6 minute read 4 May 2021
Woman stretching in a track and field stadium

How to prepare for global data compliance

By EY Global

Ernst & Young Global Ltd.

6 minute read 4 May 2021

As organizations scramble to comply with GDPR, local regulations have sprung up with their own versions of data privacy and protection laws.

In brief
  • Many local regulations are designed to be equal to the standards required by GDPR.
  • These local regulations may complicate things further for organizations as they try to comply with GDPR. 
  • Non-compliance with GDPR and these local regulations can mean hefty fines for companies.

In May of 2018, the European Union enacted the General Data Protection Regulation (GDPR). To date, over 500 actions have been taken against non-compliant companies, and over €260 million in fines have been levied. GDPR compliance is projected to cost Fortune 500 companies almost $8 billion each year. 

Now, over 100 jurisdictions—countries, states and cities—are enacting their own data privacy laws. These “local GDPRs” will add up to a global maze of legal obligations that will disrupt the operations of virtually any global company that touches a consumer. It is like a second set of tax codes — high costs, high risk, complex execution, and where absolute non-compliance is not an option.

GDPR was a challenge for many companies. Now over 100 GDPRs are springing up in jurisdictions around the world. These add up to a complex and high-cost compliance challenge for global companies.

What is data protection and privacy?

For most of the Internet’s history, customer data was managed through agreements between the online company and its customers. But countries, states and cities are stepping in to protect their citizens with data privacy laws. While each jurisdiction’s law is different, here are some common provisions:

  1. Customer permission — The customer must give specific permission (opt-in) before data can be used or provided to 3rd parties.
  2. Data minimization — Companies can only collect data that is directly related to the app or service — and no more.
  3. Right to be forgotten — Customers have a right to have their data identified and deleted at a specified time upon request.
  4. Transparency — Consumers have a right to know what is being collected and how it is being used.
  5. Accuracy — Information must be kept up to date and accurate, according to strict standards.
  6. Data localization — Customer data, whether captured from within or outside the jurisdiction, must be stored and processed on in-country infrastructure.
  7. Security — Data must be kept at a defined standard of security, and customers are to be rapidly notified of breaches.
  8. Chief privacy officer — Some jurisdictions require a CPO to take responsibility for breaches and compliance.

Data privacy laws apply to any company that collects data on their citizens — whether the firm operates within or outside of the jurisdiction. Compliance further applies to firms that process and store other companies’ consumer data — for example, cloud service providers or many Software as a Service companies. The rule of thumb is if you collect customer data, assume you operate under data protection and privacy (DPP) laws.

One size does not fit all

Most DPP laws have a common basis in the European Union’s GDPR. But as the following table shows, there are significant differences—in legal definitions, infrastructure requirements, compliance paths—that require jurisdiction-specific solutions.

Legal provision table

An example is the protection of underage consumers — a particular concern for video games, entertainment, and retail companies. Local laws create different obligations around the age of consent, ability to sign contracts, and special protection of data with high reputational risk in the event of a failure.

The result is that one size does not fit all any longer — multi-national companies will need to architect and customize their DPP program to meet the needs of individual jurisdictions. 

What does compliance mean to the firm’s operations?

DPP compliance is not just a matter of legal interpretation — it drives deep into the firm’s processes. The following captures just some of the burden placed on global organizations:

DPP compliance table

The most visible impact is higher costs, such as running redundant, under-utilized servers in dozens of countries. The second is the extensive management time commitment — time taken away from the core business — to manage these complex operations. The third is performance risk — it is very easy to fall out of compliance with dozens of fast-changing laws. The final is compliance reporting — a critical path requiring local resources and expertise. 

What are the penalties for non-compliance?

The penalties are stiff. The GDRP sets the standard at a maximum of 4% of annual revenues — and has levied fines as high as a whopping $238 million. Furthermore, as enforcement becomes more established, the number and size of fines are increasing.

GDPR fines graph

But the highest risk may not be regulatory. The implementation of these legal standards creates the basis for individual and class-action lawsuits. In addition, the reputational risk—widespread publicity over failure to protect citizens—could be exceptionally serious in data protection.

What should organizations do?

  1. Countries and states are enacting these laws and stepping up enforcement. There should be a sense of urgency by CIOs, CISOs, and CDOs in bringing their firm into compliance.
  2. Conduct an emergency inventory of compliance: Given the rapid emergence of these complex laws, it is very possible that your firm is currently out of compliance and open to civil action or prosecution. Screen for potential violations, prioritize them, and conduct compliance triage to first manage the most dangerous violations.
  3. Establish a global compliance monitoring system. DPP laws are changing rapidly and without warning. Establish a regulatory intelligence function to make sure you are always up to date. 
  4. Be prepared to rearchitect your data collection and management architectures. Changes may be required in how you collect, store and retrieve data on command.
  5. Be prepared to restructure your global IT infrastructure according to different data localization requirements. 
  6. Start to build out an in-country data protection presence. Legal interpretation, infrastructure management, and compliance processes will require local presence and resources. Warning — such talent can be scarce.
  7. Seize the upside of compliance and trusted data. Don’t just focus on compliance but also understand the revenue and cost-saving opportunities when customers trust you with their data. See our article The Upside of Trusted Data.

In closing – The new tax code?

An instructive way to think about data privacy is that it is the equivalent of a new tax code. It is highly complex and requires expert domain knowledge. It is costly in both personnel and infrastructure. The penalties are severe and becoming more rigorously enforced. Compliance is not optional — DPP is the law of the lands.

To be clear, data privacy does not have the complexity of tax codes. But in some ways, DPP can be more challenging than tax compliance. It may require more disruption of current processes and technology infrastructure. And the penalties — especially risks to the brand and customer relationships — may be even more severe.

But the final similarity is that both are not optional. Companies must move quickly to comply — to protect their brands, the local standing and the enterprise’s customers.

Summary

Despite the challenges, companies will need to come into compliance with multi-jurisdictional, complex data protection and privacy laws.

About this article

By EY Global

Ernst & Young Global Ltd.