How can we keep pace with policy obligations while maintaining data privacy best practices?

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jacques Cantin, Global Shaper, Auckland Hub, New Zealand

• Even organizations with the best intentions find themselves held back by compliance as they are often at odds with the pace of internal operations.
• Keeping up-to-date with compliance involves anchoring precautionary best practices and creating a proactive internal culture.
• Now is the time to stay ahead of the compliance curve and to sketch what that curve looks like.

Even organizations with the best of intentions find themselves held back by compliance. Evolving compliance obligations are often at odds with the pace of internal operations and adoption. This dynamic is particularly salient in the context of adherence to privacy regulations.

This game of catch-up constrains resources and may trigger potential non-compliance —and the actual costs that follow. Success in navigating these challenges is not via reactionary measures to legislative shifts. Success lies in anchoring precautionary best practices, resulting in a proactive internal culture.

Attuning precautionary practice within a company’s processes, strategies and ethos ensures cultural endurance. Endurance ensures organizations are ahead of policy development and continually hone their agility.

Let’s discuss how organizations can design precautionary frameworks (while being wary of challenges and red herrings in that process) and how such frameworks can help organizations gain a competitive edge and safeguard stakeholder trust.

Discover

How is the World Economic Forum addressing rising cybersecurity challenges?

The Global Security Outlook 2023 revealed that 43% of leaders polled believe that a cyberattack will materially affect their organization in the next two years.

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

Learn more about our impact:

• Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
• Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

Don’t be reactionary

The status quo of acting on data privacy obligations is essentially reactionary. Organizations typically await external pressures to drive internal compliance. New laws, updated regulatory requirements or specific procedural requirements prompt updates to internal frameworks and practices. Internal data privacy measures are often merely adequate to meet their legislative obligations. Such a passive approach stacks companies’ compliance backlogs upon unexpected burdensome policy changes.

The core limitation of reactionary practice is its inherent lack of agility. Where data privacy measures match legislative mandates, any regulatory alteration requires substantial shifts. This approach results in a lag, temporarily falling out of compliance until gaining awareness of new changes and adapting to the new requirements. Moreover, such a model tends to foster a checkbox mentality. Emphasis is placed merely on meeting requirements, rather than understanding core intent. Instead, emphasis should concentrate on the purpose behind regulation: protecting individuals’ privacy rights.

If organizations persist in their reactive stance, they will likely find themselves perpetually on the back foot. New cyber polycrises driven by emergent technologies can feed this challenge. Organizations will scramble to address new legislative demands. Proactive investment in dynamic frameworks and adherence to best practices causes the converse. Organizations become poised to anticipate, respond to and even pre-empt these emerging threats. They operate not just in compliance with the current legislation but in alignment with the broader data protection ethos.

Move to a proactive position

A paradigm shift is crucial to transition from a reactionary to a proactive stance. The first step is to shift the view of data privacy compliance as an external mandate to a core component of ethical responsibility. Regular workshops and embedding a dedicated data privacy team can enhance this cultural shift. By understanding the broad implications of data privacy non-compliance, deeper proactive behavioural shifts follow.

The next step for organizations that cultivate proactive approaches towards data privacy is the adoption of precautionary best practices. These are practices not mandated by current legislation but anticipated to be required in the future. Monitoring the trajectory and understanding technological advancements accelerates the adoption of best practices ahead of time. Foresight ensures preparedness and positions these organizations to set benchmarks to be followed.

A unique challenge arises with the advent of the development of precautionary legislation. Technology that is not widespread but foreseen to have significant implications is often precautionarily regulated. Proactive organizations must then predict the implications of new technology alongside adopting best practices. This proactive approach ensures that when a technology does become mainstream, the organization is already well-equipped to handle its data privacy challenges.

At the heart of proactive best practice adoption lies the imperative to modify subjective norms and changes in daily behaviours. Feedback loops monitoring current practices with emerging best practices help fine-tune behaviours accordingly. Audits, for instance, pinpoint areas of non-compliance or where the organization might fall behind.

Collaborate

Organizations do not operate in isolation. There’s immense value in collaborating with industry peers. Forming or joining a consortium of companies can aid in sharing insights and drive the adoption of best practices. Limits arise in industries known for their slow adaptability or those with a track record of struggling with compliance. The challenge here is to turn competitors into collaborators — leveraging collective knowledge to address data privacy challenges pre-emptively.

Proactive adoption of best practices bolsters organizations’ positions as industry leaders. Taking a proactive data privacy stance comes with monetary and effort costs. However, long-term benefits far outweigh the initial expenditure:

1. By staying ahead of precautionary legislation, organizations reduce the risk of non-compliance penalties and the associated reputational damage.

2. Customers and stakeholders value organizations prioritizing data privacy and enhancing trust and loyalty.

3. Proactively addressing challenges is often more cost-effective in the long run than hurried, last-minute adaptations to new regulations.

Thus, what seems like a cost today can lead to significant savings and even profits in the future. They lead not only in implementation but also in influencing policy design. Engaging with policymakers and offering insights from designing their internal frameworks allows organizations to have a hand in guiding legislation. Policymakers can learn from the effectiveness of best practices and their experiences and miss-steps. Having this input results in policy, which may only need to be updated intermittently.

Organizations have a choice. They can either reactively adapt, always playing catch-up or, proactively lead and set standards or even influence policy. The latter ensures compliance, maintains trust, and ensures organizations endure. They can always be ahead of the curve and sketch what the curve looks like.