by Ross Misheev, Morae Compliance Services

Data privacy laws such as GDPR, CCPA, LGPD and others are sweeping the globe, capturing headlines and significantly impacting the way companies handle and store personal data. Global companies face an even greater challenge since they must comply across multiple jurisdictions, most commonly through one of two key approaches for privacy compliance:

  • Work to introduce compliance standards in each jurisdiction as local laws are introduced, OR
  • Apply a set of universal standards across all jurisdictions

Most global companies either have or lack the resources needed to closely manage disparate sets of standards across the company, so the decision on what to do can seem obvious depending on their circumstances. For many, the global view is the way to go. But how do you get there? How do you balance the relative ease of adopting global standards against the downside of having rules that might exceed local requirements and impact competitiveness?

At Morae, we have found that what works best for our clients is to develop a set of global standards based on the highest bar, which in many cases will be GDPR, while allowing space for key customizations, particularly where those customizations enable a company to remain competitive locally. To achieve this, we’ve designed a freedom-within-a-framework type of implementation.

Let’s take cookie management as an example. Several countries, including those in Europe, have adopted an “opt-in” model for cookie consent. But many countries, including the US, still follow the “opt-out” or “implied consent” model. Adopting an “opt-in” model can have a significant impact on companies that rely heavily on their digital platforms for business. In our freedom-within-a-framework model, our clients can maintain a standardized and transparent approach to cookie management through the consistent use of a cookie banner (even where not required), while at the same time allowing for two different types of implementations to address local market requirements.

For Europe and certain other areas, such a banner would support express consent through an opt-in methodology, whereas in the US and other areas, a different banner appears that simply informs visitors of a company’s cookie policy. This framework provides companies with greater agility to shift their compliance footing as needed to meet evolving obligations within specific jurisdictions.

The key to a successful implementation using this approach to privacy compliance is to establish global standards and identify opportunities unique to your business that allow for some elements of “freedom” and perhaps even value creation in terms of increased business agility and local competitiveness.