Why do companies need to consider privacy regulations when expanding into other markets?

Data privacy is a major issue and that’s only going to increase in importance globally. Companies that take a well thought out approach to market expansion will most certainly want to consider the privacy regulation of each new country they enter. This is because the risk of noncompliance can have substantial consequences. The fine for a violation of GDPR can be up to 4% of annual revenue.

Ignorance is no defence when it comes to following these laws. To cite one instance of this, the Italian data protection authority (DPA) fined a company €75,000 for failing to appoint a Data Protection Officer (DPO) - which they were unaware was a requirement.

Companies need to embrace data privacy and accept that these laws reflect popular opinion in new markets. GDPR and other data protection laws are widely popular, and the average consumer in these countries expects companies to honour and comply with them. Failure to do so could not only result in a substantial fine but could lead to reputation loss, which can be deadly for a product seeking adoption in a new market. 

The good news for companies that embrace data privacy and make it core to their ethos and operations, is that it can become a real differentiator and there’s plenty of evidence to support that. For example, a study by Cisco found that over 50% of consumers would switch companies simply because of their data policies or data sharing practices. Meanwhile, additional research by Cisco found that 70% of organisations say they received significant business benefits from privacy beyond compliance, including better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust. 

Building on this point, research by Gartner forecasts that by 2023, companies that earn and maintain digital trust with their consumers will see a 30% increase in their digital commerce profits compared to their competitors.

What are the possible consequences of failing to factor-in differing privacy regulations when entering new territories?

Looking at Europe for example, one of the most important effects of GDPR was bestowing new rights to individual 'data subjects' in the EU. This means that if a company operates in the EU, it must be able to accommodate these rights when a European citizen requests them. These obligations take significant time and effort to put in place, as they involve setting up new processes, establishing new roles and heavier responsibilities.

Failing to meet these obligations is, for one, a violation of European law. But it’s also potentially damaging to long-term customer retention. Customers are increasingly conscious of the organisations that take their obligations seriously and those that don’t. Having a responsive and comprehensive privacy program should be a high priority in any region, but especially in those that confer individual rights to data subjects. 

What is the main privacy challenge when moving a company into new territory?

The main challenge is a lack of understanding what data they actually process, who they transfer it to, and why they actually do it. The problem stems largely from an inherent disconnect between the people in an organisation who are responsible for answering questions about data processing activities.

A related challenge is the absence of a privacy culture in many teams currently working in technology. Conventional wisdom in the startup world prioritises rapidly acquiring new customers, adding new features to improve the user experience, and moving as quickly as possible to find product market fit. These goals are often at odds with a culture of privacy:

For the past few decades, tech companies have introduced features that may add a certain level of convenience to the product, or deliver more personalised content. However, those almost always require more personal information going to them.

Finally, the need for technology companies to “move fast and break things” in the words of Mark Zuckerberg, has resulted in vast technical debt, accumulated over many years of collecting more data than ever needed, which has led to a situation now where companies do not actually know how much data they are processing. What’s known in computer science as “kluge” - a software or hardware configuration that, while inelegant, inefficient, clumsy, or patched together, succeeds in solving a specific problem or performing a particular task - is most certainly applicable to the state of data management in many companies today. GDPR and other data protection laws are requiring countries to better understand this patchwork of data collection and it is understandably a difficult task.

What are the top four ways that a company can get a handle on data privacy when moving territories?

In my view, those are

  1. Conduct thorough data mapping and maintain a record of processing activities (RoPAs)
  2. Undertake a privacy health check and a fast-track privacy audit
  3. Consult with privacy professionals
  4. Deploy third party privacy compliance software tools
Looking to the future, how can companies stay ahead of privacy regulations in new territories?

The safest approach to staying ahead of privacy is to consult a team of privacy professionals, ideally representing different regions of the globe, whose job is to stay on top of these trends in regulation. Any single person would have difficulty keeping up with the volume of information and the rate at which it is changing, but a team of privacy professionals can provide that breadth of knowledge.

Many startups are choosing to appoint an independent DPO to help them address the privacy related challenges associated with expansion into new territories. There are two compelling reasons for this.

First, an independent DPO will have a good understanding of privacy regulation related to disciplines including human resources, legal, corporate structure, IT and cyber security. Second, as an independent advisor, DPOs are free of potential conflicts of interest.