The Washington Privacy Act (WPA) passed last month, joining a growing line of state-wide, national and regional privacy regulations redefining how data-driven enterprises engage with consumer data. While largely similar in their intent, these respective privacy laws and regulations diverge just enough to make tracking and ensuring compliance with each one an overwhelming task for just about any privacy team. This raises important questions around how global SaaS companies are dealing with this growing number of geo-specific data privacy regulations, which includes the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Russian’s Federal Law on Personal Data and China’s Data Protection Regulatory Guideline.
Consider the following example: Cora Laçione is the Head of Data Infrastructure at a company that offers the most compact, lightweight and high-quality yoga mats on the market. The product, branded YogiMate, is sold online through an online shop which just so happens to be one of the best resources for online yoga training videos. Cora is responsible for the data infrastructure supporting the company’s online store and its internal applications for collecting and analyzing website visitor interest and buying patterns. These data points are crucial to helping marketing and sales optimize their operations. While YogiMate was initially focused on consumers in California, it was recently featured on “The Yoga Tribune”, and international demand for YogiMate yoga mats have skyrocketed ever since. Now, demand is pouring in from the far corners of the earth, from France and Germany to Korea and the Philippines, all the way through to Australia! Overall, this is excellent news for YogiMate but an absolute maze for Cora and his team to unravel.
As a SaaS platform, YogiMate’s architecture and operations are designed to maximize economies of scale and leverage shared infrastructure and resources across all site visitors and customers. To achieve this, Cora has built the company’s data architecture to support all types of customers with a scalable and efficient data pipeline. While this is the best practice from a data engineering perspective, it creates multiple challenges when it comes to addressing the different data privacy requirements of different regions.
This is because operating globally introduces various legal considerations in order to support the legal rights of global customers. Data-driven companies must run off a list of questions before they can confidently feel that they comply. Among them are:
- Can data be shared?
- How can data be used?
- Where can data be stored?
- When should data be deleted?
- And, what is considered personal data?
These are just a few examples of the legal requirements imposed by different authorities, and each has its own definition and set of rules. As the Head of Data Infrastructure, it is Cora’s responsibility to provide solutions and guidance for any and all data access and data privacy requirements for YogiMate’s internal operations. Given that Cora has only one data infrastructure supporting all operations, how to address privacy regulations becomes a strategic decision with significant long term implications on operations and architecture.
Feeling overwhelmed? We’ve compiled a few strategies already employed by other companies to address the complexity of having one data infrastructure supporting multiple data privacy regulations.
The forward thinkers: These companies, usually focused on one market (and often in the US), are looking to get ahead of the incoming onslaught of state-specific regulations. They appreciate that California and Washington are just the beginning of what is soon to be a long list of states adopting data privacy legislation. To prepare for them ahead of time, these companies are already incorporating guidelines set by the existing regulations and what they can reasonably expect from those to come across the board of their robust data infrastructure.
When done well, this approach can help them significantly limit future exposure to future regulations and their potential disruption to operations. The tradeoff, however, is that it requires plenty of resources and effort to implement. Nonetheless, this heavy initial investment is often justified as one they would have to make sooner or later, as well as one that will keep them from having to re-architect their data infrastructure down the line to accommodate each new regulation.
The optimizers: For some companies, it isn’t viable to apply all data privacy requirements across the board. Indiscriminately applying restrictive measures where they aren’t required can significantly impact their competitive advantage by unnecessarily limiting their access to valuable data. For these companies, it is very important to be able to apply different controls and policies within the specific contexts of the data and data consumer. To achieve this, each use case is handled differently in accordance with their respective context. The main advantage of this approach is being able to maximize the return on data (RoD) for each audience without the limitations of other regional privacy rules. However, every amendment to a privacy regulation or new security or regulatory requirement will require the team to adjust internal practices accordingly.
The nimble: These companies are moving fast and are in no position to pull off an infrastructure-level change. They are growing fast and have yet to reach a stable state in their architecture (in fact, they may never reach one). For these companies, it’s imperative to find effective solutions that address the baseline requirements of data regulations without impacting their operations or requiring refactoring their data infrastructure.
There isn’t one right way to tackle the growing number of global data privacy regulations. It will very much depend on the nature of your company and its immediate needs. However, the key requirements from any of the strategies all highlight that compliance in some form or other is inevitable. Still, while an ideal solution would simply meet all existing and future requirements from the onset, it is clear that this cannot always be the case. Instead, companies must use the business’s context, as well as its data context, to apply the controls that will best suit their innovative and productive needs. Above all, they must be integrated without slowing down the business.
If you would like to learn more about how Satori helps companies address global data privacy requirements through its data protection and data governance platforms shoot us an email, take a look at our solution brief or subscribe to our blog.