To protect the privacy of their citizens’ personal data, governments around the world are enacting ever-more-stringent regulations on companies that collect and use personal data. For businesses with international operations, ensuring compliance with applicable laws on a country-by-country basis can be incredibly resource-intensive, complicated and duplicative.
It doesn’t have to be this way, however, as we’re learning at Robert Half, largely as a result of our company’s efforts to comply with the European Union’s (EU) General Data Privacy Regulation. By looking at the various data privacy laws holistically, instead of at a micro level, companies that conduct business in multiple geographies can create a more structured, efficient and manageable compliance initiative.
Organizations that meet the GDPR’s requirements will be well on their way to meeting other data privacy laws around the globe. That’s because those laws are either less exacting than the GDPR or are derived from the regulation. The key provisions in Brazil’s new General Data Privacy Law, as an example, are very similar to the GDPR, including significant extraterritorial application and hefty fines.
That said, it wasn’t until our company was well underway with our GDPR compliance work that we recognized we had an opportunity to make data privacy compliance easier for our business overall. Here is a description of our experience at Robert Half in the form of four strategies other businesses can consider using to develop a holistic approach to data privacy compliance.
1. Involve key executives
At the outset of our GDPR remediation project, we established not only a global task committee, but also a Global Senior Executive Steering Committee. We did so because, given the size and importance of the GDPR project and the fact that it impacted every department in our company, we felt that we needed senior executives to be directly and actively involved in the remediation process.
Creating a global senior executive committee is critical to moving these compliance initiatives forward because it leads to quicker, uniform decision-making and expedites the process of securing funding.
The second committee, a global task force, is responsible for implementing the decisions made by the global senior executive committee.
This approach has been so successful for our GDPR compliance project that we are now using the same model for an increasing number of our global data compliance initiatives at Robert Half. We have transformed the GDPR committees into an overall data privacy committee that meets at least quarterly. Like the GDPR committee, the data privacy committee includes our company’s chief administrative officer and representatives from human resources, IT, legal, marketing and the Robert Half and Protiviti (a global consulting firm and our wholly owned subsidiary) staffing and consulting teams. We recommend this step for other organizations desiring to streamline their compliance efforts across multiple countries.
2. Create an inventory of all applicable data privacy laws
After we developed our action plan for GDPR remediation and compliance, our team created a spreadsheet that includes all of the data privacy laws affecting Robert Half’s and Protiviti’s operations around the world. Then, we took a closer look at those regulations to identify common threads.
If we find that a law in a particular country is almost identical to the GDPR, then we know that we can simply implement the same GDPR solution for that country. What we’ve learned through this process is that a lot of the work we were doing previously was repetitive, duplicative and inconsistent. By having one place to review the global laws, we can look for trends across the various countries and implement one common, consistent solution, reducing redundancies and the costs of compliance.
3. Tap expert resources — and designate a data privacy project manager
Robert Half has an advantage in our GDPR and other global data privacy compliance efforts in that we have direct access to global compliance experts through our Protiviti subsidiary. We would have otherwise needed to tap outside resources for help. GDPR compliance alone is a massive undertaking and missteps can be extremely costly, so it makes good business sense to consult the experts.
We also recognized that we needed a single point of contact to oversee ongoing data privacy compliance efforts for the entire enterprise. So we hired a full-time data privacy project manager who runs our global task committee, reports to the global senior executive committee, and is responsible for tracking our various remediation and compliance projects. This person’s sole job is to ensure the company remains in compliance with all relevant data privacy laws worldwide, including managing the process of responding to data subject access requests.
4. Document and centralize all work
It is critical for companies to keep detailed records of past projects that are easily accessible for future data privacy compliance initiatives and to respond to audits or inquiries from data privacy authorities. We have documented every step we have followed in our work for GDPR and other laws. And we have invested in privacy management software to ensure documentation related to our data privacy compliance processes is in one place.
We recognize that data privacy is a moving target with continually evolving risks, and no company is completely fail-safe. We are, however, optimistic that these four strategies will allow us to more swiftly adapt our processes and procedures in response to any changes in existing laws or to new mandates that may emerge. It is our hope that other companies can benefit from our experiences.