Global Privacy Compliance: An Oxymoron?
The word “football” means one thing in the US, another thing in Australia and something very different in most of the rest of the world. The same is true with the word “privacy.”

In the U.S., our private personal data is the property of the people who hold it. In most other parts of the world, personal data is the property of the individual. While it is true that the data “owner” has responsibility for its safekeeping, it is also true that individuals have very little control, which means that viewing personal data as the property of the individual isn’t enough to keep it safe.

Laws are evolving to protect the sanctity of an individual’s information, but an ongoing debate questions their effectiveness. One thing, however, is beyond debate: doing business across borders and across laws is a daunting problem.

When dealing with the complex world of compliance, the challenge is to develop a clear understanding of the differences and the similarities in the evolving myriad of privacy policies. Dealing with one law and one locale at a time creates an impossible task. To overcome that, you need to find the commonalities, the underlying principles that knit seemingly disparate laws together.

Perform a Google search on “global privacy” and you’ll get over a billion returns. This is an apropos illustration of the complexity of the global compliance landscape. In the U.S. alone, there are approximately 13 federal bills in the legislative process and dozens of state regulations already in effect to safeguard nonpublic, private information (NPI).

In many cases, these laws and proposals present requirements that are mutually exclusive. Many of the pending federal laws are designed to supersede the labyrinth of state laws. This motivation comes from a desire to normalize data protection in order to simplify doing business across state borders. But while the goal is laudable, the issues are extremely complicated.

Take the European Privacy Directive (EPD). It provides guidelines for safeguarding the personal information of any “identified or identifiable natural person” by any entity with permission to collect or process that information. This includes any information by which someone could be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity.

Compliance specifically requires insight into and control over the use and disclosure of personal information. But each country that falls under the EPD is responsible for creating its own specific laws implementing the EPD, and each of those laws has different requirements.

Similar to state laws in the U.S., many of these regulations clash with each other.

An important point to understand is that legal requirements, independent of their country of origin or industry of application, are technology-agnostic. It is our responsibility as fiduciaries of sensitive data to show that we have control. This paints IT personnel into a tricky corner when it comes to acting on compliance mandates handed down from management.

This means that organizations dealing with diverse requirements encompassing broad issues, ranging from keeping doors locked to information technology management, must go back to the roots of compliance.

EPD, PCI, SOX and HIPAA were all designed to ensure that companies could be trusted. At the root of all of these requirements is a simple request: be accountable for what happens to the information you have in your trust.

Marv Goldschmitt is VP of Business Development for Tizor Systems, a provider of enterprise-class, real-time data auditing and protection solutions for regulatory compliance, data security and business assurance.