In recent years, a huge number of differing privacy laws and data regulations have been introduced. For businesses acting globally, it’s crucial that they understand what each one means and how they vary. Companies with a multi-national presence are required to operate within the scope of the various pieces of legislation and policy in force in each sovereign domain. In our increasingly digital world this is difficult to keep on top of, as technical boundaries and sovereign boundaries rarely coincide.
Separately from this, much of the privacy and data regulation puts the protection around the individual and their right to govern where their personal data is kept, by whom, and how it is used. These laws show that people and their data are a single, growing entity in today’s world, where the individual has many complex, multi-faceted digital versions of themselves.
So, as a business, what do you need to know? Truthfully, the list is endless, but understanding how other data regulations, such as the New York Privacy Bill (NYPB), Australia’s data privacy regulations and Singapore’s Personal Data Protection Act (PDPA), differ from the EU’s GDPR is a good first step.
New York Privacy Bill
One of the differences between the NYPB and the GDPR is the level of protection expected for employee data records. While the latter covers all personal data belonging to any EU citizen, the former’s focus on ‘consumer’ data means workers aren’t included in the wording. As such, HR teams based in NY State don’t have to secure employee records with the policies and measures afforded to customer information.
Australian Consumer Data Right (CDR)
On the other side of the world, Australia’s new data protection law, the Consumer Data Right (CDR), came into force earlier this year. Australian organisations that suffer a data breach have to notify the local data authority – the Office of the Australian Information Commissioner – as well as the affected individuals, if there is a potential for serious harm. Where this differs from the UK is that, instead of the short 72-hour notification window provided by GDPR, Australia’s Privacy Act gives firms 30 days to assess the gravity of the breach before reporting it.
There are also discrepancies between the two regimes around consent. The Privacy Act references two types, ‘express’ and ‘implied’, while GDPR only recognises the former. Therefore, businesses operating across both regions should look to standardise their consent collection processes to ensure compliance with both regulations.
Singapore’s Personal Data Protection Act
As under the GDPR, local citizens who want to check what data a company holds on them can request access; however, the organisation can charge a ‘reasonable’ administrative fee. More worrying for Singaporeans is that the PDPA doesn’t contain any wording around data breach notifications.
There has unsurprisingly been much pressure on the government to change this, and in May 2019 guidelines were launched stating that organisations are expected to take up to 30 days to complete an investigation into a suspected data breach, and to notify the authorities of the incident within 72 hours of that assessment. But these are only guidelines currently, and it’s completely up to the offending organisation whether it discloses or not.
Keeping an eye on the ‘Big Five’
Google, Amazon, Facebook, Microsoft and Apple are the five biggest tech companies in the US. Their power, individually and as a collective, is staggering. As of January 2020, Google parent Alphabet reached an £800 billion ($1trn) market valuation, pushing the total value of the five biggest tech companies to a record £4 trillion – similar to the GDP of Germany, the world’s fourth largest economy.
These five companies slurp up and transmit data in almost all its forms: from the obvious, like web services, image recognition, online communications (including messaging and email) and business IT and cloud infrastructure, to the not so obvious, such as driverless cars, artificial intelligence, database services and cybersecurity. What’s more, data is also transmitted through the lesser-known high-performance computing, core internet infrastructure and data communication networks, including satellite, fibre optic and Wi-Fi. It’s evident that data, services and infrastructure can power commerce and an economy. This all happens within the bounds of the US, where the legislation and bills around privacy and an individual’s rights are some of the strongest in the world.
The power of data
For businesses, differing data regulations are notoriously complicated in a digital world where technical and sovereign boundaries can seldom be overlaid. This affects a number of data-driven areas including supply chain management, cybersecurity, business intelligence, fraud detection, compliance, finance and account management.
For the individual, privacy laws recognise the concept of data equity: built up over the course of a natural life and the property of the individual. At a national level this data equity turns into a sovereign asset, one that must be carefully protected, but also one that drives commercial activity and technical innovation, and thus the economy. It is no coincidence that the US is the country with both the world’s largest amount of data and the largest GDP, at £16.36 trillion.
Every day we are seeing a rapid growth of digitally oriented legislation. The power that data holds is immense, which is why regulating it is so important. With each country having its own slightly different rules, businesses must make sure they have a good understanding of the regulations wherever they choose to operate. Failing to comply also means failing to reap the benefits of data, and ultimately facing the consequences of breaking the law.
By Martin Rudd, CTO of Telesoft