Jun 18, 2025

Feature ComplianceData PrivacyRegulation In a rapidly evolving global market, navigating cross-border data privacy is more challenging than ever. Here’s how companies can stay compliant while protecting their most valuable assets. Credit: Jack_the_sparow / Shutterstock As organizations expand internationally, IT leaders must navigate a maze of regulations, from the General Data Protection Regulation (GDPR), to the California Consumer Privacy Act (CCPA), as well as other region-specific privacy laws. So to stay compliant, they should have strong plans that cover data mapping, encryption, consent tracking, and see that vendors follow the rules. Here are eight essential steps to preserve data privacy compliance across borders, according to industry experts. Understand the data landscape CIOs need to know inside and out all the data their organizations handle before implementing any compliance strategy “Before tackling data privacy regulations, the first step is understanding your data: what you collect, why you collect it, and where it resides,” says Sylvestre Dupont, co-founder and CEO of AI data extraction software provider Parseur. Dupont says that distinguishing between data controllers and processors early on is critical. This approach helps companies follow rules and put the right protections in place based on the type of data and where it’s located. “Having a clear, accurate picture of your data landscape goes a long way in ensuring compliance across jurisdictions,” he adds. Leila Powell, lead data scientist at cybersecurity enterprise Panaseer, based in the UK, underscores the importance of building and maintaining accurate asset inventories. “One of the foundations of good security posture is maintaining accurate inventories of assets,” she says. “After all, you can’t protect what you don’t know is there.” Powell adds that validating security controls through multiple sources enables a source that’s crucial to maintain both privacy and security. “A single, validated source of truth all teams can share, and translated into language every stakeholder can understand, is invaluable,” she adds. Implement privacy by design Privacy should be built into every part of a business from the start, not added later. “Today, we’ve adopted a privacy-by-design approach, embedding data collection, storage, and processing considerations into the very foundation of application design,” says Subho Halder, CEO and CTO at Singapore-based mobile application security firm Appknox. “Privacy should never be an afterthought,” he says. “We treat it like an architectural principle we build into every product and service we deliver.” Halder further explains that their privacy-by-design strategy includes integrating automated tools to detect and mitigate privacy risks early. “Addressing privacy at the inception stage not only reduces risk but also fosters operational efficiency,” he says. For example, Boost Media Group embeds privacy by design from the first line of code and maintains alignment to standards, such as ISO 27001 for security and the NIST Privacy Framework, says David Afolabi, group head of systems and data, and acting chief information and data officer at the digital marketing agency. Develop a global privacy baseline Given the conflicting and evolving nature of global privacy laws, a one-size-fits-all approach is ineffective. Instead, companies should adopt a baseline standard that can be applied globally. “We default to the strictest applicable standard,” says Kory Fong, VP of engineering at Private AI in Toronto. “Our baseline makes sure we can flexibly adapt to regional laws without starting from scratch each time a regulation changes.” Fong also points out that the company’s system can quickly adjust policies as rules change. “To stay ahead of new regulations, we prioritize proactive privacy engineering and continuous monitoring of regulatory developments worldwide,” he says. “Our technology is designed to flexibly adapt to different definitions of personal information, and we invest heavily in partnerships with legal and compliance experts across regions.” Employ vendor compliance programs Data privacy isn’t just about a company’s own systems. Vendors and suppliers must also follow strict privacy rules. “Our supply chain and third-party risk management processes have been enhanced to see that all vendors, especially those handling sensitive data or systems, meet our rigorous privacy and security expectations, including audits and certifications such as ISO 27001 and SOC 2,” says Bryan Willett, CISO at Lexmark, the cloud-enabled imaging and IoT tech company. Scott Hertel, founding CTO at data privacy provider Osano is on the same page. “Understand your vendors,” he says. “Supply chain risks are a known weakness for cybersecurity professionals and privacy regulators, too. Knowing who you’re sharing your data with, and what they’re doing with it, is essential to minimize harm, understand whether data is being sold or shared with unknown parties, and reduce the likelihood of data being misused for attacks.” Stay ahead of the curve Being in front of emerging regulations is critical to maintaining compliance. “Proactivity is key,” says Fong. “It