Every business now has the potential to be global. There are new ways to operate in different countries and markets, and this brings with it extraordinary opportunities for organisations large and small. However, running a global operation poses its own set of challenges, especially when it comes to data regulation. For a company operating abroad there are three key factors you need to consider when handling data: What are the rules? How can you protect yourself? What should you do if something goes wrong?
The global regulation landscape:
Laws surrounding the protection and handling of data vary wildly across the globe. Below is a quick snapshot of the current situation in some of the biggest global markets:
The regulatory landscape in China is extremely complex, with laws around state secrets creating confusion for companies that operate there. The way in which information is handled is different and rules surrounding encryption can make it harder for westerners to deal with data lawfully. One example would be the issues suffered by GlaxoSmithKline and its British private investigator when they fell foul of Chinese data regulation laws. As a result it's essential to understand the potential implications for western firms.
When rules are not set out in stone, organisations can be more at risk as they do not have a specific framework they must adhere to. India is a great example of this, as over the past 15 years or so it has seen various attempts to introduce a definitive and comprehensive data protection act. India has had some data protection legislation in place since 2011 but the position is less clear than in other countries. As a result any company doing business in India will need to do its research before collecting or processing data there.
Data regulation across the United States is in a state of flux, with individual states having different rules, making the system somewhat disjointed. For example, breach notification requirements vary substantially between states. While the US does not have an all-encompassing national data regulation, the Federal Trade Commission has been known to fine firms that have failed to uphold their promise to protect data.
New laws scheduled to come into effect in September this year put a greater emphasis on keeping Russian data on Russian soil. These laws will have an impact on anyone doing business with Russia, regardless of business location, especially multinational companies with a Russian presence. They will also affect online businesses, as they will require them to distinguish the data that relates to Russian individuals and keep it stored in Russia. Failure to adhere to these rules could result in your firm being barred from operating there in the future.
How can you protect yourself?
The ramifications for losing data abroad are huge and companies need to make sure they are taking proper precautions.
A written agreement with your foreign partners and vendors is key. If you are passing customer details on to a third party based abroad you need to set out what you expect from them and agree the standard by which they'll look after your data.
Once you have asked the right questions and have an agreement in place, you must then audit against these standards. The level of audit will depend on several factors including the sensitivity of the data.
As well as these preventative measures, it is always worth considering insurance against any losses that may result from a data breach caused by your supplier.
What to do when there is a breach:
There is still a chance that a breach could happen, even with the best precautions in place. The ramifications will very much depend on where you lost the data, how sensitive the data is, whether it could be used for identity theft and who it belongs to. For example, if you lose data on UK citizens abroad then you could face investigation by the Information Commissioner's Office (ICO). Should a breach occur, your firm will need to know what to do next. This could include:
- Involving law enforcement as soon as you can. This could be vital, especially if the attack has been a malicious one. Globally there are varying rules and requirements and you have to be sure you know what is expected of you.
- Identifying how many people have been affected, what data has actually been compromised, and where the victims are based.
- Establishing how the breach happened and stopping it happening again. This could mean fixing the vulnerability that caused the breach or taking down a compromised site.
- Getting in contact with the relevant authorities (such as the ICO), making sure you have all of the necessary information to hand.
The global data regulation landscape is not a simple one, and any firm must show that precautions have been taken to protect and handle data appropriately. You must do your research, ensure you know your market, and take every preventative step you can.
Contributed by Jonathan Armstrong, data regulation lawyer at Cordery and adviser for Absolute Software