
AI to Build Data Privacy Frameworks

“Design” in the IDEA framework for Data Privacy to handle multiple regulators and multiple jurisdictions

We have the Intent to maintain the privacy of data under our stewardship.

The next task is to design a framework that can address, on an ongoing basis, the requirements of the multiple regulators and standards we need to comply with.

We are living in very interesting times when the way we use technology is changing daily. As we change the way we work, the threat landscape changes in lockstep with the changing environment. And behind the changing threat environment is the changing regulatory landscape.

At the core of our use of technology is the data that powers everything we do. And with data comes the responsibility to protect the data that we collect and use. This presents an ever-changing and shifting landscape of regulation.

Why do global privacy laws keep changing? A shifting landscape.

If you operate in India, you have to contend with the requirements of the DPDPA for data privacy and protection. In Europe, there is the GDPR. And if you are in the US, the absence of a federal data protection regulation means that (at the time of writing this blog) there are 16 state privacy laws in force.

That is not all: these laws are not standing still. In response to the evolving threat landscape, these laws are constantly changing. Thomson Reuters Regulatory Intelligence has recorded an average of over 200 regulatory updates every single day across more than 1,300 regulators globally, making it over 60,000 regulatory events in a year.

Stanford HAI estimates that between 2016 and 2024, legislative mentions of AI increased ninefold across 75 countries, with 59 new AI-related regulations introduced by U.S. federal agencies in 2024 alone, more than double the previous year.

As we can see, this velocity is only going to increase as the pace of change of technology continues to accelerate.

An onerous burden.

In India alone, businesses are regulated by over 25 key regulatory bodies, including the RBI, SEBI, and IRDAI. All these agencies constantly issue new circulars, amendments, and notifications, often without warning.

All this has resulted in a dramatic increase in the cost of compliance. Even the Reserve Bank of India (RBI) acknowledges that regulations have become increasingly complex as the financial system expands into new business models.

What is one to do?

Clearly, managing our own internal GRC control set against a backdrop of many updates, sometimes daily, is not possible using manual spreadsheets.

How do we capture these changing requirements in the context of our organization? How should a change in a regulatory requirement change our Intent? How should it change our Design in the IDEA framework?

This requires us to get organized and use AI for Data Privacy Compliance.

Get organized – Unified Control Frameworks for GRC (UCF)

We have to use the UCF (Unified Control Framework for GRC) method. My colleague wrote about this in her blog on the Power of UCFs. Instead of tracking 5 different laws applicable to us, we can map our internal controls to a “MyUCF”.
UCFs for GRC map various regulations (like DPDPA, GDPR, CCPA, HIPAA) to a single set of “common controls”.

For example, if DPDPA updates a transparency rule and GDPR updates a similar one, you only update one internal control (e.g., “Privacy Notice Update Frequency”) to satisfy both.

What does this entail?

Horizon Scanning – Leverage AI

Regulatory guidelines are frequently updated through circulars, addendums, and modifications that reach us through feeds, email updates, PDF documents, newsletters or similar mechanisms. And before they become regulations, drafts are very often shared with potentially impacted communities, which means you have a “look-ahead”.

But this still requires someone, a human being, to go through these notices, which are very often 500 pages of legalese. This is where AI for Data Privacy Compliance comes in…

We can scan the horizon and run these notices through tools using AI trained especially for this purpose. This will give us a proactive, systematic “early-warning” approach to identify emerging regulatory, legal, and technological shifts before they become mandatory requirements.

These tools can do a few things:

  1. Scan and collect these regulations through feeds, emails, PDFs, newsletters and other publications
  2. Translate the legalese into equivalent controls
  3. Map these controls in the context of our organization by matching them with our “myUCF” – My Unified Control Framework for GRC
  4. Integrate the potential updates with “myUCF” and deploy these updates as directed.
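As an added example (not code from the original post), here is a small Python model of the mapping step described above: requirements from several regulators point at one common control, so a changed clause surfaced by horizon scanning is triaged to the single control that satisfies all of them, and a clause with no mapping is reported as a coverage gap rather than dropped. The regulation names come from the post; the control ids and clause labels are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    title: str
    # (regulation, clause label) pairs that this one common control satisfies.
    satisfies: set[tuple[str, str]] = field(default_factory=set)

class MyUCF:
    """Many-to-one map from regulatory requirements to internal common controls."""
    def __init__(self) -> None:
        self.controls: dict[str, Control] = {}
        self.by_requirement: dict[tuple[str, str], str] = {}

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control
        for req in control.satisfies:
            self.by_requirement[req] = control.control_id

    def regulations_covered(self, control_id: str) -> list[str]:
        """Regulations that are all satisfied by revising this single control."""
        return sorted({reg for reg, _ in self.controls[control_id].satisfies})

def triage_updates(ucf: MyUCF, updates: list[tuple[str, str]]):
    """Turn horizon-scan findings (regulation, clause) into a work list: a clause
    that maps to a common control is queued once under that control; an unmapped
    clause is reported as a coverage gap instead of being silently dropped."""
    to_revise: dict[str, list[tuple[str, str]]] = {}
    gaps: list[tuple[str, str]] = []
    for reg, clause in updates:
        control_id = ucf.by_requirement.get((reg, clause))
        if control_id is None:
            gaps.append((reg, clause))
        else:
            to_revise.setdefault(control_id, []).append((reg, clause))
    return to_revise, gaps

def build_sample_ucf() -> MyUCF:
    """Constructed sample myUCF; clause labels are illustrative, not citations."""
    ucf = MyUCF()
    ucf.add_control(Control("PRV-01", "Privacy Notice Update Frequency", {
        ("DPDPA", "notice-transparency"), ("GDPR", "transparency-info"),
        ("CCPA", "notice-at-collection")}))
    ucf.add_control(Control("PRV-02", "Data Principal / Subject Rights Handling", {
        ("DPDPA", "rights-of-data-principal"), ("GDPR", "data-subject-rights")}))
    return ucf
```

Running `triage_updates(build_sample_ucf(), [...])` with the DPDPA and GDPR transparency clauses plus an unmapped CCPA clause queues one revision of PRV-01 and lists the CCPA clause as a gap.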

A smart myUCF implementation that leverages AI will make it much more manageable to address the complexities of multi-regulator, multi-jurisdiction compliance requirements.
