Data protection laws and privacy – why are they important?
Companies, websites, and social media platforms all collect data. Your username, email address, and any other means of contacting or identifying you are part of that data. Personal data, or a combination of it, can be sensitive. Suppose someone knows your name and social security number. If they can also find out your mother’s maiden name, where you went to school, and so on, they can steal your identity, open bank accounts in your name, apply for loans, or even commit crimes that leave a paper trail leading right back to you.
Data protection is now a global concern. We have finally recognized that data must be protected; otherwise, it can be used for exploitation. Hence the creation of data privacy and data protection rules. Data privacy concerns who can access specific data; data protection concerns the policies and laws that restrict that access.
As for its importance: both people and businesses can be exploited through the misuse of data. Imagine living your life on the straight and narrow, only to have someone steal your personal information and use it with criminal intent. Clearing your name could take years. It may affect your credit score, your ability to get good jobs, and even your ability to rent a good, safe place to live. You can take steps toward data loss prevention by practicing email safety, reading the fine print of the data privacy agreements that websites and applications ask you to accept, and familiarizing yourself with the data protection and privacy laws in your area.
Data protection laws and privacy regulations around the world
As of the start of 2021, over 130 jurisdictions have data protection and privacy laws. Each country’s laws differ in their specifics; some are stricter than others.
Data protection laws in the EU (European Union)
The GDPR (General Data Protection Regulation) applies to European organizations that process people’s personal data within Europe, and to organizations outside the EU that process the data of, or target, people living within the EU. The GDPR covers the collection, storage, and management of personal data.
The GDPR lays out a set of rules that affected organizations must follow:
- Obtain consent from the individual concerned.
- Be transparent about who is processing the data, why, and on what legal basis.
- Obtain parental consent when the individual involved is a child.
- Respect the individual’s right to access their data and to obtain a copy of it. The individual also has the right to correct their data and to object to your company using their personal data.
- The individual also has the right to ask your company to delete or erase their personal data from your systems, unless the processing is needed to comply with a legal obligation, storing the personal data is in the public interest, or it is needed to establish a legal claim.
Data protection laws in the US
Unlike the EU’s centralized GDPR, privacy law in the US takes the form of sector-specific federal privacy laws and newer state-specific laws.
US Privacy Act of 1974
The US Privacy Act of 1974 sets out US citizens’ rights regarding their data held by US government agencies, and the restrictions on that data, including:
- The right to access and copy their personal data.
- The right to correct any errors.
- Sharing of information between federal agencies is allowed only under certain conditions.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) regulates health insurance in the US and includes provisions on data privacy and security.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) protects children’s personal information, including real names, screen names, chat names, email addresses, photo and audio files, and location.
The Fair and Accurate Credit Transactions Act (FACTA)
The Fair and Accurate Credit Transactions Act (FACTA) applies to the financial services industry and sets data retention limits for businesses by requiring the destruction of data after its final use.
The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act
The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act regulate the interception of electronic communications and computer tampering, as noted by Thomson Reuters. These laws apply to all digital infrastructure development companies in the US.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them. Considered a landmark law, the CCPA grants consumers new privacy rights, namely the right to:
- Know what personal information businesses collect and how it is used and shared
- Delete the personal information collected (with a few exceptions)
- Refuse the sale of their personal information
- Not be discriminated against for exercising their CCPA rights
Data protection laws in the Middle East
There is no general federal data protection law in the GCC (Saudi Arabia, Kuwait, Qatar, Bahrain, and Oman).
Notwithstanding this, it would be incorrect to say that data protection and individual privacy are unregulated.
Various general laws cover aspects of privacy, as follows:
The Qatar Financial Centre (QFC) addresses data privacy through its Data Protection Regulations (Regulation 6 of 2005), which are largely modelled on the European Data Protection Directive.
Article 37 of the Qatari Constitution states: “The sanctity of human privacy shall be inviolable, and therefore interference into the privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed.”
Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008, and data protection in the DIFC is regulated by DIFC Law No. 1 of 2007 (amended by DIFC Law No. 5 of 2012) and by the Data Protection Regulations (Consolidated Version No. 2, in force since 23/12/2012).
The DIFC enforces the law and imposes sanctions where a data controller is not compliant.
Kingdom of Saudi Arabia
Shariah law is supreme, and it includes tenets relating to an individual’s privacy. Various sector-specific laws give effect to these principles:
Anti-Cyber Crime Law
The Anti-Cyber Crime Law punishes (by fine or imprisonment) any person who illegally accesses a computer without the owner’s prior knowledge or permission. The Electronic Transactions Law regulates all forms of electronic communications.
KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations)
The KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations) govern the exchange of information between borrowers and creditors through Articles 3.1 and 3.2.
