Companies, websites, and social media platforms all collect data. Your username, email address, and any other ways to contact or identify you are part of your data. Personal data, or a combination of it, can be sensitive. For example, suppose someone knows your name and social security number. If they can also find out your mother’s maiden name, where you went to school, and so on, they can steal your identity, open bank accounts under your name, apply for loans, or even commit crimes that leave a paper trail leading right to you.
Nowadays, data protection is a global concern. We finally recognize that data needs to be protected; otherwise, it can be used to exploit people. Hence the creation of data privacy and data protection. When we say data privacy, we are talking about who can access specific data. When we say data protection, we are talking about the policies and laws that restrict access to data.
The GDPR (General Data Protection Regulation) applies to European organizations that process people’s personal data within Europe and to organizations outside the EU that process the data of, or target, people living within the EU. The GDPR covers the collection, storage, and management of personal data.
The GDPR has laid out a set of rules that affected organizations need to follow:
Unlike the EU’s centralized GDPR, the privacy laws in the US come in the form of vertically-focused federal privacy laws and the newer, state-specific laws.
The US Privacy Act of 1974 contains the rights and restrictions on US citizens’ data held by US government agencies. Like:
The Health Insurance Portability and Accountability Act (HIPAA) regulates health insurance in the US and includes data privacy and security.
The Children’s Online Privacy Protection Act (COPPA) protects children’s actual names and screen names, chat names, emails, photo and audio files, and location.
The Fair and Accurate Credit Transactions Act (FACTA) applies to the financial services industry and regulates the data retention limits of businesses by requiring the destruction of data after its final use.
The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act regulate the interception of electronic communications and computer tampering, as noted by Thomson Reuters. These data privacy laws apply to all digital infrastructure development companies in the US.
California Consumer Privacy Act (CCPA) provides consumers with more control of personal information that businesses obtain from them. Considered a landmark law, the CCPA provides consumers with new privacy rights, namely:
There is no direct general federal law in the GCC (Saudi Arabia, Kuwait, Qatar, Bahrain, and Oman).
Nonetheless, it would be incorrect to say that data protection or individual privacy is not regulated.
Various general laws cover aspects of privacy, as follows:
The Qatar Financial Centre (QFC) addresses data privacy through the Data Protection Regulations (Regulation 6 of 2005), which are mainly driven by the European Data Protection Directive.
“The sanctity of human privacy shall be inviolable, and therefore interference into the privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed,” says Article 37 of the Qatari Constitution.
The Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008, and data protection in the DIFC is regulated by DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and by the Data Protection Regulations (Consolidated Version No.2 in force on 23/12/2012).
The DIFC enforces the law and imposes sanctions where the data controller is not compliant.
Shariah Law is supreme, and it includes tenets related to an individual’s privacy. Various sector-specific laws enact these principles:
Anti-Cyber Crime Law:
The Anti-Cyber Crime Law punishes, by fine or imprisonment, any person who illegally accesses a computer without the owner’s prior knowledge or permission. The Electronic Transactions Law regulates all forms of electronic communications.
KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations):
The KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations) govern the exchange of information between borrowers and creditors through Articles 3.1 and 3.2.
Healthcare Practice Code:
The Healthcare Practice Code requires a health practitioner to safeguard patients’ data and observe complete privacy regarding it.
Telecommunications Law:
The Telecommunications Law restricts service providers from sharing customer data with third parties and prohibits telephone tracking of customers.
United Arab Emirates:
Article 31 of the UAE’s constitution speaks about freedom of communication and guarantees its secrecy in accordance with the law. The National Electronic Security Authority (NESA) ensures the security of data storage, processing, and electronic transmission.
APAC countries also have their own laws regarding data protection.
Australia has the Privacy Act 1988 and the Australian Privacy Principles (APPs). These rules govern the collection, use, and disclosure of personal information; a company’s accountability; and individuals’ right to access and correct their data. These laws apply only to Australian or Norfolk Island government agencies; Australian companies with a turnover of more than AUD 3 million; and Australian companies with a turnover of less than AUD 3 million that provide healthcare services, trade in personal information, or have opted in to be bound by the APPs.
South Korea’s Personal Information Protection Act (PIPA) is one of the world’s strictest and most comprehensive sets of data privacy laws. The fundamental principles of PIPA include transparency and lawfulness, data minimization, retention, harm prevention, and purpose limitations.
India has laws that safeguard electronic communications, such as the Information Technology Act 2000, SEBI, and most recently, the Data Protection Bill of 2018.
SEBI (Securities and Exchange Board of India) regulations mandate the systematic categorization, review, and retention of all critical business documents for 5 years in company systems, and after that, archiving them for another 3 years.
These regulations apply to banks, NBFCs, trading companies, and financial organizations in India.
With a further amendment in 2008, the IT Act states that electronic records, including email, are permitted as evidence under the Indian Evidence Act, 1872, the Civil Procedure Code, and the Criminal Procedure Code.
The IT Act is a general law applicable to all organizations with an IT infrastructure.
As per the IRDAI’s (Insurance Regulatory and Development Authority of India) guidelines on information and cyber security for insurers, electronic core business records shall be hosted within India, with the data retention and destruction schedules to be defined by the organization.
The company should audit this practice wherever applicable.
