This series of posts presents a survey of the privacy regulations that you’ll need to understand in order to protect your business. We’ll look at the most significant nations and also provide you with the necessary resources for you to dig further on any specific country of interest.
As you read this, a slew of nations and U.S. states are working on digital-privacy regulations that will have a huge impact on your business. What’s more, these regulators work independently of one another, which is to say that regulations implemented by one government may not look the same as those implemented elsewhere.
What’s a business person to do? Get educated, of course! That’s why the Reference Desk exists.
But before you plunge into the country-specific regulations on privacy, you’ll need to answer one question: What business are you in? This is not an “industry” or “sector” question. You need to know exactly what your business is from a data-privacy point of view: what personal data you handle, and why.
For example, if your business collects personally identifiable information (PII), it doesn’t matter whether you’re a widget maker, a dating service, or a trucking company. The fact that you collect PII is enough to tell us that you’re likely under regulatory scrutiny from someone, somewhere, and that you need to address this.
You might argue that there is no business that does not collect PII. How can you be in business and not collect some personally identifiable information? How do you bill your client? Obviously, you have the client’s PII.
You are right! We all collect some form of PII in the course of doing business. For that matter, we collect PII even if we’re not doing business with someone. If you meet someone at a networking function and exchange cards, you just exchanged PII.
Wait, does this mean we’re all liable under God-knows-how-many different privacy statutes? If a phone gets stolen, is the owner liable under some privacy law for all the stored contacts?
On an individual basis, the answer is generally no. Privacy statutes are written to regulate businesses and organizations, and individuals are not prosecuted under them for the contacts on a lost phone. However, in the United States you could be sued for negligence or breach of fiduciary duty in civil court (if you were storing obviously sensitive data for others, e.g., medical or financial records of friends or relatives). Even in those cases the plaintiff’s burden of proof is significant and varies from jurisdiction to jurisdiction. To be safe, you need to be able to show that you took reasonable steps to protect the equipment on which you store PII.
As a business, on the other hand, your liability—including personal liability—is very different. Regardless of the type of business, and regardless of the volume of PII collected, the expectation is that you will be able to prove that you’ve taken reasonable, prudent steps to prevent unauthorized access. You must also demonstrate that you took immediate action in the case of a breach: notifying those affected, notifying the appropriate authorities, and taking all the steps necessary to respond to the incident. More on that in later chapters, as we develop a privacy-centric incident response plan.
So back to the “What business are we in?” question. You need to know the volume and type of PII that you collect, store, and process (put more simply: what kind, and how much). You will also need to know how long you keep this data and how it will ultimately be disposed of.
You need to perform this exercise region by region, wherever you do business. Then, you need to assess any privacy laws that apply to your specific industry. Are you in health care? Are you working with children’s PII? Are you in financial services? Many industries, in each geography, have their own regulations governing privacy and data security on top of the general ones.
What’s more, your business is affected by privacy regulations on a few different-but-related fronts: data at rest (storage), data in motion (transfer between systems or parties), and data in use (processing). When it comes to compliance, you’ll need to consider all three stages in the “life” of the data your company collects, from the moment it is gathered to the moment it is disposed of.
Sounds like a maze? You’re right, it is—and we need a way to navigate it. To find your way through this labyrinth of regulations, you’ll need to take ownership of this issue and partner with the right professionals both inside and outside your company. To do this, you’ll need to get familiar with the regulations that apply to your firm, based on your location, industry, business size, and the data you exchange with other parties, and then apply that knowledge to a privacy-by-design cybersecurity program.
Can you do this? You bet. You’re already on your way by reading this.
Our journey will start in the United States. Pack lightly, we’re doing this with only a carry-on.