Yes, the laws most certainly do apply to your business. HereÕs what you need to know.
Any business with an international footprint needs to pay close attention to data privacy compliance. Even seemingly innocuous mistakes can be costly.
Although the global regulatory frameworks are indeed complex, you will be able to navigate them with the right support. The most important first step is simply realizing overseas data privacy laws most certainly do apply to your organization.
To become compliant, and indeed maintain this position, there are very specific steps you must take to keep your business and yourself out of trouble.
In this piece, weÕll discuss:
- Why should you care?: WeÕll review some of the most common penalties and punishments, and where they are the most enforced, not just across large corporations but also small businesses.
- International nuances: There is no single global data privacy framework; laws vary by country or region and understanding the vast differences is a gamechanger in your ability to take the right steps to be compliant.
- The two-part attack: This is a clearly laid out plan for what your organization needs to do to 1) get to compliance, and 2) maintain compliance year after year to meet ongoing obligations and keep up with changing regulations
- HSPÕs Word to the Wise: HSP GroupÕs own Data Protection Officer has prepared global data protection advice for 146 countries around the world and was involved in the creation of the UKÕs data privacy framework. WeÕll share our hands-on experience and advice.
Why should you care about data privacy compliance?
Compliance and data privacy are global trends that require companies to put more time and money into protecting data. These laws are all about the rights of a countryÕs citizens Ñ their rights as individuals, their right to privacy and their right to control how their personal information is used.
This isnÕt just data collected about your customers, but also of your own employees and contractors, so your HR departments will be tasked with managing documents and information throughout their life cycles. And, unfortunately, companies are also on the hook for data processing of all third parties you contract with Ñ a fact that may come as a surprise to many.
Do these questions apply to you?
Before we turn the spotlight on specific countries, letÕs focus on the data privacy laws that affect the EU and the UK. If you answer ÔYesÕ to any of the questions below, your company is required to be fully compliant with all of the EU and UK data privacy laws.
- Do you have employees or contractors in the EU/UK?
- Do you sell goods/services/technology to the EU/UK?
- Do EU/UK citizens visit your website?
- Is your marketing team monitoring behaviours of people in the EU/UK?
- Does your sales team respond to RFPs etc. from the EU/UK?
- Do you contract with vendors or third parties who do any of this?
To summarize, if you collect info from EU residents, youÕre subject to the whole of the requirements even if you have no entity in the EU or anyone working for you there.
What to keep in mind about compliance
When interacting with individuals in other countries, itÕs mission critical for companies to consider the local data position. The financial penalties for non-compliance can threaten to sink any business and the sanctions under many of the data protection regimes globally are penal. _There simply is no Ôpartial compliance.Õ
Keep the following in mind:
- Most countries issue fines based on an organizationÕs global revenue Ñ in the EU or UK, fines go up to Û20 million or 4% of global revenue, whichever is higher. In Brazil, itÕs $9 million and 2% of global revenue for each infraction. This is regardless of whether a company has any revenue overseas at all or even a physical location.
- Your companyÕs directors can also face personal sanctions. Right now, there are many Canadian directors being prosecuted under the EUÕs data privacy laws in Canada.
- And finally, when you think about your exit strategy, as part of a purchase process, the purchasing company contracts companies like HSP Group to do due diligence on your organization to make sure itÕs properly set up and doesnÕt carry risk. That risk includes data protection risk. So, if your company intends to be part of a sale, IPO or buyout, there will be massive amounts of due diligence performed which, in turn, will affect your valuation.
Does company size matter?
From what we have seen so far, the regulatory bodies are working tirelessly to ensure no one who is above the law. Here are just a few of the sizable fines issued by European governments recently:
Amazon Ñ $847 million from Luxembourg Ñ for the improper processing of customersÕ personal data and targeted advertising without proper consent.
H&M Ñ $41 million from Germany Ñ for making recordings of mandatory back-to-work meetings available to managers across the organizations without securing the consent of the attending employees.
