Building a Privacy Program for Global Markets


Summary

Building a privacy program for global markets means creating policies and processes that protect people’s personal data across different countries and legal requirements. As privacy laws evolve worldwide, organizations must develop adaptable strategies that respond to regional regulations and cultural differences.

  • Assign clear ownership: Define who is responsible and accountable for privacy actions in every department to avoid confusion and ensure compliance.
  • Adapt to local laws: Regularly review and update privacy processes to meet new regulations in each country or region where your business operates.
  • Engage regional stakeholders: Collaborate with local teams and listen to their feedback so privacy programs address unique risks and expectations in each market.
Summarized by AI based on LinkedIn member posts
  • Shannon Ralich

    Chief Privacy Officer | VP, Legal Executive | Privacy & AI Governance | Board Director | Speaker

    5,244 followers

    Privacy programs that scale are not built around static compliance tasks. They are built to produce evidence by design, grounded in principles that drive consistent decision-making. That evidence is what creates confidence in data practices as regulatory requirements become more operationally specific.

    The latest CCPA regulations illustrate why this matters. The updated regulations, effective January 1, 2026, are not incremental. Programs built as one-time or check-the-box implementations will find it more difficult to adapt over time, while programs grounded in principles, controls, and continuous regulatory awareness are better positioned to manage change without reactivity becoming the default operating model.

    If you joined my recent Fireside Chat, these themes will sound familiar. Below are several updates and what they mean for evolving privacy programs.

    Part 1:

    Sensitive Personal Information Definition Expanded

    Personal information of consumers under 16 is now classified as Sensitive Personal Information where the business has actual knowledge of the consumer’s age. Willful disregard of a consumer’s age is deemed actual knowledge.

    Operational: Update your Privacy Risk Assessments policy and process, Right to Limit processing workflows (including downstream), and update data classification logic and practices.

    Opt-Out Confirmation will be Mandatory

    Providing confirmation that an opt-out request has been honored will no longer be optional, including for requests submitted through Global Privacy Control (GPC). Examples include displaying “Opt-Out Request Honored” on a website or using toggles or radio buttons in consumer privacy settings to reflect opt-out status.

    Operational: Test GPC functionality and review consent manager and cookie banner configurations.

    Right to Know Scope Expanded

    Currently, businesses must provide a method for consumers to submit a right to know request. Under the updated regulations, if a business retains personal information for longer than 12 months, that method must allow consumers to request access to personal information collected prior to the 12-month period preceding the request, going back as far as January 1, 2022. Consumers may be given the option to specify a date range for their request or request all personal information the business has collected about them.

    Operational: Review record retention policies, data maps, understand where you store collection dates, and update data subject rights intake forms and procedures.

    In upcoming posts, I’ll continue examining the remaining requirements and what they mean in practice.

  • Jodi Daniels

    Practical Privacy Advisor / Fractional Privacy Officer / AI Governance / WSJ Best Selling Author / Keynote Speaker

    20,614 followers

    Privacy programs often start with the best of intentions via policy frameworks, training modules, and compliance checklists.

    But good intentions don’t scale.

    What does? Clear ownership.

    The regulatory landscape demands accountability.

    Laws like the GDPR and CCPA don’t just ask whether you meant to protect personal data, they ask whether you did, and who was responsible.

    That’s where most programs don’t fulfil their potential: not in ambition, but in execution.

    The truth is, privacy is a team sport.

    It’s fundamentally cross-functional and relies on Legal, Security, Product, HR, and Marketing all carrying the baton at different stages.

    But without a shared playbook and clearly defined responsibilities, tasks get duplicated, delayed, or dropped.

    If regulators come knocking, “we thought someone else was handling it” isn’t a defense, it’s a red flag.

    That’s why we built the Ultimate Privacy Roles and Responsibilities RACI.

    It's a matrix designed to bring clarity to the chaos.

    It maps out who’s Responsible, Accountable, Consulted, and Informed across key privacy activities like:

    ✔ Responding to Subject Access Requests (SARs)
    ✔ Conducting Privacy Impact Assessments (PIAs)
    ✔ Managing breach response and notification
    ✔ Maintaining data inventories and records of processing
    ✔ Aligning vendor risk with privacy obligations

    This isn’t a spreadsheet but a strategic tool for understanding how to operationalize privacy.

    It can help your teams move from “we should” to “we did” with clear lines of ownership and fewer blind spots.

    📥 Download our Ultimate Privacy Roles & Responsibilities RACI Matrix and start turning good intentions into operational control 👇

  • Mili K.

    I help DPOs and privacy consultants turn visibility into retainers

    10,917 followers

    Three months into my first global privacy rollout, I realised I was the bottleneck.

    We had the policies. The governance model. The training plan. But every region reacted differently.

    In APAC, they paused - “Why this, why now?”
    In the EU, legal interpretations sparked endless threads.
    In the US, the ask was simple: “What’s the risk if we don’t?”

    I kept applying the same playbook. Progress in one region triggered pushback in another. What I thought was alignment was just surface-level agreement.

    So I changed approach. I stopped pushing for uniformity. Started asking questions. Each region reframed the program in its own terms - same goals, local language.

