong compliance practices.

With new privacy laws on the horizon, being proactive about the complex data privacy regulation landscape and getting a comprehensive program in place to follow the most stringent current rules will create a healthier and more efficient privacy program. As we have seen with organizations ramping up for GDPR, CCPA and other privacy laws, the time needed for operationalizing measures to meet the requirements depends on the maturity and sophistication of the existing privacy program. Staying ahead of the curve will help mitigate cost and risk; ensure timely preparedness and resource allocation; and reinforce trust with customers, partners and employees in the process.

Linda Brust is a director in the information governance, privacy and security practice of FTI Consulting’s technology segment.
Tracy Bordignon is a director in the information governance, privacy and security practice of FTI Consulting’s technology segment.