While you weren’t looking: Digital policy matters beyond GDPR

All eyes have been on GDPR, but there is more to digital integrity and online risk coming our way. Pay attention to the proverbial forest as well as the trees.

Kristina Podnar
January 24, 2018

The end of 2017 was abuzz with the EU’s General Data Protection Regulation (GDPR). When this directive comes into enforcement on May 25, 2018, it will rattle the marketing and sales world. The next several months promise to be much, if not more, of the same. While GDPR is an important piece of legislation to which you ought to pay attention, there are other policy considerations you need to be thinking about if you operate globally on the digital scale. Following are some of them.

Pay Attention to These Trends


The Accessibility for Ontarians with Disabilities Act (AODA) came into effect on January 1, 2018 and requires public spaces (inclusive of websites) to be made accessible when they are built, redeveloped, or changed. If your organization has more than 20 employees, you also must submit a report on accessibility progress. Of course, financial penalties will apply for non-compliance.

As of January 18, 2018, all U.S. federal government websites were expected to be in compliance with the updated Section 508 of the Rehabilitation Act requirements, based on the Web Content Accessibility Guidelines (WCAG) 2.0. While we have witnessed a lot of uncertainty about what this means — if anything — for the private sector, new accessibility lawsuits have been filed against corporations, including Nike, 24 Hour Fitness, and Donna Karan.

Children’s Online Privacy Protection

Expect 2018 to be the year in which children’s rights to privacy are highlighted, especially in regard to the Internet of Things (IoT) and toys that take advantage of digital technology. In its first 2018 enforcement of the Children’s Online Privacy Protection Act (COPPA), the Federal Trade Commission noted that the VTech company did not verify the person registering an account on The Learning Lodge website was a parent and not a child. The company was also fined because it falsely claimed that information submitted when registering on its websites would be encrypted when, in fact, the information was stored in clear text. Because the FTC has provided a number of COPPA updates and guidance throughout 2017, with renewed calls for the protection of children, 2018 is the year in which you should take this requirement to heart. Now is the time to review your policies — public marketing, IoT, as well as Intranet materials.

Cryptocurrency and Blockchain

In early January 2018, U.S. Securities and Exchange Commission (SEC) leadership endorsed the concerns raised in the North American Securities Administrators Association (NASAA) directive around cryptocurrencies. The U.S. focus has been mostly on investors and the high risk of fraud, but internationally we have seen mixed sentiments. The EU has been welcoming of the trend. Some countries have leaped to define cryptocurrency regulations (South Korea) and some have created panels to study the fiscal and regulatory impact (Russia, Ukraine). Still others have tried to clamp down (China).

While several states in the U.S. have approved cryptocurrency and blockchain technology (especially for digital signatures and contracts), the state-by-state approach promises to create complexity. Your organization should take such intricacies into consideration when developing a stance and a complementary digital policy.

Data Protection and Breach

The Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect in Australia on February 22, 2018. It requires businesses, Australian Government agencies, or any other organization that is required to keep information secure by the Privacy Act 1988 to notify

the Privacy Commissioner along with affected individuals of eligible data breaches. The bar is low (e.g., a device containing sensitive data is stolen or lost, an employee accidentally releases personal health information) and failure to comply is high (up to $1.8 million AU).

Turkey passed its law on data protection at the end of 2017, which became effective January 1, 2018. While additional regulatory action is expected for the full establishment of data protection, the Turkish Personal Data Protection Authority has made it clear that a transparent and accessible data control mechanism will be required of organizations.

Countries such as Israel, which have been ahead of the international curve in the privacy arena, will continue to stay ahead by requiring organizations to comply with the regulations or face penalties.

Data Localization and Transfers

The EU Commission noted on January 9, 2018 that with Brexit on March 30, 2019, the UK will become a third party for data transfers. If you regularly transfer data to the UK from the EU, or if you transfer UK user data outside of the UK, then 2018 is the year to become serious about crafting a data localization and transfers strategy and policy. As you prepare for GDPR, build in some flexibility for the upcoming changes with the UK.


eDiscovery is nothing new for most organizations, but judging by the legal cases we saw in 2017, most of us have a lot of work to do in 2018. The biggest challenge continues to be the volume of data created daily and how best to store this information in an accessible manner when the need arises. In addition, the idea that “digital” is not subject to eDiscovery continues to lag. Social media posts, shares, and likes, along with content published to your website and mobile applications, are also subject to eDiscovery. For most organizations, that seems manageable. That is until we toss in the metadata surrounding the publishing, further complicating matters.


While the PRC Cybersecurity Law came into legislation in June 2017, we are only now starting to see its impact, which will certainly shape 2018 for most global organizations. The law applies to any organization that uses a computer network in the course of its business to collect, store, and transfer data — a broad net that is sure to apply to almost every business. At this moment, there are draft regulations dealing with the data sovereignty requirement. They are expected to come into force in 2018, further impacting how you manage and protect data and systems.

South Africa’s Protection of Personal Information Act (PoPI) is on the horizon and while there is a grace period (12 months), the government will impose fines. The law’s objectives are to decrease data breaches and potential security holes and to provide for rectification when data breaches occur.

Put It All in Perspective

The universe of digital policy is vast and what you choose to prioritize ought to be driven by your organization’s objectives and its tolerance for risk. Consider the range of legal ramifications, regulatory policies, and best practices policy areas, and start from there. My best practice list includes:

  • Advertising (paid, social network, grassroots)
  • Appropriate Content/Prohibited Content
  • Classification Protection Statutes
  • Cloud Assurance
  • Consumer Online Dispute Resolution Platform
  • Copyrights and Protections (inclusive of links, intellectual property protections)
  • Digital Fundraising and Donations
  • Digital Records Management (all channels)
  • Digital Risk Fiscal Statement
  • Email Marketing (CAN/SPAM)
  • Food Marketing
  • Forward-Looking Statements and Investor Clauses
  • Health Information and Patient Information Management
  • Hosting and Content Storage
  • Information and Technology Export Controls
  • Language and Content Localization
  • Online Advertising & Promotion Policy
  • Online Piracy
  • Plain Language
  • Product Advertisement and Placement
  • Product and Services Integrity Statement
  • Right to Data Portability
  • Shareholder Notifications and Disclosures
  • Social Media
  • Supply Chain Act
  • Third-Party Risk Management
  • Use and Display of Organization’s Logo, Registered Names, and Trademarks

There are plenty of others, which is why I advise starting your own list and consulting your legal counsel to finalize the requirements.


While GDPR has captivated most of us due to the fear of extensive fines (4% of global revenue or €20 million), the reality is that not paying attention to the other areas of digital policy could get you into just as much, or more, trouble. So, don’t ignore GDPR. Keep perspective of the forest over the trees, or else it is easy to get lost.

Related industries:
Related functions: