• Home
  • Blog
  • Navigating GRC’s Complex Privacy Terrain

Navigating GRC’s Complex Privacy Terrain

Governance, Risk, and Compliance (GRC) privacy challenges carry immense weight in our interconnected world. (Consider how, for instance, even a car’s license plate can now become personally identifiable information.) Organizations spend a significant amount of time and effort solving ongoing challenges to safeguarding the privacy of individuals and businesses.

GRC Privacy Challenges

Below we highlight a few key GRC privacy challenges. 

Snapshot of an Evolving Privacy Landscape 

Privacy shields have historically played a pivotal role in facilitating the transfer of personal data between the European Union and the United States. These agreements, such as the EU-US Privacy Shield, outlined the conditions under which data could be transferred, assuring European organizations that data sent to the U.S. would enjoy a certain level of protection. 

However, the privacy landscape is not static. The EU Court of Justice invalidated the EU-US Privacy Shield in 2020, citing concerns about the U.S. government’s surveillance practices. This decision left many organizations in a state of uncertainty regarding data transfers. 

Thankfully, in 2021, a new agreement emerged–the EU-US Data Transfer Agreement. This agreement, negotiated during the Biden administration, offers a framework for transatlantic data transfers, but with stricter requirements. Organizations must register and commit to specific data protection measures, ensuring that European data remains protected when crossing the ocean. 

Multifaceted Privacy Jurisdictions 

The GRC industry grapples with the intricate web of global privacy jurisdictions. Privacy, inherently multifaceted, shifts dramatically across regions. Several jurisdictions dictate the anonymization or pseudonymization of stored personal data, while others emphasize data protection and individual rights. 

Diving deeper, just a few global examples include: 

United States:

  • California Consumer Privacy Act (CCPA): Californians can see and control the personal data that businesses have. They can also choose to delete it or prevent businesses from selling it. 
  • Virginia Consumer Data Protection Act (VCDPA): People in Virginia can see, change, or get a copy of their data. The law also tells businesses not to collect more data than needed.  
  • There are also U.S. laws like the Fair Credit Reporting Act (FCRA), covering privacy of credit reports, and The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires medical records to be private. 


  • ePrivacy Directive: This EU rule says websites need to ask before using tracking tools like cookies. 
  • Charter of Fundamental Rights of the European Union: This gives EU people rights to privacy and freedom of speech. 
  • The European Union’s General Data Protection Regulation (GDPR) stands out as an exhaustive privacy regulation globally. It underscores individual rights and the sanctity of personal data. Specifically, GDPR Articles 33 and 34, dictate a swift response to breach management, mandating breach notifications to pertinent authorities within 72 hours and immediate communication to the affected individuals. 

Asia-Pacific (APAC):

  • Japan’s Act on the Protection of Personal Information (APPI): Businesses in Japan need to tell people why they’re using their data. They also need permission to share it. 
  • Singapore’s Personal Data Protection Act (PDPA): Businesses in Singapore have to keep personal data safe and let people control their data. 
  • Australia’s Privacy Act 1988: This law requires businesses to be open about how they handle personal data. People can also view their data. 

South America:

  • Argentina’s Personal Data Protection Act (PDPA): People in Argentina can see and change their data. The law also says that this data needs to be kept safe. 
  • Brazil’s General Data Protection Law (LGPD): This law sets rules on handling personal data and stresses the need for people’s permission. 
  • Habeas Data in Colombia: People in Colombia have a right to see and fix their data. 

Privacy Management Best Practices

GRC professionals are responsible for ensuring data is handled with the utmost care and in compliance with the myriad of regulations that govern it. Privacy is not a mere checkbox activity, but rather a dynamic and demanding commitment. 

Implementing robust privacy management practices, like those listed below, are key. 

  • Ensure the security of all data under your supervision by refraining from transferring it to regions with less stringent regulations  
  • Implement proportional security measures, like data encryption, firewalls, and limited access to authorized personnel 
  • In the event of a breach, promptly inform affected individuals so they can take necessary measures to safeguard their personal information 
  • Monitor privacy laws and regulations using an automated solution like Policy Management
  • Conduct regular assessments of compliance posture 
  • Invest in privacy training for employees 
  • Partner with privacy experts like SAI360 to get guidance and support 

Click here to schedule a virtual coffee with one of our team members and learn more about how our Integrated GRC solution can help your organization thrive. 

Keep Reading