Toward a new era of data privacy & security regulation

The challenge of managing data
Given that businesses have access to an increasing volume of data, they are faced with the challenge of how to aggregate and analyze that data to make sense of the multitude of undifferentiated data points.
The potential to develop business insights from that data creates tremendous opportunities, but it also brings significant challenges for companies across all industries. One of those challenges is reconciling the commercial need to structure and analyze data with increasingly complex and sophisticated data privacy and protection requirements around the world.

Some signs of harmonization
Most data privacy and security laws and regulations around the world are relatively young and largely uncoordinated. As a result, “countries have largely been able to do whatever they want in terms of setting regulatory priorities, and have not worried about limitations on their power emanating from global trading rules,” says Brian Hengesbaugh, who chairs Baker McKenzie’s Global Information Technology/Communications (IT/C) Data Security Steering Committee.
While global coordination and harmonization of data protection laws has been limited, in Europe, governments and companies noted the potential effect of privacy laws as trade barriers relatively early and sought to harmonize national privacy legislation with the 1995 EU Data Protection Directive. On May 25, 2018, the General Data Protection Regulation (GDPR) will replace the directive, ushering in a new era of data and privacy protection.
The GDPR will be directly applicable in all EU Member States and has a wide territorial scope: not only will it apply to any company that is established in the EU, but also to any company outside the EU to the extent it processes data in relation to the offering of goods or services to, or the monitoring of behavior of, individuals in the EU. This means that organizations across the globe, once “safe” from the Data Protection Directive’s reach, will need to ensure their data protection practices comply with the GDPR — a major compliance task.
With its stringent requirements and high penalties (up to 4% of the worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is greater), the GDPR is widely seen as setting the new standard for privacy compliance. It cements and upgrades a wide range of rights for data subjects, including the right to data portability (the right to obtain a copy of one’s personal data from the controller and have it transferred to another controller), the right to erasure (or “right to be forgotten”), the right to restrict processing and certain rights in relation to profiling. It also raises the bar on standards for consent, cross-border transfers and data breach notification, to name just a few.
According to a Baker McKenzie survey, a majority of data privacy professionals expect that organizations will need to devote more spending and effort to complying with the GDPR, particularly its consent, data mapping and cross-border data transfer requirements.[23]
Significantly, like its predecessor law, the GDPR could become a template for data-focused regulation in other regions and countries throughout the world. Argentina, Israel, and Japan, for example, have adopted privacy laws loosely modeled on the provisions of the EU 1995 directive. Switzerland plans to amend its privacy laws to reflect the GDPR standard, and the UK government has confirmed its intent to incorporate the GDPR into national law post-Brexit. “Countries want to be adequate in the eyes of Europe’s regulators,” says Julia Kaufman, a partner in Baker McKenzie’s Munich office, “and they want their companies to be able to do business in Europe.”
GDPR is the benchmark for privacy compliance right now, and laws in other regions are expected to develop along the same model.