TIM Ñ $32 million from Italy Ñ for a series of offenses, including regular calls to non-customers, many of whom were already on ItalyÕs do-not-call list. The aggressive marketing tactics of this Italian telecommunication company affected a few million individuals. (One person reportedly received 155 times in one month.)
British Airways Ñ $24 million from the UK (originally $210 million but reduced due to the impact of COVID-19 on the airline industry) Ñ for diverting user traffic to a hacker website for two months where 400,000 customers had their personal data stolen. BA had the proper policies in place, but when a cybersecurity attack led to a breach of UKÕs laws, the company had no way of tracking it.
Size doesnÕt matter
So, yes, fines are being issued, but will regulators really pay attention to a small business? If you fall into this category, know this: fines for small businesses make up the majority of the cases. Here are just a few examples:
Lifestyle Marketing, Mother & Baby Ltd._Ñ fined $172,000 for reselling the personal information of subscribers without their consent. The subscribers had signed up to receive free advice on pregnancy and childcare.
Tax Returned Limited_Ñfined $245,000 for sending millions of unsolicited marketing text messages.
DM Design Bedrooms Ltd._Ñ fined $196,000 for making 1.6 million unsolicited calls to people registered on the UKÕs Do Not Call list.
Secure Home Systems_Ñ fined $98,000 for making unsolicited calls to numbers obtained from a third-party list they purchased but did not screen to see if they had consent attached.
International nuances: Global data protection laws
Just about every country in the world has some form of data protection laws and they vary widely across borders. Over the last 10 years, international requirements have tightened, especially for foreign entities.
LetÕs take a closer look at the data protection laws in four large markets:
The General Data Protection Regulation (GDPR) is the Ògold standardÓ for data protection worldwide. GDPR was passed to strengthen data protection for individuals and unifies data protection across EU member states._ Referred to as UK-GDPR, the UK has adopted laws that are almost identical to GDPR._
China has had data privacy laws for some time but introduced in November of 2021 the Personal Information Protection Law (PIPL). If you are collecting data from individuals in China to sell goods and services to Chinese residents or to analyze their behavior, you will need to comply with these complex laws.
Under the new law, individuals of companies can be held personally liable and personally fined. If a US company is found to be in major breach and assigned a large fine, China may decide to hold the Head of Human Resources, the CFO, or Head of Compliance responsible with personal fines going up to $150,000.
The fairly low threshold for violations can lead your directors to be held criminally liable, which, in a worst-case scenario, could result in up to seven years of prison. Although thatÕs definitely not common, the PIPL can enforce this.
For that reason, we advise our clients in countries with such laws to ensure they have sufficient cybersecurity insurance for their entities, and also personal Directors & Officers Insurance for their senior staff. You should also keep in mind that, just like in Russia, companies must work off Chinese servers.
LGPD is a comprehensive framework that aligns broadly with GDPR. It consolidates more than 40 different regulations currently in effect. If you are collecting or processing data in Brazil or the data is processed for the purpose of offering goods and services to individuals in the country, the laws apply even if you have US headquarters. The enforcement and penalties started just six months ago.
In Brazil, every organization is required to have a Data Protection Officer. The officer doesnÕt necessarily need to be a ÔpersonÕ but a company, committee, or outsourced to a third party. Fines for non-compliance are up to 2% of revenue or a total maximum R$50 million per infraction._ Note: In Latin America, Colombia has separate laws specifically for financial institutions, including FinTechs, focusing on financial data protection, like credit.
In Mexico, The Federal Law on the Protection of Personal Data has been around longer than GDPR, but take note Ñ the law is not well defined and enforcement with real consequences is rare. ThereÕs also a gap in the law related to legitimate interest. At this point, there are no plans to change the federal laws to make them more enforceable.
