Multinationals face difficult and unique compliance challenges to successfully meet the ongoing waves of government regulations for data privacy and security. The European Union’s General Data Protection Regulation (GDPR) went into full force this past May 2018. Compliance with GDPR requires that each line of business, compliance team, information technology staff, and the security operations center team reach alignment on new operating procedures and corresponding changes to IT infrastructure, applications, and security.
The problem is not limited to the requirements of GDPR. Beyond this we also have PCI, PII, HIPAA, the California Data Privacy Act, and much more. The very recently signed-into-law California Data Privacy Act goes into full force in 2020. This regulation brings many GDPR-like requirements to the management of data pertaining to California residents. Since California is such a large state, this will impact virtually every business in the United States, and far beyond, as they all likely have California customers.
Global scope of data privacy and security compliance
Multinationals are uniquely impacted by these compliance regulations. To begin with, regulations like GDPR are driven locally within the European Community, but the scope of impact is global. If any multinational business unit or operating entity conducts business with even one European business or consumer, it is required to be GDPR compliant. Every business that uses, processes, or controls data for EU citizens must meet all of the requirements of the GDPR. This responsibility applies both to any entity that processes the data and to the data controllers that direct that processing. If you are a Brazilian company with just one business unit that has EU customers, the impact and expense of GDPR compliance is likely daunting, and the financial cost of failing to comply is even greater.
Multinationals, despite their geographic distribution, must coordinate and execute rapidly in the event of a data breach. The GDPR requires all data controllers to notify the appropriate supervisory authority of a data breach without undue delay and not later than 72 hours after having become aware of it. That gives a multinational corporation just 72 hours to gather all related information, coordinate information technology, compliance, security operations, legal, finance, and the impacted line of business and report the data breach in a timely way to the relevant regulator. This must include the nature of the breach, the name/contact details of the organization’s data protection officer, the likely consequences of the breach, and the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects. This is a huge undertaking for any globally distributed enterprise and requires the development of a comprehensive playbook and execution plan. Also consider that one breach under GDPR may have an impact on multiple global business units, each with customer operations in the EU, yet each with different management and legal teams distributed around the globe.
Finally, consider that it takes an average of about 200 days to detect a breach, and that most data breaches are not detected by the breached entity itself. So imagine that your EU customers’ data is breached and the first time you hear about it is on the news. How will you handle that? How will you compliantly coordinate a response?
Extreme challenge of data management for multinationals
The data management problem for multinationals is now extreme. Data on your customers is not really your asset anymore. In the case of GDPR, EU residents now own their data forever. This is certainly a new way of thinking. Large corporations and multinationals are used to thinking about captured customer data as a key business asset. But now, it is truly no longer their asset if it pertains to an EU citizen or resident. Multinationals can still store and use the personal data but only if consent is given, and such consent can be withdrawn at any time. Every process and the infrastructure that supports it, both human capital and IT infrastructure, must be adjusted to support these requirements. Even thinking about sharing or using the data from one business unit to support the marketing and sales initiatives of another business unit is fraught with risk. Consider the impact of additional compliance regulations, such as the California Data Privacy Act and others – how will this be successfully and compliantly managed?