Data privacy laws have evolved dramatically, and enforcement of updated regional and US state-specific laws is increasing. The financial and reputational impact of data privacy failures is a new reality for many legal, IT and compliance teams, and the nuances of these laws are increasingly complicated to understand. Adopt a strategy that lets you view your data across every geographic location where you do business, store data or use vendors.
Developing and monitoring data management practices is key to any privacy compliance program. Know how and where you are storing data, whether it moves across borders, and whether data localization regulations apply. Consider how your privacy practices will be replicated and managed in every country where you operate. The protection systems you are building will not always be sufficient across all jurisdictions, and applying them uniformly without regard to local requirements can actually increase data vulnerability.
Data breaches aren’t just a US phenomenon. Although we have been seeing breaches at a higher volume and scale in the US, this is a global concern. The key is to plan, prepare and then plan some more.
What You Need to Know:
» Policy & Procedure Resilience: Know how your policies and procedures will perform during a data breach. Are they comprehensive enough to address the complexity of modern attacks and of human error? Test both your policies and your employees' knowledge of them.
» Cross-Jurisdictional Breach: Breaches that affect multiple data sets and/or regions make prevention and containment exceptionally difficult. Understand where your data is, regardless of location, and the particular regulations that apply to it, so you can respond quickly.
» Crisis Communications Plan: In the event of compromised data, you should inform your employees, the public and shareholders in a thoughtful and accurate way. Data privacy is about building trust, so an effective crisis communications plan will help your organization be responsive and transparent and preserve the trust of the people who depend on it.
VENDOR MANAGEMENT & DATA PRIVACY
Vendors are often a serious data privacy concern, because your organization's data can be lost or exposed while in their hands. Companies of all sizes are being targeted by cyber attacks as a way to infiltrate connected third parties and work up the supply chain.
What You Need to Know:
» Vendor Privacy: Ensure privacy is part of every vendor agreement. Embed privacy protocols into your existing vendor management program instead of developing and implementing a separate privacy program altogether.
» Audit & Notification Rights: With vendors, you don't always know when a risk arises, so the opportunity for prevention and containment is reduced. Require vendors to notify you of any breach, or suspected risk, associated with the data they hold or access. Retain the right to audit each vendor's data practices to ensure they meet your privacy standards.
» Indemnification: Your vendor agreements should ensure that the third party indemnifies you appropriately for losses.
To read more about data privacy, the EU General Data Protection Regulation, key steps for your organization—and get access to additional tools and resources—subscribe to the 2018 Year of Compliance Toolkit.