Amid some coordination, protectionism and divergent regulation continue
Notwithstanding some evidence of convergence around GDPR standards, protectionism and divergent regulation continue. The GDPR expressly prohibits companies within and outside the EU from sharing any personal data of EU residents, even if compelled by foreign law enforcement or national security agencies, unless permitted by EU law.
Similarly, global harmonization of data protection laws is a long way away. Even within the EU, the GDPR gives Member States ample room to supplement the GDPR by way of national data protection laws. Germany, Italy, Ireland and Austria have already passed such laws. Other countries are in the process of drafting and consulting on such laws. Companies looking to bring their data protection practices in line with the GDPR are going to have to navigate varying and possibly conflicting national laws and GDPR interpretations.[24]
Outside of the EU, data-oriented regulations are largely uncoordinated – reflecting one way in which countries are competing with each other. Countries continue to pursue their own measures, for a variety of reasons (but often to satisfy domestic constituencies). Japan, for example, recently instituted more stringent data privacy rules, and Brazil may be coming forward with its own rules soon.
A range of countries are also enacting cybersecurity legislation, often sector- and jurisdiction-specific. Overall, cybersecurity and geopolitical risks could push more countries to take a more national view of data privacy and protection, with many commentators predicting a clash between governments and companies. What the varied rules have in common is stringency: virtually all of them are placing more and stricter data privacy and protection obligations on companies, while also imposing stiff penalties for violations. This is raising the compliance stakes for companies.
Another example of a national approach towards data protection is so-called “data localization” or “data residency” requirements. These measures either outright prohibit companies from moving their data from one country to another, or impose costly and time-consuming requirements that have the effect of stifling cross-border data flows. For example, Russia requires companies within and outside of the country to record and store personal data of Russian nationals in databases located on Russian territory and to provide the location of servers to the government agency overseeing telecom and mass communications. Similarly, China’s Cybersecurity Law took effect in June 2017 and includes a controversial local data residency requirement that is raising questions and concerns among multinationals operating in China.[25]
“Governments often demand data localization under the guise of protecting privacy, but such laws are really enacted to ease government access to data or to boost local cloud service providers,” says Determann. “Data residency laws are anti-privacy laws.”
Data residency laws could have a significant impact on multinational providers and users of cloud and other hosted technologies. By dictating where certain data is to be held and processed, local data residency requirements fundamentally counteract many of the benefits of cloud technologies, which inherently involve the sharing, processing and centralizing of data across borders.[26] If more countries go down this path, businesses will need to reconsider their IT architectures more seriously.

The challenges ahead
With individuals increasingly expecting companies to handle their data responsibly and securely – and legislators and regulators keen to tighten and enforce privacy laws – privacy compliance must become a top priority for multinational companies. Beyond costly fines, the failure to protect data privacy can lead to significant long-term damage to a company’s reputation and brand, and the risk goes well beyond losing credit card numbers. Countries throughout the world increasingly require that virtually any security breach involving personal data and a certain risk of harm – even if it doesn’t involve social security numbers, health information, or credit card records – be communicated to regulators, the affected individuals and, by extension, the media and public.
These risks are heightened in view of the connection between data protection and human rights. Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in other global and national instruments. As data protection becomes a part of the human rights rubric, the pressure on companies to demonstrate their commitment to privacy compliance will intensify.
“The forces behind the privacy regulation oftentimes are not just about regulating commerce but also about protecting fundamental human rights. Ultimately, investing in good data governance can be a marketing advantage and help build consumer trust,” says Dyann Heward-Mills, head of Baker McKenzie's London Data Protection Practice.

Preparing for the future of data privacy and protection
While businesses realize the value of big data, most would not consider themselves on top of their data mountain. A strategic approach is required, taking into account not only operational needs, capacities and goals, but also applicable legal and regulatory privacy requirements.

Involve the whole company
Companies need to prioritize data protection and privacy across a range of divisions and departments. It is a critical issue for IT, legal, HR, compliance, communications, investor relations, and the C-suite.
“For many companies, data privacy is somewhat of a hot potato,” says Hengesbaugh. “Some will want to treat it as just a legal issue, for the legal department to handle. But the legal department may see it as primarily an IT issue, with the need for systems to be built. And the IT department may say, ‘we just put the pipes in place that you tell us to,’ in which case it’s a business issue. And so the reality is that data is something that now impacts the whole organization.”

Work on your comprehensive privacy compliance program
Companies would be prudent to develop, and continually refine, comprehensive privacy compliance programs. “Companies should see the GDPR as an opportunity to rethink their approach to data,” says Anne-Marie Allgrove, Global Chair of Baker McKenzie’s Technology, Media and Telecommunications Industry and Practice Group.
In addition, while the GDPR is often the best starting point for a comprehensive global privacy program, companies also need to address compliance with other regimes (e.g., California privacy laws, and US federal laws such as the Health Insurance Portability and Accountability Act of 1996 and the Fair Credit Reporting Act), which can carry as much or even greater risk.

[23] Baker McKenzie, “Preparing for New Privacy Regimes: Privacy Professionals’ Views on the General Data Protection Regulation and Privacy Shield,” May 2016.
[24] Baker McKenzie, “GDPR National Legislation Survey.”
[26] Lothar Determann, “Determann’s Field Guide to Data Privacy Law,” Edward Elgar Publishing, 2017.