Communications Litigation Today was a service of Warren Communications News.
'Fun' in a Way

Privacy Pros Aim for Agility in 'Fast-Moving' Compliance Landscape

Ever-increasing data protection requirements around the world are keeping privacy professionals on the edge of their seats, said officials from Stripe, HP and Bank of America during a BigID compliance webinar Thursday.

Stripe’s international privacy head, Willem Balfoort, sees “a fast-moving, very diverse world with lots of places adopting laws that are not always entirely interoperable.” The General Data Protection Regulation (GDPR) “served as this high watermark,” yet many other jurisdictions are deviating from the EU law, he added. “Which, in a way, is fun … but it certainly makes life more complicated as well.” Meanwhile, privacy regulators are becoming increasingly “active [and] applying more scrutiny across the board.”

Businesses with global exposure must be “agile” to adjust for the many privacy regulations around the world, said Balfoort. “Because there are so many developments in terms of laws or like case law or regulatory guidance, you really want to be able to sort of address that very quickly.” Remember that customers are also daunted by privacy, the Stripe official said. “It's really important to make sure that our customers and our users know … they can trust us.”

“Technology is changing so fast” that “people don't necessarily even understand what some of the risks are,” agreed Aaron Weller, HP privacy innovation leader. “The technology comes out [and] we all want to use it, but then we have these situations where we're like, ‘Oh, we should maybe put some rules and some things in place as well.’” Privacy is about more than personal data, added Weller. “We're trying to look a little bit broader” and thinking of privacy as “what are the things that impact people.”

Keeping up is a challenge, Weller added. “When a new law comes out, there's a lot of focus on that law, and then we move on to the next shiny object. So how do we make sure we keep this stuff up to date over time?”

“The different laws, the speed at which laws are being introduced, and sometimes the very breadth of the reach of some of these laws,” mean privacy compliance is not straightforward, said Maya Goethals, Bank of America compliance and operational risk manager. “Even having a couple of clients in Indonesia” would mean a company like Bank of America, HP or Stripe must comply with that country’s privacy laws, she said. Newer AI laws add to the challenge, Goethals noted.

“The biggest challenge that we are seeing at the moment is extraterritoriality,” the Bank of America official continued. “You constantly have to make choices on how you're going to approach which law you hold over another one,” since they can conflict, she said. “Because we'd like to comply with everything, but the nature of the regulation is making it impossible.”

Balfoort concurred. “Sometimes we get stuck between a rock and a hard place as a company,” he said. “We try to do the right thing, but it's kind of hard because there are so many conflicting obligations out there that” seem “mutually exclusive.” Privacy pros can’t change that, said the Stripe official, but “where we really can … control things is to have our own house in order.”

For example, companies must know where all their data is located, noted Balfoort. “It's a simple question, but it's honestly incredibly hard to answer.” And yet, “you cannot comply with the law if you don't even know what kind of data you hold, where it's sitting, who has access to it,” why it’s being processed and how long it’s retained.

However, knowing is just step one, said Weller. “If we did know all of that stuff, and we knew it perfectly, what would we do next?” He added, “If we have that visibility, if we have the inventory, what are the actual controls?”

Weller believes automation through AI will eventually help companies keep current with global privacy compliance. “If we're looking at scalable and future proof … it's really looking ahead toward not just what are we doing today, but how do we build in that flexibility that when we get thrown a curveball by Indonesia or whoever it is, we're like, ‘Oh, yeah, we can adapt our program. We don't have to go back and rebuild it completely.’”

Goethals doesn’t recommend trying to apply the highest privacy standard everywhere, or, conversely, only the minimum level of protection needed for compliance. “Just set a baseline, choose which rights you want to provide, and then flex where you need to, because certain countries will be much stricter, and certain regulators will be much stricter.”

Data minimization is one privacy requirement that can actually save the business money, noted Weller. “If you actually don't hold onto data you're not getting any business value out of … or you pseudonymize or use some other [privacy enhancing technologies] to improve it, that could actually be cost savings.”