Volume 49, Issue 4 (2018)

A Contextual Extraterritoriality Analysis of the DPIA and DPO Provisions in the GDPR

by Joshua Blume

Consumer demands, breaches, and a shifting regulatory landscape are causing companies to rethink privacy. Due in large part to heavy fines that could range into the billions of euros, the GDPR will be the first law to set a global privacy standard, and though companies otherwise seeking to be GDPR-compliant may not apply all the law’s provisions globally, there are at least two provisions those companies are likely to begin implementing now that the law is enforceable. Those two provisions relate to Data Protection Impact Assessments and Data Protection Officers. The first will require companies to methodically sketch out how their business practices affect consumers’ personally identifiable information, and the second will install an unencumbered privacy professional who will ensure the company does all it can to protect and restrict the use of personally identifiable information. Because these provisions are relatively untested anywhere outside of the EU, parallels can be drawn between these provisions and other laws with global reach such as the Foreign Corrupt Practices Act. Those comparisons indicate that the enforcement and fines provisions in the GDPR, along with growing consumer demands, will cause many companies seeking to be GDPR-compliant to go beyond the law’s requirements and create new privacy protections around the globe. Because the Data Protection Impact Assessment and the Data Protection Officer provisions are necessarily structural changes, the changes they bring to multinational companies are likely to increase privacy protections for data subjects around the globe.
