A data protection plan sets out what a business needs to do to keep its information safe and secure. Here we explain what a data protection plan is, the key elements required, and how it fits in with your international expansion goals.
1. Data might sound like an overused buzzword these days, but it is important not to underestimate its high value.
2. Many organisations now have people in C- or other executive-level positions whose entire role involves the management and protection of data to deliver business value.
3. Most countries now have data protection laws and international agreements—e.g., the EU General Data Protection Regulation (GDPR)—which carry significant financial (and potentially criminal) penalties for breaching them.
4. If you are considering an international expansion, building a data protection plan that is specific to the jurisdiction where you plan to operate is a must.
The Role of Data in the Modern Organization
As technologies continue to evolve and the world becomes more connected, the value of data, especially customer personal data, keeps rising. It is so valuable, in fact, that it was described by The Economist in 2017 as the world’s most valuable commodity, ahead of oil.
It should be seen as no coincidence, then, that more and more organisations are bringing in people at C-level to oversee the processing and protection of their data. Known as CIOs (Chief Information Officers), these people are under mounting pressure to ensure not only that the organisation is compliant with its data processing and protection obligations, but also that its data is used effectively to deliver business value.
However, to achieve this goal and deliver business value with data, it is important that organisations are thoroughly and compliantly managing and protecting it.
Developing a data protection plan is a crucial part of compliance with data protection laws and regulations. For businesses in the European Union, or doing business with customers based there, this means complying with the General Data Protection Regulation (GDPR). But it is also a requirement in various other jurisdictions, such as California (under the California Consumer Privacy Act or ‘CCPA’) and Brazil (where it is known as the ‘LGPD’). China’s PIPL also has similar requirements.
To read more about Brazil’s new data protection law and how it differs from the GDPR, check out What is Brazil’s LGPD? Four Differences from the GDPR.
In this article, we are going to cover the basics of data and why it is important to have a plan in place to manage and protect it. This is especially true if you are considering taking your business overseas, for example into Europe, where there are specific legal frameworks for data protection (and serious penalties for organisations that breach them).
What is Data Management?
If you were to ask someone what data management means, you would probably be met with a blank stare. This is because there is a general lack of understanding about what it really is.
In short, data management is a set of disciplines—e.g., data collection, data processing, data analysis, data storage, data protection—that come together for operational and reporting uses.
While it is generally accepted that the biggest data-related issue facing organisations is that they don’t know how to use it properly or what they want to achieve with it, it’s (arguably) not the most important one: data protection is.
Data protection is the process of safeguarding important information from theft, corruption, loss, or other compromises.
The importance of data protection, and of having a thorough data protection plan, increases as the amount of data being generated, collected, and stored grows at unprecedented rates, while general tolerance for bad data management and protection—from both stakeholders and legislative authorities—continues to fall.
What Does a Data Protection Plan Cover?
Data protection is therefore not just a legal necessity but crucial to protecting your business and maintaining its reputation. Key pieces of information that are commonly collected and stored by businesses include:
This information can pertain to everyone from customers to your staff members, shareholders, and business clients. Protecting all this personally identifiable information (“PII”), in accordance with relevant data protection laws, requires businesses to take data protection seriously, adopt best practices, and adhere to specific principles.
Due to the way the legal situation varies between different countries and legal jurisdictions, it is impossible to create a one-size-fits-all guide for how to build your own data protection plan that is also catered to the individual needs of your organisation.
What we can do, however, is talk about some of the important features and elements that go into a typical data protection plan. With this information, you can start to build an understanding of what might be required when it comes to working with an international PEO to build a plan for your own organisation.
Important Elements of a Data Protection Plan
Here are five important elements of a data protection plan that you need to think about when you are building one for your organisation:
Is a Data Protection Policy the Same as a Data Protection Plan?
In many ways, yes. Data protection policy and data protection plan are largely synonymous and have the same meaning. Other terms commonly used include ‘data protection audit plan’ and ‘data protection implementation plan’.
That being said, some companies will have a separate data protection policy in addition to their data protection plan. If this is the case, the data protection plan will set out how the organisation plans to protect its data while the data protection policy will essentially be the internal “rulebook” for how employees should behave when handling personal data.
How a Data Protection Plan Fits in With Your International Expansion
When you are considering an international expansion—as we have already mentioned—it’s important to make sure that you have a data protection plan in place for each jurisdiction you wish to expand to. This is because every legal jurisdiction has its own unique framework and set of regulations that govern everything to do with data, especially data protection.
The biggest example is the situation in Europe and the GDPR. To ensure compliance with the GDPR, organisations need to ask themselves questions like:
Data privacy and protection is an ultra-complex legal minefield. The situation varies wildly from country to country, with organisations in some nations—such as those where the GDPR applies—subject to extremely wide-ranging data protection laws.
Due to the severe penalties that can be imposed on organisations like yours for non-compliance, it is crucial to consider how the data that you collect is stored, controlled, manipulated, and protected and how different data laws might apply as a result.
New Horizons Global Partners is a global professional employer organisation (PEO) that specialises in corporate international expansions. Our specialists can advise on a wide range of issues, including compliance with applicable privacy regulations and data protection legislation such as the GDPR.
So, if the thought of data protection still has you scratching your head, feel free to reach out to us for a zero-obligation introductory chat and find out how we can help.