Data is a valuable asset for all companies, regardless of the sector, market, product or service. All companies hold increasingly large and complex sets of data about individuals in some capacity, whether it relates to consumers, users, customers, vendors, or employees. Meanwhile, the number of different laws and regulations across the world that in some way govern how this information is handled by companies has dramatically increased in recent years. What does this mean for US companies looking to expand into new markets outside the US?
Just as there is a patchwork of laws that relate to personally identifiable information used in different industries and circumstances across the US, there is a myriad of laws covering this topic across Europe and Asia. As a company expands into these markets, either by targeting consumers or selling services to businesses in a new country, or by establishing a physical presence, it’s important to consider what requirements relating to data may be applicable. This is particularly so when it comes to the privacy rights of individuals in relation to that data. In some countries, there are very prescriptive requirements or sensitivities. The way that a company approaches the assessment and management of these issues will ultimately have an impact, either positive or negative, on the success of a business.
Regardless of the country or region into which a company is expanding, the company needs to have a thorough understanding of the way that its product or service will collect and use data that relates to an individual. The company should identify and assess the various types of data that it holds, the extent to which the data are essential to the provision of its product or service, and how the information is used, including whether it is used for marketing purposes or shared with third parties. This requires talking to designers, engineers, developers, HR teams, IT specialists, and marketers. It is important to create a map of international flows of data and the role of key vendors, as well as of the security measures and governance structures that may already be in place. All of these issues are important in assessing the extent to which local data privacy laws apply to a company.
Since May 2018, the main data privacy law in the European Union has been updated and harmonized (to an extent) via the General Data Protection Regulation (GDPR). The GDPR requires companies to take a number of measures to ensure that information which identifies an individual located in the EU is processed fairly, transparently and securely. The GDPR also applies to companies without any physical presence in the EU if they are offering goods and services to individuals in Europe and/or are monitoring their behavior.
As well as requiring companies to use privacy notices and policies to convey relevant information about the way they are collecting and using personal data, the GDPR also means companies must carefully assess why they are collecting data, not collect more information than they need, keep the data accurate, and not retain it for longer than is necessary. Individuals have extensive rights under the GDPR, including the right to access and delete their data. Companies must also ensure that they meet the requirements applicable to any data transferred outside of Europe and impose specific obligations on their service providers and vendors. But it’s not just the GDPR: there are other applicable laws covering security and data used in specific contexts, such as marketing, which must be considered.
In Asia, there is also a variety of laws focused on data privacy. With less consistency of approach than in Europe, it is important to have a comprehensive compliance strategy in place. Some countries have laws that are very detailed and include concepts and requirements which are relatively aligned with the GDPR, such as Australia, Japan and Singapore. Others have laws that are less developed and harder to apply in practice. In many countries there are also sector-specific laws, for example in financial services or life sciences. And while the regulatory focus in some countries is on the privacy of personal data, other countries focus more on security requirements and data localization, which may require changes to the infrastructure that a company has in place.
To avoid falling foul of the complex patchwork of data privacy regulations, a company should have a clear idea at the outset of how it collects and uses data, and where it will focus its expansion or business operations, so that the laws of the relevant countries can be considered and applied.