Global compliance with data protection regimes

By Mathew Chacko, Aadya Misra, Ada Shaharbanu and Ritika Acharya, Spice Route Legal

India’s volume of data generated daily has skyrocketed, from social media interactions and financial transactions to healthcare records and transportation systems. Alongside the opportunity for innovation and growth, this development has raised concerns regarding privacy, security and fair usage of data and corresponding rights.

To address these challenges, governments worldwide have introduced, or sought to introduce, legislation to safeguard individuals’ privacy rights, prevent misuse of personal data, and ensure transparency and accountability in data handling practices across industries.

Compliance

Mathew Chacko
Partner
Spice Route Legal
Email: mathew@spiceroutelegal.com

Historically, data protection laws have been structured around ensuring the ethical and responsible use of personal data. They are rooted in fundamental privacy and human rights principles including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, quality, storage limitation, integrity, confidentiality and accountability.

More than 50 jurisdictions have now enacted data protection legislation that gives effect to and enforces these objectives. Because technology erodes national borders, extraterritorial application is a common feature of such legislation.

Businesses therefore have to strategically initiate data protection compliance depending on a multitude of factors specific to each business. These include: the size and nature of the business; whether it is a B2B or B2C player; countries where its offices are based; countries where its servers are hosted; countries where its customers are located; whether the business uses privacy-invasive technologies such as artificial intelligence; and the amount of funding the business is willing to allocate to privacy compliance.

Aadya Misra
Counsel
Spice Route Legal
Email: aadya.misra@spiceroutelegal.com

Businesses may want to break down compliance by identifying a list of countries whose laws are applicable to them, and maybe opt for a primary jurisdiction – ideally one with robust data laws – and ensure compliance with its requirements. Subsequently, they can proceed to customise their approach for other countries by making jurisdiction-specific adjustments or additions gradually.

While specific details and implementation of these principles may vary across jurisdictions, the following are common considerations that arise from a global perspective. Each of these should be factored and customised for each jurisdiction whose laws apply to a business’s data processing activities.

  1. Data inventories. As a first step to kickstart compliance, businesses should consider undertaking a comprehensive data inventory exercise to determine the scope of their personal data processing activities. The inventory should provide a detailed overview of: the types of data collected; the purposes of collection; the sources of the collected data; the duration and format of retention; and the entities with which the data is shared. This document typically serves as a foundational tool for the next exercise – determining how the business is characterised as an actor under the law.
  2. Actor analysis. Data protection laws typically define two types of actors – entities that control the purposes and means of processing data, and others that process personal data on behalf of the first. Numerous laws categorise the former as “data controller” and the latter as “data processor”, and impose more onerous obligations on the former than the latter. Some laws impose obligations on all organisations that process data. Therefore, businesses must identify and analyse their roles with respect to data protection laws that apply to them to accurately determine implications of the law to their processing activities.
  3. Contracts. Businesses may consider creating standard data processing agreements (DPAs) to be signed with every customer or service provider they engage to process personal data, as appropriate. DPAs are an efficient means to contractually set out each party’s roles, responsibilities and liabilities with respect to the processing of data, the protection of data, and breach reporting obligations. While not all jurisdictions mandate DPAs, it is nevertheless beneficial to ensure that adequate arrangements for data protection are established.

    Ada Shaharbanu
    Senior Associate
    Spice Route Legal
    Email: ada.shaharbanu@spiceroutelegal.com
  4. Legal basis. Businesses should analyse their legal bases for processing personal data in a particular jurisdiction. Legal bases to process personal data tend to vary across jurisdictions. Certain jurisdictions place significance on consent, while others offer more diverse grounds for processing data. The most common bases of processing include consent, contractual necessity, compliance with the law, public interest and legitimate interests. This analysis is crucial for businesses to determine the scope of their offerings in each jurisdiction. A jurisdiction that requires reliance on consent, for instance, may require companies to review customer interactions, and may often require restructuring of these processes.
  5. Children’s data. Businesses should also consider how children’s data is treated across jurisdictions, and identify how and whether they process it. Certain jurisdictions regulate processing of children’s data based on a tiered age system, where children between certain younger ages are subject to more enhanced protection. Others adopt a single-tiered approach for all individuals below adult age. The need to age-gate, seek verifiable parental consent, and in certain cases refrain from processing children’s data, are all factors that ought to be considered when rolling out a global compliance plan.
  6. Individual rights. Data protection laws generally confer individuals with rights such as the right to access, correction, erasure, portability, restriction of processing and grievance redressal, among others. Although these rights may vary across jurisdictions, businesses have the ability to institute mechanisms that enable the seamless exercise of these rights by data subjects. To achieve this, businesses can: (a) appoint an officer to handle the front-end relationship with customers, particularly to respond to communications from customers (such as the data protection officer, where applicable); (b) institute a UI/UX journey to ensure seamless facilitation of data subject rights, such as putting in place a portal where individuals can submit specific requests for the exercise of their rights; and (c) set up internal mechanisms for request tracking, timeline maintenance, acknowledgments and role divisions, ensuring that refusals and replies comply with the law.

