As companies aim to keep pace with an ever-expanding privacy regime, the question of how they should meet new privacy compliance requirements is a hot topic. Privacy managers and counsel are faced with the following options: Should they apply a uniform standard across all jurisdictions, adopt an individualized approach to each jurisdiction or adopt a combination of standard practices with a “lift, shift and drop” for individual requirements?
Why is a uniform approach difficult?
While a uniform approach may present economies of scale at first glance, practitioners posit this is not the case due to continuous changes in the law and the fluid nature of data flows. Given the pace of development in the former, businesses are now required to allocate different resources to track whether new laws govern their data flows.
Arguably, the privacy landscape is a complex one because it is multijurisdictional. As data is collected and transmitted across several borders, the rights and obligations of different stakeholders are governed by laws of more than a single jurisdiction. Before the EU General Data Protection Regulation, establishments in the United States looked at federal privacy rules related to the subject matter of their businesses (with specific attention to financial, medical and children’s privacy) and legislation in the states where they had a presence.
The GDPR shifted focus to the data subject by extending its territorial scope to U.S. companies and organizations that controlled or processed data of EU residents, requiring these entities pay special attention to the geographic location of their data subjects. Enforceable standards for data processing, data subject rights, security breaches and international transfers were introduced. As many U.S. companies made changes to adhere to these standards, they were required to review their privacy policies again t ..
Support the originator by clicking the read the rest link below.
