There’s no question: Data today is increasing at an exponential rate, and with it, so are data protection laws worldwide.
Not only is data increasing, but it is changing — growing in variety and velocity. EMC Corp., which conducts data analysis, believes the world’s information is doubling every two years. It is also flowing in and out of organizations at an unprecedented pace, posing new challenges in data governance.
In 2013, global risk consulting firm Control Risks commissioned a survey on legal executives’ attitudes toward data protection. More than 300 general counsel, senior level corporate lawyers, and compliance heads worldwide responded.
Not surprisingly, as data protection laws continue to increase on a global scale, many corporate executives now rank them as a top concern, the survey showed.
The majority of respondents (67 percent) expected the increase in global data protection laws to have an impact on their business. Survey respondents said they are concerned that regulators and political bodies are becoming stricter in enforcing data protection laws and that they are worried their organizations may inadvertently violate one of the many different data protection laws that exist.
Data protection is a complex issue for organizations, and global companies are particularly vulnerable. Keeping abreast of new laws and the regional nuances of regulations in all the countries where the company has operations is hard. In the event of an investigation, where data needs to cross borders, it is easy to fall foul of one set of regulations whilst trying to meet the requirements of another. Ensuring compliance across various legal jurisdictions takes comprehensive planning and management, particularly when facing an investigation.
Take the European Union (EU), for example. It is not only particularly strict when it comes to defining and enforcing data protection laws, but it also is a complex region due to the number of nations that have slightly different regulations. In October 2013, members of European Parliament voted on new laws, including one that would impose fines of up to €100m or 5 percent of annual worldwide turnover if companies breach the rules. Vice President Viviane Reding, the EU’s Justice Commissioner, has made it very clear in recent interviews that she wishes to see the EU’s already high level of data protection become the ‘gold standard’ for the rest of the world.
Other jurisdictions pose different problems. In China, for example, the vagueness of data privacy and state secrecy rules means it is hard to get advice that matches the reality of a given situation.
Navigating China’s data laws is perilous, especially when it involves moving data out of the country, because what is considered open economic information elsewhere may be deemed a “state secret” in China, and moving such information out of the country can bring massive fines. Even transferring it from the mainland to Chinese regions such as Hong Kong or Macau can trigger problems. Simply being in possession of such sensitive data can be incriminating.
Along with recent high profile Chinese investigations, a lot of press attention, justifiably, has focused on the National Security Agency spying on EU nationals (among others) and Google’s reported noncompliance with Europe-wide data protection rules. However, there are less sensational concerns that most businesses need to consider with regard to data protection. Those include how organizations manage transferring data across borders during the course of normal business and what to do when they face contentious matters such as legal disputes or internal or regulatory investigations.
Dealing with data when a litigation action or an investigation occurs is in itself a complex problem. Companies must ask themselves the following critical questions: Where is the potentially relevant data? Does it exist in multiple locations such as servers and laptops? Are these locations in different legal jurisdictions? Does the business have trusted relationships in place with organizations to manage the harvesting of this information? Are there litigation hold procedures in place and email/social media usage policies? How will the data be reviewed and searched to determine the strength or weakness of the company’s position? Will discovery/disclosure be necessary? Unless an organisation is clear on this information, it will take longer to conduct an investigation and the cost of doing so will be significantly higher.
But just understanding the nature and scope of the data isn’t enough; a robust and comprehensive response plan for managing an investigation should also be in place. If a company is at fault in how it conducted itself, applying for leniency and demonstrating cooperation with the regulators is critical. But an organization can only do this effectively if a response plan — especially one that includes how to deal with personal data and cross border data transfer, particularly in multinational organisations — is in place.
In seeking to minimize the potential exposure to risk resulting from noncompliance with the data protection laws around the world, knowing and understanding the various regulations is just a first step. The second step is having an understanding of one’s own data in the context of these laws — i.e. what they say about how an organization’s data may or may not be handled. The first step is essential to ensuring and enabling the second.
The survey indicates that some organizations have not taken at least one of these steps. Those that have will more easily manage any disputes or investigations that may arise. Not only will they be able to react more nimbly, but they also are less likely to run afoul of the law in doing so. But even these proactive entities should bear in mind that data protection laws and one’s own data-flows and infrastructure are frequently moving targets.