    Ritika Acharya
    Associate
    Spice Route Legal
    Email: ritika.acharya@spiceroutelegal.com
  7. Security of data. A common thread in data protection laws is the requirement to establish suitable technical and organisational measures to safeguard personal data. It is essential for businesses to establish standard operating procedures (SOPs) across all their regional divisions to outline security protocols comprehensively. Examples of such protocols include encryption, access control, firewalls, multi-factor authentication, regular data backups and penetration testing. Businesses should also internally maintain: incident response plans that may be modified if necessary to set out procedures for the detection and identification of security incidents; remedial measures to contain the incident or prevent further damage; procedures for restoring affected systems and data to normal operations; and roles and responsibilities for reporting data breaches to the supervisory authority and/or data subjects, depending on reporting requirements under applicable law.
  8. Policies and processes. Businesses should frame key policies to allocate responsibility within an organisation and establish certain standard operating procedures. These include: incident response plans; data subject request policies explaining how to handle requests from individuals to exercise their rights; data protection impact assessment policies specifying the types of data processing activities or events that require data protection impact assessments; data retention policies managing the retention, storage and disposal of data within specified timeframes; and data inventory policies designating the personnel responsible for updating and reviewing the organisation’s data inventory.
  9. International data transfers. Businesses should remain particularly cognisant of the restrictions that data protection laws impose on cross-border data transfers. Data inventories may be used as a guide to identify the countries outside the host country to which data is transferred. Subsequently, businesses should determine the most appropriate transfer tool for each country, conduct transfer impact assessments, and localise data where necessary.
  10. Employment and HR activities. Data protection laws typically apply to the processing of personal data by employers as well. Some laws do make specific exemptions with respect to employee data, so companies with employees across jurisdictions should ensure that employee data is processed in accordance with the applicable law. Typically, larger organisations create employee-specific privacy policies, CCTV policies, diversity, equality and inclusion policies, and bring your own device (BYOD) policies where personal data is concerned. There may also be instances where applicable laws require a formal employer-employee relationship in order to avail of certain exemptions, so businesses should carefully evaluate how the data of other categories of individuals – such as interns, consultants, contractors and part-time employees – is processed. Employers should also generally consider labour-specific legislation to align employee data retention periods, and how data scraping is treated in different jurisdictions, to ensure that any background verification mechanisms they undertake are compliant with applicable law.

Takeaway

As technology continues to evolve and the use of personal data becomes even more pervasive, businesses will need to adapt to changing regulatory frameworks. Data protection compliance is an ongoing exercise, and businesses must regularly update their processes to keep pace with contemporary trends.

SPICE ROUTE LEGAL

Spice Route Legal boasts one of Asia’s largest and most sophisticated data protection, privacy and cybersecurity practices.

Established in 2016, the team has grown to advise many of the world’s most sophisticated and innovative companies on data protection and cybersecurity. Our data, privacy and cybersecurity team includes specialists in HR-tech, ad-tech, martech and social media, outsourcing and cybersecurity, e-commerce, health data, and financial services data.

The team is frequently sought by some of the largest companies to act on cross-border data transfers, data-sharing arrangements, international data flows, cybersecurity and data risk, compliances (including GDPR), use of AI, disputes involving data, incident reporting, data-localisation, product structuring, employment and health data issues, structuring of whistleblowing hotlines, investigations and other complex challenges.

14th Floor, Skav, 909 Building, Ashok Nagar, Lavelle Road
Bengaluru – 560025, India
Contact: Ishita Dasgupta
Email: ishita.dasgupta@spiceroutelegal.com
Tel: +91 79 0356 2559
www.spiceroutelegal.com