Healthcare Practice Code
The Healthcare Practice Code requires that health practitioners safeguard and observe complete privacy regarding patients’ data.
Telecommunications Law
The Telecommunications Law restricts service providers from sharing customer data with third parties and prohibits the tracking of customers’ telephones.
United Arab Emirates
Article 31 of the UAE’s constitution addresses freedom of communication and guarantees its secrecy in accordance with the law. The National Electronic Security Authority (NESA) oversees the security of data storage, processing, and electronic transmission.
Data protection laws & Data Privacy in the APAC region
APAC countries also have their own data protection laws.
Australia has the Privacy Act 1988 and the Australian Privacy Principles (APPs). These rules govern the collection, use, and disclosure of personal information; a company’s accountability; and an individual’s right to access and correct their data. They apply only to Australian and Norfolk Island government agencies; Australian companies with an annual turnover of more than AUD 3 million; and Australian companies with a turnover of less than AUD 3 million that provide healthcare services, trade in personal information, or have opted in to be bound by the APPs.
South Korea’s Personal Information Protection Act (PIPA) is one of the world’s strictest and most comprehensive sets of data privacy laws. The fundamental principles of PIPA include transparency and lawfulness, data minimization, retention, harm prevention, and purpose limitations.
India has laws that safeguard electronic communications, such as the Information Technology Act 2000, the SEBI regulations, and most recently the Data Protection Bill of 2018.
SEBI (Securities and Exchange Board of India) regulations mandate the systematic categorization, review, and retention of all critical business documents in company systems for 5 years, and their archiving for a further 3 years thereafter.
These regulations apply to banks, NBFCs, trading companies, and financial organizations in India.
IT Act 2000/08
As amended in 2008, the IT Act states that electronic records, including email, are admissible as evidence under the Indian Evidence Act, 1872, the Civil Procedure Code, and the Criminal Procedure Code.
The IT Act is a general law applicable to all organizations with an IT infrastructure.
As per the IRDAI’s (Insurance Regulatory and Development Authority of India) guidelines on information and cyber security for insurers, electronic core business records must be hosted within India, with data retention and destruction schedules defined by the organization.
The company should audit this practice, wherever applicable.
Personal Data Protection Bill, 2018
(Still to become an Act and come into effect)
The PDP Bill 2018 mandates that any entity processing personal data must store it on a server or in a data center located in India. The Central Government will notify which categories of personal data are to be treated as critical personal data.
Data Protection laws in Southeast Asia (SEA)
ASEAN’s (Association of Southeast Asian Nations) combined GDP tops $2.6 trillion, the third largest in Asia and seventh largest globally. With a population of over 600 million, the ASEAN market is bigger than the EU or North America.
With this tremendous opportunity for economic growth, ASEAN has committed to harmonizing its legal infrastructure for e-commerce in order to integrate the e-ASEAN sector. One goal of this strategic initiative for the ASEAN Economic Community (AEC) is to adopt best practices in cyber security and data protection. The Philippines, Malaysia, and Singapore are at the forefront of data protection policy frameworks and their implementation.
The Philippines’ Data Privacy Act (DPA) of 2012 made the country the second in Southeast Asia to enact a comprehensive data protection law. The National Privacy Commission actively implements this law and has established its rules and regulations.
Singapore’s Personal Data Protection Act 2012 (PDPA) is the primary law protecting individual privacy. The PDPA applies to all electronic and non-electronic data collection, processing, or disclosure within the country, whether or not the organization is located in Singapore. The act requires companies to secure users’ consent, establish a reasonable purpose for obtaining the data, and inform users of all the data processes. Violators face penalties of up to 1 million Singapore dollars or imprisonment for up to 3 years.
Kingdom of Cambodia
The Kingdom of Cambodia, on the other hand, has yet to announce plans to formulate a national law on privacy and data protection.
Laos (the Lao People’s Democratic Republic) has the Law on Electronic Data Protection (2017) and the Law on Prevention and Combating of Cyber Crime (2015), which contain provisions relating to the protection of personal information.
Myanmar has the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017), which prohibits the interception of citizens’ electronic communications, private correspondence, and physical privacy unless otherwise warranted by an “order.”
The Kingdom of Thailand has its Personal Data Protection Act B.E. 2562 (2019), which state agencies are implementing to protect citizens’ personal information.
Article 38 of Vietnam’s Civil Code 2015 sets the rules for the collection, storage, processing, use, disclosure, and publication of personal data.
ASEAN adopted its regional declaration on privacy as part of its 2012 Human Rights Declaration. Article 21 of the declaration states:
“Every person has the right to be free from arbitrary interference with his or her privacy, family, home, or correspondence including personal data, or to attacks upon that person’s honour and reputation. Every person has the right to the protection of the law against such interference or attacks.”
