5 Frequently Asked Questions about Compliance
Since the advent of the EU’s General Data Protection Regulation (GDPR), a push for data protection legislation has swept the globe. From Japan, China and India to the US, Canada and Brazil, all countries with strong ties to the global digital market have taken measures to bring their laws up to the new international standard set by the GDPR.
While most consumers have embraced the new wave of legislation as a positive step towards curtailing what are seen as companies’ invasive data collection practices and a worrying escalation of the number of data breaches, the transition to a post-GDPR world has been a more daunting experience for businesses.
Compliance is a complex issue that companies need to prioritize in order to avoid fines and data breaches and to preserve their reputation and customer loyalty. Now a legal obligation, data protection can no longer be treated as an afterthought, but must be enshrined in company practices. The aim of these regulations is a fundamental change in the way organizations collect, process and use data, with responsibility laid squarely on companies’ shoulders.
But where should an organization start? By asking the right questions, which are usually the same no matter where a company is located. In this article, we address the five most common questions that companies just starting out on their road to compliance ask themselves, beginning with the most basic:
1. Does this data protection law apply to us?
This is perhaps the first thing all companies ask themselves. Whether it’s because of their size, sector or the amount of data they collect, they wonder whether, by some chance, the regulations do not apply to them. The answer of course depends on the geographic location and the laws passed in that country, but these regulations mostly fall into two categories.
The first category has very general applicability criteria based on the GDPR’s own broad definitions, which do not specify any applicability limits based on a company’s size, revenues or the amount of data it collects or processes. While organizations with fewer than 250 employees are exempt from having to record processing activities as listed under Article 30, they are still obligated to report data breaches and to grant data subjects the rights they have gained through the GDPR, such as the right to be forgotten and the right to data portability.
While Recital 13 does encourage Member States and their supervisory authorities to take into account the specific needs of micro, small and medium-sized enterprises in the application of the GDPR, many data protection authorities (DPAs) have chosen to keep the applicability criteria wide.
A number of data protection laws around the world such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and Japan’s Act on the Protection of Personal Information (APPI) have chosen to follow the GDPR’s lead.
A second category of laws has limited the applicability criteria based on either a company’s earnings or the amount or type of data it collects or processes. The California Consumer Privacy Act (CCPA), for example, lists no less than three thresholds companies must meet to fall under its scope: they must have over $25 million in annual gross revenue; buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers; or derive 50 percent or more of annual revenue from selling consumers’ personal information.
Meanwhile, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) restricts its applicability to commercial organizations.
Companies should therefore assess their national data protection regulations to see whether they are dealing with general applicability criteria or with more specific definitions.
2. What type of data do we need to protect?
Most data protection regulations consider personally identifiable information (PII), that is, data that can be used to identify an individual, either by itself or in conjunction with other information, as sensitive data that needs to be protected. This includes dates of birth, passport numbers, driver’s license numbers, social security numbers and the like.
Many laws, like the GDPR and the APPI, add an extra layer of protection to categories of data that are considered especially sensitive and require special care. Health data and information concerning race, religion, sexual orientation and criminal records, among others, fall into this category. It’s worth noting that even under laws that make no special additional provisions for these types of data, they are often included in the broader definition of sensitive data or fall under the scope of other specialized data protection legislation, such as HIPAA and the GLBA in the US.
3. What if our business is not located in the country? Do data protection laws still apply to us?
Most new data protection regulations, from the GDPR to the APPI and the LGPD, carry an extraterritoriality clause. It means that, regardless of whether a company is physically located in a country, as long as it collects data from data subjects located in the country where the data protection regulation applies, it must comply with that regulation.
4. Can data still be processed outside the country?
In general, data protection legislation regulates cross-border transfers, limiting them to a select number of countries that provide a level of data protection comparable to that of the country where the law is in force. In the case of the GDPR, these adequacy decisions are reached by the European Commission. Similarly, countries like Japan and Brazil have decided to apply their own adequacy decision systems.
In the absence of an adequacy decision for the country of the data processor or controller, in some cases companies can still transfer the data there if the data subject gives their informed consent in advance. There is usually also a legal route available through the establishment of appropriate safeguards. Model contract clauses or Binding Corporate Rules (BCRs) approved by the supervisory authority of the country where the data protection law is in force can ease cross-border transfers to countries without an adequacy decision in place.
5. Where do we start?
Compliance can seem like an overwhelming task, especially when starting out, and many organizations have no idea where to begin. A good first step is finding out what data is collected from data subjects, how it is processed, where it is stored and for how long. Companies need to know where their data is in order to build effective data protection strategies.
They can then assess their existing data security policies, see how these can be aligned with the compliance requirements of data protection laws, and identify what additional safeguards they need to implement to ensure that sensitive data is protected wherever it resides within their network.
From Europe to Asia and the Americas, data protection laws are the new normal. It’s expected that more and more countries will enshrine them in their legislation to ensure both continued smooth operations across borders and a reduction in data breaches. Compliance is a rocky road, but companies no longer have a choice: the age of data protection by design and by default is here.