Data Privacy Laws: Global View

But while many countries have already put regulations in place, organisations that operate internationally might be a little confused with the differences between each local piece of legislation. In fact, there isn’t yet a global standard for how personal information should be collected, handled and stored. For this reason, it is essential for organisations to understand the fundamentals of each regions’ rules, as the fines imposed for being found non-compliant are substantial.

GDPR (EU)

Since the introduction of GDPR in May 2018, nearly all EU member states have introduced their own supplements to the regulations. This set of laws remains the benchmark for many of the countries that are currently following suit in designing policies to protect individuals’ personal information.

Among the breakthrough restrictions introduced with GDPR, there are:

• Enabling Data Protection Authorities (DPAs) to make binding decisions and issue administrative sanctions including fines
• The right to object to processing based on controller or public interests
• Data breach notification to DPA and sometimes to data subjects
• Stronger consent requirements
• Including biometric and/or genetic data in the definition of sensitive data
• Introducing Data Protection Officers (DPOs) as a mandatory role in an organisation in case of certain types of personal data processing

These laws require a complex chain of responsibility overseen by a company’s DPO (or shared DPO between many companies), who essentially manages the processing and controlling of data as a program. Two years since the introduction, companies are still struggling to become compliant.

As with all privacy programs, consider your company’s path to GDPR compliance more like a journey, rather than a static objective. Full GDPR compliance can be achieved, but it also needs to be maintained and monitored continuously, as requirements will shift over time. This is where the DPO role can help to make sure all requirements within GDPR can be achieved.

The biggest thing to remember about this regulation, is not however what it covers. The biggest point of this regulation is that it covers data handling with an extraterritorial focus. This means that if you handle data of European residents, or store data in Europe, then you fall under the GDPR, and it will be enforced.

California Consumer Privacy Act – CCPA (USA)

The CCPA applies to businesses that collect personal information of Californian residents, including customers and employees. This law is very similar in the way it was written, to a more pointed and simplified GDPR. It does however change the definition of personal data in an interesting way, by including privacy for devices and families.

This is another extraterritorial law, one that is trying to fill in the gaps left by the USA’s Federal Trade Commission and HIPAA privacy regulations. Businesses need to meet certain thresholds to be bound by CCPA. Organisations that meet one of the following criteria need to comply, and at no point in the law does it state that these numbers must be related to just California residents care:

• Collecting information of more than 50,000 people, devices, or families (IP addresses are considered personal information, so organisations operating websites with more than 50,000 visitors per year fall within the criteria)
• Have a yearly revenue over $25M
• Derive 50% or more of their revenue from the sale of customers’ personal information.

The CCPA gives California residents new privacy rights, among them the right to access, deletion, opt out and the right to know how a business has collected and handled their personal data in the previous 12 months.  This also includes a company’s employee’s personal data.

This is the first major state data protection law to come into effect in the USA, CCPA is still very different from GDPR, and organisations that are already GDPR compliant should not take this as a guarantee that their processes and procedures are also CCPA compliant, as this might give them a head start, but a review will still be necessary.

India Personal Data Protection Bill

Effective date: TBD (Early 2020)

India’s new privacy laws has sparked some controversy. The most disputed clause it will include is that it will allow the processing of personal data in the interest of state security, if authorised (although most other privacy programs are similar). It will also allow processing of personal data for prevention, detection, investigation and prosecution against offences, effectively painting a picture of state surveillance. This will be one to keep an eye on for when it goes live, so we can evaluate how it will impact international business.

Singapore Personal Data Protection Act

A currently evolving law, the Singapore Personal Data Protection Act overlaps with GDPR in use and scope, but it focusses on compliance in a fundamentally different way. Where GDPR is based on regulations, Singapore applies its PDPA as a set of checkboxes, pushing its efforts on accountability for misdeed first.

Singapore has also instituted a dedicated department, the Personal Data Protection Commission, directly tasked with holding organisations accountable for misuse of personal information. Of its 2020 budget, the country set aside $1bn over the course of three years to bring the government up to speed with cyber and data security capabilities.

The regulations apply to all forms of personal data from which an individual can be identified. It does, however, exclude business contact information, as long as they are provided for a business purposed.

Furthermore, the PDPA establishes a “Do Not Call Regime”: in the instance of consent not being explicitly given, organisations wanting to call or text Singapore telephone numbers must check the DNC register and ensure that the message identifies the sender and provides details to opt-out.

The 10 Generally Accepted Privacy Principals and the bottom line

in the world of data privacy there are a collection of 10, generally accepted privacy principals. If you were building a privacy policy or standard, always focus on these:

1. Management: how pill policies, standards and procedures be managed for date privacy.
2. Notice: what notice will be given for data collection.
3. Choice and consent: there must be consent by those who have data collected.
4. Collection: what data will be collected, and only what data will be collected.
5. Use, retention, and disposal: or what is your data lifecycle.
6. Access: what access controls are used.
7. Disclosure to third party: the why, who and with what consent data is disclosed.
8. Security for privacy: physical or technological protection of the data.
9. Quality: this is how you validate you are keeping real data.
10. Monitoring and enforcement: just as it is stated, monitoring and enforcement or the policies in place.

No matter what the regulation you are trying to follow, if you begin with the 10 generally accepted privacy principals you will be starting down the path you need to go. Most laws utilize these 10 principles as a starting point.  But from there you need to understand that data privacy law is a still evolving concept.  And with the changing landscape, it will increasingly require organisations to have a certain degree of in-house expertise, at least to lay down the foundations of a successful and compliant data strategy. From there, it is about maintaining compliance and doing regular checks. Particularly considering the working environment that we have all found ourselves in due to the COVID-19 pandemic.

Just because some of the world has changed, does not mean that privacy regulations are being relaxed.  With a dispersed workforce, it is more important than ever to ensure compliance. Take this as a gentle reminder to review your compliance regulations, so that when we reach the other side, organisations aren’t stung with data breaches or compliance related fines and damages.

By Robert Meyers, FIP, Privacy Professional at One Identity.