Companies faced with meeting the requirements of the General Data Protection Regulation face a complex task. For businesses with limited grounding in data protection, understanding the law, mapping data, conducting risk assessment and mitigation, developing policies and protocols to govern data privacy and producing necessary documentation represents a significant investment of time and resources. Even for companies with data governance programs in place, reviewing those programs to ensure they meet the obligation of the GDPR and making necessary adjustments is a significant undertaking.
But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since its adoption in 2016, the GDPR has served as a model for governments around the world as they have established their own data protection regimes. The essential elements of the GDPR – the requirements to honor individuals’ rights in their data; to train employees about their responsibilities with respect to privacy; to conduct data protection impact assessments to understand the risk processing poses for individuals; and to be prepared to demonstrate to regulators the decisions a company makes about data processing – are reflected in laws in countries in Asia, South America, and Africa. Any legislation to be enacted in the United States will likely also include these key obligations.
Companies in compliance with the GDPR will have already done the foundational work necessary to comply in these countries and regions. While some variation in the laws globally is inevitable, the basis for compliance will already be established.
This work benefits companies in three ways: First, establishing an internal privacy program as articulated in the GDPR positions a company to meet the obligations of emerging laws around the world — and therefore prepares it to enter new markets.
Second, companies that establish GDPR compliance position themselves as sought-after vendors. Increasingly, companies engaging third parties to store and process data include in their contract provisions requiring that vendors are able to meet the obligations to protect and secure data. Businesses prepared to immediately enter into such agreements – without needing time to meet requirements – will enjoy a competitive advantage over those that are not.
Finally, potential business partners also seek these assurances. Companies understand that sharing data with business partners can expose them to legal risk and potential compromise to brand and reputation. GDPR-compliant companies will be recognized as having taken steps that establish them as trusted partners that are knowledgeable about data and will protect it appropriately.
The GDPR’s influence on data protection law leverages a company’s efforts to comply. The steps a business takes to meet the obligations of the GDPR will ease its compliance burden in other countries and regions, and distinguish it as one prepared for opportunities in the global market.
The European Commission announced in December that it has begun the process of adopting an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to align with this new change.