With privacy laws in rapid development around the world, businesses with global ambitions must implement an effective data strategy and improve ‘data hygiene’ within their organisations.
More than 100 countries around the world have privacy laws, several with significant penalties for non-compliance. Most laws are based on a core set of privacy principles, but with significant local differences.
For instance, while several laws require organisations to display privacy notices/policies to individuals describing their data practices, the details of what those notices must cover may differ.
Similarly, while some laws like the EU General Data Protection Regulation (GDPR) recognise sensitive categories of data with stricter consent requirements for data collection (biometrics, racial/ethnic information, etc.), others like India’s draft law do not recognise this distinction.
Indian businesses with global ambitions must therefore have a global data strategy.
Also, the more data you collect and store, the greater your risk exposure to breaches. Organisations that hold large troves of data without a data/cybersecurity strategy can be prime targets for hackers.
Implementing core privacy principles – minimising the amount of data you collect, limiting access on a need-to-know basis, running checks before engaging any vendors, among others – can help plug vulnerabilities or gaps that often leave an organisation susceptible to breaches.
The spate of breaches at tech platforms like PolicyBazaar, Mobikwik and Zomato is a reminder that breaches don’t just attract regulatory action, but can also affect customer trust and reputation.
Even as India finalises its data protection law, businesses must therefore think seriously about data hygiene.
Adapting global best practices
Businesses can look to global best practices for guidance. Most data laws are based on similar principles, although their key objectives may be different.
For instance, the EU considers data protection a human right, and governs data collection and use with a heavy hand. The US regards business interests highly, while in China, state security is key, reflected in its local storage requirements. The triggers for the data protection law offer guidance on the region’s approach and priorities.
For businesses with global operations, the first step towards privacy compliance is to identify key markets for business – reviewing their data laws to understand key objectives, identifying a common minimum baseline, and developing policies/processes that can work globally, while being able to adapt to local nuances.
As a sampling of what this exercise could look like, this article examines breach reporting requirements across three privacy laws – the EU GDPR, Singapore’s Personal Data Protection Act (PDPA) and Japan’s Act on the Protection of Personal Information (APPI).
These requirements are also compared with India’s draft law, the Digital Personal Data Protection Bill 2022.
Baseline for breach notification
Most data protection laws require organisations to notify data breaches. They may however differ on: (1) what are data breaches and which breaches to notify; (2) when to notify; (3) who must notify – data controller or processors; and (4) who must be notified.
Regarding which breaches need to be notified, the GDPR obligation is triggered when a breach is likely to result in a risk to the rights and freedoms of individuals. In addition to harm to individuals, Singapore’s law is also triggered if the breach is likely to be of “significant scale”.
On notification timing, the EU’s and Singapore’s laws provide a 72-hour window. Japan’s law requires immediate notification, while providing a timeline of 30 days to submit a detailed report. India’s CERT-In directions require certain cybersecurity incidents to be reported within six hours.
On who notifies, the GDPR requires data controllers, Japan’s law requires the business handling personal information and Singapore’s law requires “organisations” to report breaches (as opposed to data processors or service providers who process data on the controller/organisation’s behalf).
In contrast, India’s draft law requires both “data fiduciaries” and data processors to notify breaches. The EU’s and Singapore’s laws also require data processors to notify data controllers of a breach, but such obligations are not explicit in Japan’s law or under India’s proposed law.
Finally, on who needs to be notified, all four laws require notification to the respective regulatory authorities, and in some cases to the individual whose data is breached.
Having mapped these similarities and differences, a business may choose to apply the strictest standard across all regions, or it may apply a common baseline. In any case, an organisation must have a breach response policy in place to be able to respond effectively.
The authors wish to thank trainee associate Adhit Kulkarni for his research support.