A data protection plan sets out what a business needs to do to keep its information safe and secure. Here we explain what a data protection plan is, the key elements required, and how it fits in with your international expansion goals.
1. Data might sound like an overused buzzword these days, but it is important not to underestimate its high value.
2. Many organizations now have people in C- or other executive-level positions whose entire role involves the management and protection of data to deliver business value.
3. Most countries now have data protection laws and international agreements—e.g., the EU General Data Protection Regulation (GDPR)—which carry significant financial (and potentially criminal) penalties for breaching them.
4. If you are considering an international expansion, building a data protection plan that is specific to the jurisdiction where you plan to operate is a must.
The Role of Data in the Modern Organization
As technologies continue to evolve and the world becomes more effective, the value of data, especially customer personal data, is becoming increasingly valuable. It is so valuable, in fact, that it was by The Economist in 2017 as the world’s most valuable commodity ahead of oil.
It should be seen as no coincidence then that more and more organizations are bringing in people at C-level to oversee the processing and protection of their data. Known as CIOs (Chief Information Officers), these people are under mounting pressure to see that not only is the organization compliant with its data processing and protection obligations but that it is effectively used to deliver business value, too.
However, to achieve this goal and deliver business value with data, it is important that organizations are thoroughly and compliantly managing and protecting it.
Developing a data protection plan, alongside other key documents such as Data Processing Agreements (DPAs) is a crucial part of compliance with data protection laws and regulations. For businesses in the European Union, or doing business with customers based there this means complying with the General Data Protection Regulation (GDPR). But it is also a requirement in various other jurisdictions such as California (under the California Consumer Privacy Act or ‘CCPA’) and Brazil (where it is known as the ‘LGPD’). China’s PIPL also has similar requirements.
To read more about Brazil’s new data protection law and how it differs from the GDPR check out What is Brazil’s LGPD? Four Differences from the GDPR.
In this article, we are going to cover the basics of data and why it is important to have a plan in place to manage and protect it. This is especially true if you are considering taking your business overseas, for example into Europe, where there are specific legal frameworks for data protection (and serious penalties for organizations that breach them).
What is Data Management?
If you were to ask someone what data management means, you would probably be met with a blank stare. This is because there is a general lack of understanding about what it really is.
In short, data management is a set of disciplines—e.g., data collection, data processing, data analysis, data storage, data protection—that come together for operational and reporting uses.
While it is generally accepted that the biggest data-related issue facing organizations is that they don’t know how to use it properly or what they want to achieve with it, it’s (arguably) not the most important one: Data protection is.
Data protection is the process of safeguarding important information from theft, corruption, loss, or other compromises.
The importance of data protection and having a thorough data protection plan increases as the amount of data being generated, collected, and stored grows at unprecedented rates, and general tolerance for bad data management and protection—from both stakeholders and legislative authorities—continues to fall.
What Does a Data Protection Plan Cover?
Data protection is therefore not just a legal necessity but crucial to protecting your business and maintaining its reputation. Key pieces of information that are commonly collected and stored by businesses include:
This information can pertain to everyone from customers to your staff members, shareholders, and business clients. Protecting all this personally identifiable information (“PII”), in accordance with relevant data protection laws, requires businesses to take data protection seriously, adopt best practices, and adhere to specific principles.
Due to the way the legal situation varies between different countries and legal jurisdictions, it is impossible to create a one-size-fits-all guide for how to build your own data protection plan that is also catered to the individual needs of your organization.
What we can do, however, is talk about some of the important features and elements that go into a typical data protection plan. With this information, you can start to build an understanding of what might be required when it comes to working with an international PEO to build a plan for your own organization.
Important Elements of a Data Protection Plan
Here are five important elements of a data protection plan that you need to think about when you are building one for your organisation:
Is a Data Protection Policy the Same as a Data Protection Plan?
In many ways, yes. Data protection policy and data protection plan are largely synonymous and have the same meaning. Other terms commonly used include ‘data protection audit plan’ and ‘data protection implementation plan’.
That being said, some companies will have a separate data protection policy in addition to their data protection plan. If this is the case, the data protection plan will set out how the organization plans to protect its data while the data protection policy will essentially be the internal “rulebook” for how employees should behave when handling personal data.
How a Data Protection Plan Fits in With Your International Expansion
When you are considering an international expansion—as we have already mentioned—it’s important to make sure that you have a data protection plan in place for each jurisdiction you wish to expand to. This is because every legal jurisdiction has its own unique framework and set of regulations that govern everything to do with data, especially data protection.
The biggest example is the situation in Europe and the GDPR. To ensure compliance with the GDPR, organizations need to ask themselves questions like:
Data privacy and protection is an ultra-complex legal minefield. The situation varies wildly from country to country, with organizations in some nations—such as those where the GDPR applies—subject to extremely wide-ranging data protection laws.
Due to the severe penalties that can be imposed on organizations like yours for non-compliance, it is crucial to consider how the data that you collect is stored, controlled, manipulated, and protected and how different data laws might apply as a result.
Horizons is a global professional employer organization (PEO) that are specialist in corporate international expansions. Our specialists can advise on a wide range of issues, including those related to compliance with applicable privacy regulations and data protection legislation including the GDPR.
So, if the thought of data protection still has you scratching your head, feel free to reach out to us for a zero-obligation introductory chat and find out how we can help.
Frequently Asked Questions
A data protection plan is an internal document for an organization explaining what it intends to do to keep data safe and secure.
Data protection within an organization includes:
- Clear rules for accessing crucial and sensitive data
- An audit program to check that existing data protection policies are sufficient
- Regular backups of core data
- Employee training to ensure data protection best practices are followed.