Business opportunities are increasingly arising overseas, whether you’re a fledgling start-up or a Fortune 500 company. As you venture into the larger world, it’s worth remembering that at last count, over 80 countries had adopted data privacy laws. Laws and local attitudes about data privacy may differ sharply from business as usual back home, wherever home is. Here are some of the common misperceptions about what data privacy compliance is and isn’t.
1. Business Data and Documents are Not Personal Data.
Neither “privacy” nor “personal data” is necessarily about your personal life – in many countries, personal data is any data that can be used to identify an individual, even indirectly. And in some countries, company names are considered personal data.
2. Public Data Is There To Use.
Depending on the country, data published by a public body, or personal information posted by an individual on a public forum, may not lawfully be collected or reused by a third party. Public availability does not by itself make the data free to use.
3. We’re Compliant – We Have An IT Security Policy.
Perhaps you’re subject to SOX, or you voluntarily apply SOX-style control mechanisms. But meeting those controls does not satisfy many countries’ requirements for securing personal data, which are a separate set of obligations.
4. We’re Compliant – We’ve Got Everyone’s Consent.
Some laws do rely heavily on individual consent. Others treat consent as insufficient or even invalid on its own. And the trend is not uniform: as the Asia-Pacific region increasingly adopts consent-based laws, the EU is moving away from consent, especially for employees.
5. We’re Compliant – We’ve Got A Privacy Policy.
Although having a policy is always a good idea, in many countries it’s not a requirement. What’s a nearly universal requirement is putting individuals on notice. And chances are your “policy” is too detailed on some points and too general on others to constitute appropriate notice in all regions of the world.
6. We’re Compliant – We’re Following The Law.
Perhaps you’ve set up a SOX whistle-blowing hotline, or you’re conducting OFAC screening, cooperating with the FSA, turning over documents to your home office’s financial services authority, or responding to discovery requests. Each of these can involve collecting or transferring personal data in ways the local privacy law does not permit, so complying with one law can put you in direct violation of another.