How to Navigate Data Protection Laws Across Borders
Every second, vast amounts of information are transmitted across the globe. The number of Google searches, Facebook posts and WhatsApp messages sent in a mere 60-second time frame is truly phenomenal. Smart Insights recently revealed that approximately 3.3 million Facebook posts, 29 million WhatsApp messages and over 149,000 emails are sent every minute. In this fast-paced digital environment, ‘data’ has thus gained considerable momentum and has become the lifeblood of today’s global information economy. With this rise in data, data protection and privacy have become vital components of business practice. According to Privacy International, recent cyber-attacks have further spurred an increase in such laws across more than 100 countries.
Data and the customer experience
The last 10 years have witnessed an upsurge in innovation, globalisation and digitalisation that has empowered people with advanced technology. This has caused a shift in global communication as more businesses move their dealings online. In fact, e-commerce has emerged as a vital driver of economic growth around the world. A survey conducted by the Centre for Retail Research showed that the online retail sector is the main driver of growth in European retailing, achieving a growth rate in Europe of 15.6 per cent in 2016, with expected increases of 14.2 per cent in 2017 and 13.8 per cent in 2018.
Alongside this revolution has come a notable shift in customer experience (CX) strategies, which most organisations today consider business critical. Personalisation strategies and functionality have become core components of many customer experience programmes. Coca-Cola’s ‘named’ bottles took the social media world by storm when they were first introduced. Amazon is also a prime example of a brand that provides customers with customised content and tailored messaging. Amazon’s commitment to personalisation has resulted in ownership of a whopping 16 per cent of the UK’s online retail market. Suffice it to say, in order to meet the customer demands of today, businesses are collecting and analysing more and more customer data.
Importance of data protection and privacy laws
While the internet is recognised as critical for the majority of economic and social activities across the globe, policymakers are becoming increasingly aware of its potential to be a source of vulnerability. The only way citizens and consumers will have confidence in both government and businesses is if there are strong data protection laws and regulations in place. Insufficient data protection can have long-lasting consequences, as it may create negative market effects by reducing consumer confidence and degrading the overall customer experience. Today, consumer protection is a fundamental right. Data protection is needed to protect consumers against deliberate acts of misuse and against the accidental loss or misuse of data.
While there are common themes and similarities across the laws introduced by different countries, there are also variations in the levels of security, requirements, penalties and even interpretations by regulators and auditors. To effectively safeguard personal information across markets worldwide, globally operating companies must understand all risks and legal responsibilities across a range of data protection laws.
Difference in global data protection laws
Among the many regions that have passed data protection regulations, the European Union (EU) has stood out for its comprehensive approach over the years. The General Data Protection Regulation (GDPR), effective from early 2018, will impact many companies doing business globally. The law impacts any business selling goods and services in Europe, specifically those that store, process or transfer any kind of personal data of EU citizens – including posts on social media, payroll processing and medical records. An organisation’s ability to transfer personal data outside of Europe is restricted under EU data protection rules, and those restrictions will remain in place under the GDPR. The regulation will revamp the way information is collected from customers and used by businesses. It is expected to cement privacy rights for 500 million EU residents and will impose substantial fines for misconduct (up to 4 per cent of annual global revenues) and a 72-hour breach notification requirement.
With Brexit around the corner, the British government has announced that it will adopt the new GDPR while the country remains in the EU and mirror it once it leaves.
Under the GDPR, Member States are given some flexibility to pass local laws and further specify the GDPR’s application. Germany, already known to have the most stringent data protection laws, is the first to do so, and more EU Member States are expected to follow soon. It is, therefore, becoming apparent that while harmonisation is the ultimate goal of the GDPR, there are still going to be some variations between Member States.
In this context, the German Federal Parliament recently adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), effective from May 2018. This new law replaces the existing Federal Data Protection Act of 2003 and is intended to adapt current German data protection law to the EU GDPR. The new BDSG is intended to protect personal data from being processed and used by both federal public authorities and private bodies. It further imposes specific data processing requirements with respect to video surveillance and to consumer credit, scoring and creditworthiness. In addition to the high fines imposed by the GDPR, the BDSG imposes fines of up to EUR 50,000 for violations of German law exclusively. Companies will further be obliged to appoint a data protection officer (DPO).
The United States, on the other hand, has over 20 sector-specific or medium-specific national privacy or data security laws, with differing laws in force across its 50 states. Additionally, a large range of companies is regulated by the Federal Trade Commission. Overall, all the states within the U.S. follow a sectoral approach to data protection legislation, where data protection and privacy rely on a combination of legislation, regulation and self-regulation rather than on government intervention alone.
France, for its part, protects the data privacy of its citizens through the Data Protection Act (DPA) of 1978 (revised in 2004), which applies to the collection of information used to identify anyone. The rules apply to anyone located in France who collects data, and to those carrying out activities in an establishment in France. In 2014, Google France was fined for failing to comply with the Act and for violating French privacy law.
China recently introduced cyber-security legislation banning the collection and sale of a user’s personal information. Firms within the country will have to store user data on servers inside China, and people will be given the right to have their information deleted. The Cyberspace Administration of China (CAC) said in a statement that the purpose is to safeguard China’s national cyber-space sovereignty and national security rather than to restrict foreign enterprises.
Australia’s less stringent laws are governed by the Australian Privacy Principles (APPs) – a collection of 13 principles guiding the handling of personal information. Companies are required to manage personal information in an open and transparent way, and to maintain an up-to-date privacy policy describing how they manage personal information.
How can companies cope with global disparities in data protection?
A recent Veritas survey of over 2,500 senior technology decision makers noted that individuals responsible for implementing a GDPR process also face a variety of risks if data is not handled properly. The survey showed that close to 40 per cent of companies were fearful of a major compliance failing within their business, and just under one-third (31 per cent) were concerned about reputational damage from poor data policies. Given the already existing variations in implementation, companies will need to focus not only on the GDPR itself but also on national law as they prepare their compliance efforts. Given that the UK has one of the largest economies in the world, it is undeniable that these strict laws will have an impact on global business operations.
In order to continue executing superior customer experience strategies that mirror today’s demands for personalisation, decision makers must be mindful of the differences in data protection laws across markets. In practice, the first step towards successful compliance will be for businesses and their respective decision makers to know where their information resides and from where it is being accessed. For companies with different office locations, the challenge will be working out which part of their data these changes apply to and determining which information currently residing in branches will have to be centralised in a geographical location compliant with the law.
Global and local businesses alike must ensure that any form of customer data is collected and stored in compliance with each country’s data protection laws. One example of this in practice is Pearl-Plaza using cloud data centres to enable the secure storage of customer data for European clients.
Furthermore, it is important that businesses allocate resources and educate themselves on the steps needed to comply with future regulations. Conducting comprehensive risk assessments in 2017 can help companies identify and fill gaps in existing data protection programmes. It is important to understand that some may need a full year to remediate, implement and test compliant procedures and policies, which may even include the purchase of new technology.
Finally, companies marketing to customers and prospects across borders must use this year to monitor continuing global legislation, enforcement activity and litigation, particularly regarding the interplay between telemarketing, email marketing and text message marketing on the one hand and data protection laws and regulations on the other.