The Privacy Laws Landscape across the Globe is rapidly changing.

Executives in Indian Companies (large and small) often see privacy terms thrown at them (GDPR, CCPA, CPRA, DIFC Data Protection Law, PDPA, Australian Privacy Act, 1988, etc.) and wonder whether these even apply to them when they set out to build a global business from India!

It is natural to be confused. When these Laws are found applicable, it could look like merely creating or updating a Privacy Policy on a website. In reality, first comes the review of the legislation, then allocation of budget, then putting together a team, including Privacy Experts, to implement and remain compliant, followed by alignment of practices across departments with the requirements of the Laws, and finally, communication to stakeholders and employees about staying in compliance.

We will discuss each of these steps in detail in later blogs.

It does not help much that the News remains abuzz with regular incidents of major Companies being slapped with fines due to non-compliance.

Therefore, the operational burden, combined with the fear, makes decision-making tougher.

Unfortunately, with such a handicap in decision-making, companies often decide to:

Be Compliant in haste, or Be Compliant Later, or Merely Look Compliant (by updating the Privacy Policy).

So, is there a better way to make this decision? 

Even though there is no shortcut to Compliance, the initial decision-making need not be tough.

Let us read into the applicability of GDPR and CCPA, two of the most recent Laws, and find where their applicability converges.

Stay with us as we sail through the jargon next.

Two aspects govern whether GDPR applies to an Organization: Material Scope and Territorial Scope.

Art. 2, which states that the regulation is applicable if an Organization is handling Personal Data, defines Material Scope.

Art. 3, which states that the regulation is applicable if an Organization has an establishment in the European Union, or offers services to data subjects (owners of the data) or monitors the behavior of data subjects (we will discuss what monitoring means in later blogs) who are based in the European Union, or in areas governed by the European Union by virtue of Public International Law (e.g. Consulates), defines Territorial Scope.

Under the CCPA, applicability to an Organization is governed by the presence of the Organization in California or its handling of Personal Data of California Citizens, depending on a threshold requirement (more on this in later blogs).

So, when we break down the Legalese, it is your Organization's “footprint” along with "access to Personal Data" that matters significantly in deciding applicability.

So, coming back to the point: when you encounter that sudden surge of chatter in the office, you can fall back upon the following steps for initial clarity.

Situation 1: You do not have a Privacy Program yet.

Ask. Quickly ask your external-facing teams, e.g. Demand Generation and Sales, to confirm the countries where your customers are present. Ask your internal-facing teams, e.g. HR, Admin and Finance, where your Employees or Vendors are present or deputed, and ask IT where your cloud service provider stores the data. These are all the places where you have “footprint”.

Check. Google is your best friend here. Quickly check if these countries have a Data Privacy Law. You may also check here.

Decide. Note down the Countries where you have a “footprint” and "access to Personal Data". It is likely that your Privacy Program needs to cover compliance with the Privacy Law in such a country.

Situation 2: You have a Privacy Program, but you are moving your Sales focus into a new country or you hear a new Law is on the horizon (psst… you are likely hearing about that new Law in Dubai now).

Check. Quickly check if the countries where you are building “footprint” have a Data Privacy Law. Google it, or you may also check here.

Decide. While building “footprint”, would you have "access to Personal Data"? If both are true, it is likely that your Privacy Program needs to cover compliance with the Privacy Law in such a country.

Most Indian Companies are highly likely to have “footprint” and "access to Personal Data" transcending India.

Quick decision-making could help you chart the path forward and allocate budget before you connect with an Expert to create or update the Privacy Program.

We presume you do not want to just “Look Compliant” by updating the Privacy Policy.