Instead, the task falls on states to create laws to protect data. Mexico City has passed some new laws, but it remains to be seen how the federal government decides to regulate data privacy accountability._
That brings us to the two-part attack. Growing your company internationally is complex Ñ and now the list of things you need to consider also includes data protection and privacy compliance.
Get to compliance
- Assessment: Bring in experts to perform a comprehensive assessment of your organization to fully understand the rules you need to comply with in different countries based on your current or anticipated business activities.
- Action: Based on the assessment, the experts will map out the specific policies and procedures that need to be created within each privacy framework that you need to comply with and, then, create them for you.
As a general rule, youÕd be wise to leverage the help of industry experts to handle these steps. Questions that need answers include, for example:
- How will you actually report data breaches?
- Which vendors do you have today that sub-process personal data?
- How do you plan to update the contracts with these sub-processors to include the necessary language to ensure they are also compliant?
All of this needs to be circulated among your staff who will need training as many of your departments will have to incorporate these procedures into their day-to-day work.
To maintain and monitor compliance, you need to adopt the right infrastructure to:
a) log breaches;
b) track ongoing training requirements;
c) act as a database to store the policies;
d) track all of the above not just for your company but for your third parties who are sub processing personal data;
e) assess regulations annually as they change.
Do you know the required documents?
There are a number of documents that make up the policies youÕll need to create. LetÕs take a look at the some that are required under GDPR:
Policy 1 Ñ FPN
- Fair Processing Note (FPN): This is usually a detailed 10-page document that notifies your employees or contractors what data will be collected from them and why. If the data will be sent to a subprocessor like a payroll provider, that is also detailed. It doesnÕt need to be signed or agreed to Ñ itÕs just ÔservedÕ to the employee, usually by email.
Note: There are different versions for employees and contractors and it also varies between the EU and the UK.
You should also be aware disgruntled or newly fired employees/contractors are responsible for 75% of data complaints. They sometimes seek out an employment lawyer and start a phishing expedition to see what they can get.
Policy 2 Ñ Privacy
Policy 3 Ñ Data privacy
- Data retention policy: Retention is about how long you can or should keep data until you return or destroy it. The law says data should not be retained for longer than Ôreasonably necessary.Õ Some data should be retained longer than other data.
- Tax authorities: Most countries in the western world have tax authorities that require you to hold onto financial records about employees and contractors for a considerable amount of time (usually 10 years).
- Job interviews: If you are interviewing six people for one job, you canÕt immediately dispose of the resumes of the rejected candidates. The resumes should remain in your system for six to 12 months.
A cautionary tale
The National Health Service (NHS) is the largest employer in the UK with around 1.5 million employees. And, as this story illustrates, it also has a horrible track record with GDPR.
When one of the largest hospital trusts in the UK decided to dispose of microfilms that included the written medical records of 20,000 people, someone thought it was appropriate to toss them into a trashcan in the corner of a room. That night, the cleaners dumped the films into a larger bin to be collected in the morning. The trash collectors found the stack and alerted the Sun (the largest tabloid in the UK), which made sure the story reached its 8 million readers. The trust was fined millions of dollars.
Word of the Wise
Data privacy compliance should be baked into the DNA of a business, because it will affect your international strategy and operational structure. Getting to compliance is far from an impossible task. In fact, it doesnÕt have to take years or eat into your profits. All it requires is some careful planning.
So, final word:
- Hire experts who know what theyÕre doing.
- Let these experts a) assess your exposure internationally b) create the policies and procedures you need to become and remain compliant c) determine the needed level of cybersecurity insurance and D&O insurance coverage.
- Leverage the right infrastructure (technology solution) to log privacy breaches, meet training requirements, act as your policy database, and log/track your third parties (sub-processors).
We are here to help
Do you have questions for us about data privacy compliance and our corporate compliance services? Helping you successfully grow your business internationally is what we do. If youÕd like to watch a presentation of all of the above, make sure to tune into this recent webinar on ÒExpanding Globally Ñ Know Before You Grow.Ó
Please contact us at email@example.com.