Global privacy regulations have evolved enormously in recent years. The reason: the importance and the need for companies to respect certain rules in order to preserve the integrity of privacy.
However, in a globalized economy, companies wishing to grow can no longer simply remain confined to the regulations of their country, especially when their activities cross borders. So, while the cloud has enabled the expansion of business activities, it has also complicated the issue of data privacy. These are now easily moved from one continent to another, passing through different servers, in regions of the world where the regulations are different.
So this patchwork of cloud services and regulations perfectly defines the impossibility of meeting all privacy requirements. However, there is a way, not always easy, to facilitate data storage compliance: the GDPR.
The advantages of a harmonized privacy policy
This regulation, which celebrates its 5th anniversary this year (already!), has become the highest standard of data privacy legislation in the world, and the majority has been codified in the international standard ISO 27701. The Union European Union takes this so seriously that in 2020, the Schrems II ruling invalidated the Privacy Shield, the international agreement that allowed companies to export data to the United States. Under the GDPR, transfers outside the EU are now prohibited unless adequate safeguards are provided. However, according to a recent study conducted on French marketing professionals by Dékuple, 90% of respondents indicated that their data compliance projects remain a priority today. The reasons for such a delay in implementation are multiple, but we think in particular of the complexity of the implementation, requiring multiple expertise and changes in internal processes. But we can also mention the succession of recent crises, which have shaken up the agenda of companies.
Increasingly aware of the value of their data, and of the different ways in which it can be used (and sometimes even manipulated), individuals are now choosing not to share it anymore. So making data privacy a core value for your business is no longer an option. According to the latest Cisco study published in 2023 (Data Privacy Benchmark), 96% of French people think that companies still need to do more today to reassure them about the use made of their data. And beyond the ethical considerations, better privacy also becomes a commercial asset, making it possible to considerably improve the data collected. In fact, 78% of French companies claim to derive significant benefits from their investments in privacy protection.
By adopting this level of compliance in all the countries where you operate today, your company can boast of maintaining the highest level of data protection requirements, without exception. From a legal point of view, this also allows it to gain in execution time and in simplicity, since the regulations serve as a model for other countries, which are gradually adopting new, increasingly drastic laws in terms of confidentiality.
GDPR, everywhere, all the time
But what does this strategy look like in practice? Consider the GDPR as a global standard and apply it internally, for each country and each of your subsidiaries. By complying with this (admittedly) demanding standard, you will easily comply with all the new standards that are likely to emerge. A significant efficiency gain thanks to this more universal approach, which has the advantage of being the most respectful of users’ privacy.
Of course, the GDPR does not adapt to all situations, and some companies may have to use a non-compliant supplier. Take this example: a supplier in the United States only processes personal data of American citizens. Technically, the rules don’t apply here. But not applying it also means a shortfall in the bond of trust that the company weaves with its customers. Making exceptions means creating new processes and may imply to your customers that privacy is not a priority. But if it is absolutely necessary to use a non-GDPR compliant provider, anticipate and document everything. Create an additional measures assessment, perform a full vendor privacy and security audit, and put action plans in place to replace the vendor with a compliant one. Finally get a written risk exception signature from your management. Think of this last piece as an important paper trail that proves the company recognizes and accepts this risk.
Once a company has adopted a privacy-centric approach, it shouldn’t stop there. It is indeed important to remain attentive and to observe market developments and trends. Because beyond the GDPR, the European Union is already shaping the digital future of Europe and the use of data with the “Data Governance Act”, a new regulation whose effects will come into force in September 2023. objective: to establish “a comprehensive approach to the data-driven economy which aims to increase the use of and demand for data and data-driven products and services across the single market” (European Commission ). A very different approach from the United States, where data management is generally left to the private sector, and therefore requires additional safeguards and inspections. By not only being up-to-date with regulations, but also anticipating them, companies can make privacy compliance a real differentiator.