Head of Privacy | Rio Tinto
Carolyn Lidgerwood
When asked what I do or what type of law I work in, I explain that I am responsible for Rio Tinto’s global data privacy program across six continents and about 35 countries. Often the next question is ‘how do you tackle a job that complex’? After almost 11 years in this role and 30 years since I started my first legal job, here are a few things I have learned along the way.
Focus on the common ground: When you immerse yourself in data privacy legislation from various parts of the world, you can quickly identify those that have laws in common. That is the advantage of ‘principles-based’ legislation. Most data privacy laws include obligations based on principles of accountability, transparency, purpose limitation, data minimisation and proportionality, data quality and much more.
When data privacy legislation is introduced or when existing data privacy laws are reformed and strengthened, there can be a ‘Chicken Little’ type of reaction. My response is that you can usually identify much in those new or strengthened laws that is familiar. If your company has a data privacy program that already reflects the types of data privacy principles that I have summarised above – you should already be a long way down the path to compliance. In that context, addressing the local nuances or additional requirements should not be so overwhelming.
Ask – how would you feel? Data privacy is about people, so it helps to put yourself in the shoes of the relevant individuals when you are answering a data privacy question or undertaking privacy impact assessments or more. This can also be an effective way of raising awareness in your business about why data privacy matters. Remember that if you are relying on an argument that processing personal data is for a legitimate business interest, it is about balance, and you should be considering the interests of the individual too.
Context is everything: In data privacy practice, so much turns on the facts, and on the answers to all those ‘what, who, where, how and why’ questions about personal data processing. Without those answers, you cannot provide solid advice on compliance requirements or risk. This includes challenging why personal data is being collected at all. In new projects involving personal data processing, ask whether the business objective can be achieved without collecting personal data, or with less of it. The less personal data is collected, the less compliance risk there will be for your business.
Despite Time Magazine declaring on its cover in October 1997 that ‘Privacy is Dead’, I am not seeing those of us practicing in data privacy law running out of work anytime soon!