    Engagement picked up. Teams flagged issues early. Leads took real ownership.

    The biggest lesson? You don’t roll out privacy globally. You earn it, region by region.

    This is what I’ve learned but I’m still learning. Share this with others in the trenches.

    #privacy #privacyops #globalprivacy #dataprotection #USA #UK #data

  • Maryam Abass

    Translating the balance between innovation & human rights into ethical tech insights | AI & Privacy Analyst | CIPP/E | CIPM | AIGP

    1,938 followers

    3 key economies, 1 immediate call for compliance action.

    Global Privacy is Changing Fast — And the Global South is Quickly Catching Up

    The future of data protection isn’t just happening in Brussels or Washington. Major economies in the Global South are rapidly shaping their own privacy standards, and they’re enforcing them. Organizations are increasingly being pushed to adapt their compliance strategies to newer laws emerging from countries like Brazil, Nigeria, and India.

    Here’s a quick breakdown of what’s changing:

    Brazil: Stronger Enforcement & New Guardrails

    Brazil’s LGPD has moved far beyond early adoption; enforcement is now in full swing.
    - ANPD is increasing audits and imposing tougher penalties for non-compliance.
    - New rules now clarify requirements for cross-border data transfer, moving towards the use of SCCs, while preserving Brazil’s unique requirements.
    - Brazil is advancing protections for children and responding quickly to emerging technologies like AI (proposed Bill No. 526/2025).

    Nigeria: Focus on Local Digital Ecosystem; Brutal Fines

    The Nigerian Data Protection Act (NDPA) established a strong legal foundation for privacy governance.
    - The law draws from GDPR principles, but adapts them to Nigeria’s digital ecosystem, including a new category for high-impact data controllers and processors with stricter compliance duties.
    - The NDPA is now operationalized by the General Application and Implementation Directive (GAID), providing concrete rules and hard deadlines.
    - Authorities (NDPC & FCCPC) flexed enforcement powers and fined Meta and Multichoice for privacy violations.

    India: A High-Impact Law for a High-Growth Digital Market

    - India’s Digital Personal Data Protection Act introduces a modern framework built for scale.
    - Certain organizations can be classified as “Significant Data Fiduciaries”, with heavier responsibilities like mandatory DPIAs and an India-based Data Protection Officer.
    - Recent DPDP Rules establish a May 2027 compliance deadline for core requirements like consent and breach notification.
    - Strong protections for minors include requirements for verified consent and a ban on targeted advertising to children.

    What This Means for Global Compliance

    Data protection is now truly global, and increasingly complex. The organisations best positioned for the future are those that can proactively adapt and navigate diverse regulatory environments, not just EU or US frameworks.

    Which of these 3 jurisdictions presents the biggest compliance challenge for your organisation right now, and why?

    Better yet 👀 have you begun assessing what the India DPDP Rules' May 2027 deadline could mean for your organisation? And which areas do you expect will require the most preparation?

    #DataPrivacy #GlobalCompliance #LGPD #NDPA #DPDP #PrivacyLaw #AIandPolicy

  • karishma Shaik

    SOC 2 & ISO 27001 Compliance | Expert in Blockchain & AI Security Assurance for Leading CPA Firms | Empowering Secure Digital Transformation |

    8,056 followers

    🌍 GDPR vs DPDP Act: What Global Organizations Must Understand About Data Privacy Compliance

    As data flows across borders, organizations must align with multiple privacy laws. Two of the most important frameworks today are the EU’s GDPR and India’s DPDP Act. While they share common privacy principles, their implementation and regulatory expectations differ in key areas.

    Here’s a quick breakdown:

    🔐 Common Foundations of Privacy

    Both GDPR and DPDP emphasize:
    ✔ Clear user consent and lawful processing
    ✔ Protection of data subject rights
    ✔ Strong technical and organizational safeguards
    ✔ Documented accountability to prove compliance
    ✔ Alignment for cross-border data transfers in global operations

    ⚖️ Key Differences Organizations Should Note

    🇪🇺 GDPR (European Union)
    • Penalties up to 4% of global turnover
    • Breach notification required within 72 hours
    • Children’s consent rules vary by country (typically 13–16)
    • Cross-border data transfers allowed with safeguards
    • Enforced by national Data Protection Authorities (DPAs)

    🇮🇳 DPDP Act (India)
    • Penalties up to ₹250 Crore
    • Breach notification requires immediate reporting to authorities and users
    • Requires verifiable parental consent for children’s data
    • May impose restrictions on certain data transfers/types
    • Enforced by the Data Protection Board of India

    📊 What This Means for Businesses

    Organizations operating globally must design privacy programs that:
    • Integrate compliance across multiple jurisdictions
    • Harmonize consent, breach response, and documentation processes
    • Strengthen governance for cross-border data handling

    Companies that build a unified privacy framework rather than region-specific silos will gain stronger trust, regulatory readiness, and operational efficiency.

    Kalesha & co Next Gen Assure

    #GDPR #DPDPAct #DataPrivacy #Compliance #CyberSecurity #GRC #RiskManagement #GlobalBusiness #DataProtection #DigitalTrust