enables us to adapt without disrupting operations.” Private AI’s regulatory team is set up to spot upcoming legislative changes early, giving them time to adjust their strategy. “To stay ahead of new regulations, we prioritize proactive privacy engineering and continuous monitoring of regulatory developments worldwide so our products evolve in lockstep with the laws and standards our customers must comply to,” he adds. James Prolizo, CISO at Sovos, provider of tax compliance software, agrees that being proactive is key. “It’s about creating an environment where regulatory knowledge is baked into day-to-day decision making,” he says. “We regularly monitor global policy developments and involve our privacy experts early in the planning process so we’re prepared, not just reactive.” Alex Spokoiny, CIO at Israel’s Check Point Software Technologies, says to stay ahead of emerging regulations, his company has moved away from rigid policies to a much more flexible, risk-aware approach. “The key is staying close to what data we collect, where it flows, and how it’s used so we can adjust quickly when new rules come up,” he says. “We’re also using automation and smart tooling to help enforce things like data access, localization, or anonymization, depending on the context and the region. It’s about being ready to adapt.” Protect sensitive information De-identifying and encrypting data helps lower risks while still keeping the data useful. “At Private AI, our approach to adapting data governance strategies is rooted in building privacy into data pipelines,” says Fong. “We focus on de-identifying sensitive information at the earliest point possible, enabling organizations to work with rich, meaningful datasets while remaining compliant with regional privacy regulations like GDPR, CPRA, HIPAA, and others.” He adds that his company helps its clients get the most out of their data while keeping it secure by making data anonymous and only collecting what’s necessary right from the start. And to protect data, companies in general first have to know how data flows, the repositories where it’s stored, and who handles it, says Antonio Sanchez, chief strategy officer at quantum technology and data security company Quantum Xchange. “You’ll need to develop a classification system to tag all your data, which is a precursor to applying data protection policies,” he says. Deploy cross-functional collaboration Effective data privacy management requires a multidisciplinary approach, involving IT, legal, compliance, and product teams. “Cross-functional collaboration is built into our steering teams,” says Lexmark’s Willett. “Over the years, we’ve fundamentally transformed our approach to data governance by establishing the Enterprise Data Governance and Ethics community.” Willett notes that EDGE is a cross-functional group of senior leaders tasked with overseeing the company’s data management strategy. “EDGE sets data policies for Lexmark’s products, clarifies data-related roles across the organization, and ensures that each business area has designated data stewards and custodians to uphold governance standards,” he says. Sovos’ Prolizo agrees with Lexmark’s approach. “Rather than passing requirements from team to team, we bring stakeholders together upfront,” he says. “Everyone owns a piece of compliance, which makes it a shared goal rather than a checkpoint.” Spokoiny says this collaborative structure is vital to the company’s privacy strategy. “It’s become a must-have,” he says. “Privacy used to be something IT or legal handled on their own. Now it’s something product teams, compliance, legal, engineering do together. We’ve got privacy leads in key groups, shared goals tied to trust and data safety, and regular check-ins when launching new things. It’s a real team effort now.” Apply continuous training and awareness programs Privacy compliance is not a one-time effort. It requires ongoing education across all levels of the organization. “We’ve invested heavily in training programs tailored to specific roles,” says Willett. “Developers, for instance, understand not just how to build features but how to do so securely and in compliance with relevant privacy mandates.” Fong concurs, emphasizing the importance of annual legal awareness sessions for product teams. “CIOs should make it their responsibility to bridge the gap between legal and product, and make sure new features are developed with compliance in mind from day one,” he says. “Innovation doesn’t slow down when privacy is part of the process. It accelerates because you avoid costly rewrites later.” Nick DeMelas, chief experience officer at software developer Sourcetoad, says his company proactively maintains awareness of regulatory trends, geopolitical developments, and emerging technologies with research, alerts, RSS feeds, and keeps an eye on the industry overall. “Our team actively participates in ongoing internal training sessions, regularly sharing insights about privacy and security developments,” he says. “We also hold internal discussions and talks, such as recent sessions on differences between EU and US privacy standards, helping our team anticipate shifts rather than react to them.” Related content