(Still to become an Act and come into effect)
The ASEAN’s (Association of Southeast Asian Nations) combined GDP tops $2.6 trillion, the 3rd largest in Asia and 7th largest globally. With a population of over 600 million, the ASEAN market size is bigger than the EU or North America.
With this tremendous opportunity for economic growth, the ASEAN has committed to harmonizing legal infrastructure for e-commerce to integrate the e-ASEAN Sector. One of the goals of this strategic initiative for the ASEAN Economic Community (AEC) is to adopt best practices concerning cyber security and data protection. The Philippines, Malaysia, and Singapore are at the forefront of the Data Protection Policy framework and implementation.
Malaysia’s Personal Data Protection Act 2010 requires notification and consent of users for any data collection and its purposes. It also prohibits any disclosure of personal information not pre-declared to the customer. All information must be kept secure and must not be kept longer than specified in the privacy policy.
The Philippines’ Data Privacy Act (DPA) of 2012 made the country the second in Southeast Asia to enact a comprehensive data protection law. The National Privacy Commission actively implemented this law and established its rules and regulations.
Singapore’s Personal Data Protection Act 2012 (PDPA) is the primary governing law protecting individual privacy. The PDPA applies to all electronic and non-electronic communications that deal with data collection, processing, or disclosure within the country, regardless of whether the organization is in Singapore or not. This act requires companies to obtain users’ consent, establish a reasonable purpose for obtaining the data, and inform their users of all data processing. Violators face penalties of up to 1 million Singapore Dollars or imprisonment for up to 3 years.
The Kingdom of Cambodia, on the other hand, is yet to announce its plans on formulating a national law on privacy and data protection.
Laos (the Lao People’s Democratic Republic) has the Law on Protection of Electronic Data (2017) and the Law on Prevention and Combating Cyber Crime (2015), which contain provisions relating to the protection of personal information.
Myanmar has the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017), which prohibits the interception of citizens’ electronic communications, private correspondence, and physical privacy unless otherwise warranted by an “order.”
The Kingdom of Thailand has its Personal Data Protection Act B.E. 2562 (2019), which state agencies are implementing to protect citizens’ personal information.
Article 38 of Vietnam’s Civil Code 2015 sets the rules for the collection, storage, processing, use, disclosure, and publication of personal data.
The ASEAN adopted its regional declaration on privacy with its 2012 Human Rights Declaration. Article 21 of the declaration states that:
“Every person has the right to be free from arbitrary interference with his or her privacy, family, home, or correspondence including personal data, or to attacks upon that person’s honour and reputation. Every person has the right to the protection of the law against such interference or attacks.”
The GDPR standardizes the data protection law across all 28 EU countries and imposes strict rules on controlling and processing personally identifiable information.
It gives control back to EU residents. The GDPR ushers in better accountability and governance, as it is comprehensive and strict, and the penalty can be as high as 4% of a company’s total annual turnover.
The GDPR has provisions on the appointment of representatives, sanctions, data breach notifications, accountability, data protection officers, and individual rights, to name a few.
According to GDPR, any company performing operations on the data of Europeans or residents of the EU, irrespective of its location, must upgrade its software and servers to provide enhanced security and control to the customers.
Thus, the GDPR has significant financial implications for a company in terms of software, hardware, and the appointment of human resources for the sake of compliance.
Businesses must create internal compliance processes so that all employees fall in line with the GDPR. The representatives concerned are exposed to the legal authorities.
Companies must upgrade their offerings and projects to give their customers complete control over their data. The impact of the GDPR is visible in various industry sectors such as travel and tourism, automobiles, hospitals, hotels, offshore development centres, and the IT industry in general.
The companies must navigate costly, time-consuming, and technically challenging obstacles like facilitating “data portability,” “data storage,” “notifications,” “data control,” to name a few.
Compliance with the data privacy laws of your target regions is a keystone of trust and transparency between businesses and consumers. Many businesses struggle to identify non-compliant outcomes because they focus only on procedures that they treat as guidelines. Good internal processes alone do not necessarily improve a business’s compliance posture. Businesses must adopt a holistic, rigorous approach to compliance with the data privacy laws in their target regions.
We are talking about a cultural change, one that influences mindsets. Businesses should first understand that they are approaching an opportunity to earn their customers’ trust in this digital age. After instilling this belief, they should proactively take the following steps to ensure compliance with data privacy laws:
Email retention can protect financial information, business plans, and product details from being stolen in case of email server hacks.
A tamper-proof cloud archiving solution can help achieve just that!
In case a cyber-attack wipes out your PC, a safe cloud backup can help safely recover your mail.
In case of a lawsuit, email retention can help lawyers quickly retrieve old emails in an organized manner using eDiscovery.
Disputes are opportunities.
In case of disputes, archived emails help in reviewing the commitments and conversations to discover the truth and improve efficiency.
Organizational competence is built over discussions, information, and plans spanning long periods and requiring massive effort.
Much of this is captured in the daily exchange of email.
No matter where you are, one form or another of data protection laws, privacy laws and security laws govern the collection and use of data.
If you plan to set up a business in another country, or one that serves customers in other countries, it is best to research the laws of that country or territory that govern data and information protection. This approach ensures that you build suitable systems to protect and secure your data and saves your business the trouble of incurring penalties for non-compliance.