The United Nations Conference on Trade and Development (UNCTAD) reported last year that 128 of 194 countries worldwide had data protection legislation in place. Given the volume and severity of ongoing data breaches, the direction is moving towards even more regulation and bigger penalties as governments step up their efforts to stem the tide of cybercrime and nation-state attacks.
While the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) represent the most high-profile examples of contemporary privacy and data protection laws and guidelines, the wider picture tells an interesting story. More broadly speaking, 81% of countries now have e-transaction laws, 59% have consumer protection laws, 69% have privacy laws, and 80% have cybercrime laws, according to data released by UNCTAD.
So, not only are there a wide range of nuanced compliance rules in place, such as GDPR, CCPA, Brazil's Lei Geral de Proteção de Dados (LGPD), South Africa's Protection of Personal Information Act (POPIA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), or India's Personal Data Protection Bill (PDPB), but falling afoul of them attracts the attention of regulators with the power to enforce huge fines.
Data breaches can leave international firms subject to penalties from powerful regulators. For example, the Amazon breach that occurred in October 2021 resulted in an $877 million GDPR fine, while WhatsApp in Ireland received a $255 million penalty shortly after the Amazon breach. Thus, compliance has become a complex layered set of rules and responsibilities, especially for organizations that lack the resources to fully focus on these issues in the context of rapid growth and global expansion. Indeed, the domestic cybersecurity skills shortage currently sits at 464,200 jobs or one-for-every-two openings, according to Microsoft and Gartner.
It’s vital, however, that organizations focused on developing a global presence put themselves in a strong position to meet important regulatory obligations wherever they operate.
Culture and Mindset
Internal processes and formal adherence to local and international data protection and privacy standards are key, but organizations must also build upon an internal culture that prioritizes compliance.
Problems can occur when there is a cavalier attitude towards customer data, and this can manifest itself in a variety of ways. For example, organizations may experience this when policies and processes are considered optional, ignored to meet important deadlines, or where compliance is simply under resourced. Among the most alarming examples is the 2017 Equifax mega-breach, which affected 147 million people and subsequently revealed the company had used "admin" as both a username and password for a portal managing credit disputes.
In contrast, building a culture where everyone understands the importance of compliance eliminates the systemic weaknesses or random, one-off mistakes and misunderstandings that can create serious problems. When predicated on a conservative approach to data protection and privacy, risk-taking is discouraged in favor of effective, safety-first processes. As an example, Globalization Partners’ client Phenom, a global talent experience management platform, partnered with us after several acquisitions. Their primary concern was a seamless transition for new employees. Since we had already established entities in the countries where they wished to expand, we were able to quickly and compliantly onboard new hires. This ensured no disruption to employee compensation and benefits and that Phenom was following all required local laws.
Another client, Zeeto, which is a leading marketing data discovery company based out of San Diego, became permanently remote during the early phases of the pandemic and quickly realized they could now hire anywhere. Given their proximity to the United States’ southern border, they decided they wanted to quickly put together a team in Mexico. We were able to help them quickly onboard hard-to-find talent and ensure a seamless HR experience for both Zeeto and the newly onboarded talent.
As an example, to maximize protection, some organizations simply don’t share customer data externally, except under the most stringent and closely controlled circumstances. Any situation where data must be shared is then subject to the most robust integrity and security controls. Together, this level of oversight can significantly reduce the risk of data leaks, breaches, and the subsequent penalties seen across organizations that operate complex and remotely-based, international teams.
Resourcing Remedies
The issue of regulation and compliance resourcing is key. In general terms, enterprise-level organizations should be in a strong position to provide the people and tools required to ensure customer data is fully protected.
The challenges for small and medium-sized businesses, however, are considerable. This is particularly relevant to fast-growing companies expanding on the international stage that lack the experience and local knowledge required to ensure their approach to data protection and privacy adapts for each country.
While the answer lies in hiring specialist expertise, this is often low on the list of priorities for organizations looking to establish themselves in a new country with minimal resources. In other situations, businesses simply don’t have the budget to hire dedicated talent given that resources may be focused on revenue generation.
Increasingly, global employment technology enables developing international businesses to bridge the gap between putting maximum effort into growth while also staying compliant.
This approach allows organizations to hire around the world without setting up their legal entity or serving as the legal employer while retaining the ability to direct the daily work of each team member. It also meets a very real need, with recent research indicating that 85% of CFOs are interested in tapping into a more cost-effective, global talent pool. Organizations that operate dedicated, local infrastructure across multiple territories may also include specialist resourcing that ensures compliance remains high on the list of priorities for any business growing into new territories.
The modern, data-centric business environment brings huge opportunities for rapid global growth, and the responsibility to abide by local and international rules. One of Globalization Partners’ best examples is our recently enhanced partnership with a global Fortune 500 firm. This partnership has allowed the organization to address customer concerns revolving around international hiring, global payroll, and compliance, which include offering immediate onboarding for international hires with full adherence to local data privacy laws.
There are a wide variety of use cases where organizations partner with third-party vendors to implement, optimize, and manage payroll processes. For example, an HR software provider needed to integrate payroll across several companies it had acquired. Their priorities included avoiding any disruption to employee compensation and benefits, as well as focusing on data privacy compliance.
Global payroll must also be adaptable to changing business trends. In the case of a U.S.-based internet marketing services business, a temporary switch to remote working turned into a permanent strategic switch. This enabled the company to quickly scale its geographical presence by establishing a remote team in Mexico, onboarding new employees, expanding its payroll capabilities, and delivering a seamless HR experience.
Those organizations that execute their international expansion strategies while retaining their focus on compliance and data privacy regulation will be ideally placed to succeed wherever their growth plans take them.