These efforts culminated in the establishment of the ASEAN Framework on Personal Data Protection in 2016. The framework sets out data protection principles to help member states implement domestic laws and regulations aligned with the global framework.
Impact of GDPR (General Data Protection Regulation) in other regions
The GDPR standardizes data protection law across all 28 EU countries and imposes strict rules on controlling and processing personally identifiable information.
It gives control back to EU residents. The GDPR ushers in better accountability and governance: it is comprehensive and strict, and penalties can be as high as 4% of a company’s total annual turnover.
The GDPR includes provisions on the appointment of representatives, sanctions, data breach notifications, accountability, data protection officers, and individual rights, to name a few.
Under the GDPR, any company processing the data of EU citizens or residents, irrespective of its location, must upgrade its software and servers to provide enhanced security and control to its customers.
Thus, the GDPR carries significant financial implications for a company in terms of software, hardware, and the appointment of staff for compliance purposes.
Businesses must create internal compliance processes so that all employees fall in line with the GDPR. The designated representatives are answerable to the legal authorities.
Companies must upgrade their offerings and projects to give customers complete control over their data. The impact of the GDPR is visible across industry sectors such as travel and tourism, automobiles, hospitals, hotels, offshore development centres, and the IT industry in general.
Companies must navigate costly, time-consuming, and technically challenging obstacles such as facilitating data portability, data storage, notifications, and data control, to name a few.
Enterprise software solution providers must assess the functionality of their applications, as their databases hold voluminous customer data. Ensuring GDPR compliance may therefore require considerable modifications and the associated costs.
How protecting email data can strengthen compliance
Email is one of the most widely used communication modes within businesses and corporate houses. Much consumer and employee data is stored or transferred in email, so companies must manage email data with rigor. Now that the GDPR has come into effect, enterprises must ensure proactive protection, access, and retrieval of emails. A good cloud data management solution like Vaultastic can reduce risks, optimize costs, and improve agility for businesses.
A simple framework to comply with data protection laws
Compliance with the data privacy laws of your target regions is a keystone of trust and transparency between businesses and consumers. Many businesses have difficulty identifying non-compliant outcomes because they focus on procedures alone and treat them as guidelines. Good internal processes by themselves do not necessarily improve a business’s compliance posture. Businesses must adopt a holistic, rigorous approach to compliance with the data privacy laws in their target regions.
This is a cultural change, one that influences mindsets. Businesses should first understand that they are approaching an opportunity to earn their customers’ trust in this digital age. Having instilled this belief, they should proactively take the following steps to ensure compliance with data privacy laws:
- Conduct a preliminary internal privacy audit, irrespective of which laws apply to the industry or geographic region.
- Find the gaps and close them by strengthening data processing controls internally.
- After this step, a company has moved from an effective position to an efficient one for initiating compliance operations. Businesses can then adopt an industry-specific approach to identify granular data categories, namely:
  - Data categorized by the source of collection
  - Records of associated customer/user consent, along with the purpose of collection
  - The lifeline of the data and records of its respective uses/transactions
- Now that you have synthesized enterprise-wide data, define data transferability and erasure projections for the structure above. The data repository should be aligned with clear business objectives. In doing so, a business outlines a clear picture of its governance framework, architecture, and data life cycle.
For example, an organization in the healthcare industry should understand HIPAA compliance and secure its adoption of electronic health records. The firm should know all the digital communications involved, including email, cloud transfers, data storage devices, and employee exposure to data fragments. This helps the firm comply with HIPAA by maintaining the confidentiality and availability of all users’ personal health information.
Besides compliance with laws, here are five benefits of data protection
Intellectual Property Rights Protection
Email retention can protect financial information, business plans, and product details from being stolen in the event of an email server hack.
A tamper-proof cloud archiving solution can help achieve just that!
Protection Against Cyber Threats
If a cyber-attack wipes out your PC, a secure cloud backup can help you safely recover your mail.
Litigation and eDiscovery Support
In the event of a lawsuit, email retention lets lawyers quickly retrieve old emails in an organized manner using eDiscovery.
Internal Dispute Settlements
Disputes are opportunities. In the event of a dispute, archived emails help in reviewing commitments and conversations to discover the truth and improve efficiency.
Knowledge Repository
Organizational competence is built over discussions, information, and plans spanning long periods and requiring massive effort. Much of this is captured in the daily exchange of email. Email retention ensures that this entire knowledge repository is secure and easily accessible.
No matter where you are, one form or another of data protection, privacy, and security law governs the collection and use of data.
If you plan to set up a business in another country, or one that serves customers in other countries, it is best to research the laws of that country or territory governing data and information protection. This ensures that you build suitable systems to protect and secure your data, and saves your business the trouble of incurring penalties for non-compliance.
While protecting data to comply with data protection and privacy laws will help you manage risk, it is also important to consider how you can leverage the data repository to gain agility in the business.