Multinationals face difficult and unique compliance challenges to successfully meet the ongoing waves of government regulations for data privacy and security. The European Union’s General Data Protection Regulation (GDPR) went into full force this past May 2018. Compliance with GDPR requires that each line of business, compliance team, information technology staff, and the security operations center team reach alignment on new operating procedures and corresponding changes to IT infrastructure, applications, and security.
The problem is not limited to the requirements of GDPR. Beyond this we also have PCI, PII, HIPAA, the California Data Privacy Act, and much more. The very recently signed-into-law California Data Privacy Act goes into full force in 2020. This regulation brings many GDPR-like requirements to the management of data pertaining to California residents. Since California is such a large state, this will virtually impact every business in the United States, and far beyond, as they all likely have California customers.
Global scope of data privacy and security compliance
Multinationals are uniquely impacted by these compliance regulations. To begin with, regulations like GDPR are driven locally within the European Community, but the scope of impact is global. If any multinational business unit or operating entity conducts business with even one European business or consumer, they are required to be GDPR compliant. Every business that uses, processes, or controls data for EU citizens must meet all of the requirements of the GDPR. This responsibility flows from any entity processing data and the data controllers that provide that direction. If you are a Brazilian company with just one business unit that has EU customers, the impact and expense of GDPR compliance is likely daunting, with the financial cost of failing to comply being even greater.
Multinationals, despite their geographic distribution, must coordinate and execute rapidly in the event of a data breach. The GDPR requires all data controllers to notify the appropriate supervisory authority of a data breach without undue delay and not later than 72 hours after having become aware of it. That gives a multinational corporation just 72 hours to gather all related information, coordinate information technology, compliance, security operations, legal, finance, and the impacted line of business and report the data breach in a timely way to the relevant regulator. This must include the nature of the breach, the name/contact details of the organization’s data protection officer, the likely consequences of the breach, and the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects. This is a huge undertaking for any globally distributed enterprise and requires the development of a comprehensive playbook and execution plan. Also consider that one breach under GDPR may have an impact on multiple global business units, each with customer operations in the EU, yet each with different management and legal teams distributed around the globe.
Finally, consider that it takes an average of about 200 days to detect a breach, and it is a fact that most data breaches are not usually detected by the entity that has actually been breached. So imagine that your EU customers’ data is breached and the first time you hear about it is on the news. How will you handle that? How will you compliantly coordinate a response?
Extreme challenge of data management for multinationals
The data management problem for multinationals is now extreme. Data on your customers is not really your asset anymore. In the case of GDPR, EU residents now own their data forever. This is certainly a new way of thinking. Large corporations and multinationals are used to thinking about captured customer data as a key business asset. But now, it is truly no longer their asset if it pertains to an EU citizen or resident. Multinationals can still store and use the personal data but only if consent is given, and such consent can be withdrawn at any time. Every process and the infrastructure that supports it, both human capital and IT infrastructure, must be adjusted to support these requirements. Even thinking about sharing or using the data from one business unit to support the marketing and sales initiatives of another business unit is fraught with risk. Consider the impact of additional compliance regulations, such as the California Data Privacy Act and others – how will this be successfully and compliantly managed?
The documentation requirements to administer all of this new compliance are extensive. Multinationals are required to maintain privacy notices, policies, operating procedures, risk assessments, records of data processing, 3rd party data processing agreements, government submissions, and a multitude of consent forms and other documents. All of this must be done using the correct response to local regulations, which delineate formats, languages, and much more. Operating procedures with respect to data retention and management must be reviewed and updated to meet the requirement (in the case of GDPR and the California Data Privacy Act) to delete personal data when there is no longer legitimate need for it. All of this must be documented, logged, and auditable in the event that any regulating authority decides to investigate a reported event or complaint.
Data residency comes into play in most data privacy legislation. Once again, in the case of GDPR, personal data cannot be transferred outside of the EU without adequate protections. If your country is not determined as providing adequate protection, then generally the GDPR-regulated data is required to be resident within the EU. Consider the implications if you are a multinational with headquarters in Brazil, with one or more operating entities in the EU. Right now, Brazil addresses data protection minimally through their Consumer Protection Code, Internet Legal Framework, and Criminal Code (amended by law 12737/12). These Brazilian protections are not enough for the EU to determine equivalency, at least at this time. How will you manage this? How will management in Brazil and elsewhere review summary data on the state of your global business, while restricting access to personal and sensitive,regulated data that must only be accessed by your EU personnel?
Use of cloud poses compliance risks
Most multinationals have a very large and disparate combination of cloud-based and on-premise applications. By our estimate, most have at least 500 clouds in use, and many of the largest have several thousand. All of these create risk for your compliance efforts. It is difficult to near impossible to maintain all of these 500 clouds once the overlay of compliance comes into play. How will you know if sensitive data moves in a potentially non-compliant manner up and into any of these clouds? How will you ensure that these clouds secure your data adequately? How will you even know what clouds you have in use at any moment? All of this must be addressed in order to meet all of the varying compliance requirements.
In vendor provided cloud-based SaaS applications, the best situation for a multinational is to run the minimum number of instances. Ideally, one global instance can service all of the compliance and security needs for business operations in each country. The drivers for this are both cost and management’s need for global access to real-time summary data by the executive team. To do this the applications must be protected and anonymized with end-to-end “edge” encryption technology and the integration of multiple key management systems that can make this all work.
Multinationals need enhanced visibility and controls
In summary, multinationals have a large number of complex challenges to meet which are driven by a multitude of global compliance regulations and the increasing threats to data security. There are many scenarios a multinational will face where each country in which they do business may require different controls for data privacy, data protection, data sovereignty, and data residency. To meet these challenges and succeed, multinationals must have enhanced visibility across their global key assets and comprehensive controls to meet the requirements of global, regional and country compliance regulations.