Most mid-size to large companies now have a global presence and a requirement to share data with suppliers and customers across borders. As such, they face a growing body of international regulation on data sharing. A study by Thomson Reuters highlighted that 69% of firms expected regulators to publish more information on data privacy compliance in the coming year, with 26% expecting ‘significantly’ more.
Next year, the European General Data Protection Regulation (GDPR) brings increased compliance demands for the security and privacy of Personally Identifiable Information (PII) that cover every European country, including the UK. The financial penalties for cases of non-compliance will be substantial fines up to €20,000, or up to 4% of the organisation’s worldwide annual turnover for the preceding financial year, whichever is higher. There is also the significant cost of the new GDPR requirement to hire data protection officers – 28,000 in total worldwide, according to estimates from the International Association of Privacy Professionals.
In a global legal context, GDPR represents a drastic increase in regulation, policy, rulemaking and fines surrounding global data management. Global organisations that handle the personal information of EU data subjects must comply with GDPR restrictions on the transfer and processing of such data. US companies will need to certify as Privacy Shield compliant and subject themselves to oversight of US Federal regulators and European regulators after they certify.
Factors driving the need for improved data sharing
A broad range of factors is driving the need for better data sharing. Big data trends range from the explosion of data, through to the increasingly sophisticated discovery and analysis technologies that may be applied to structured data such as that held in databases, and unstructured data stored in audio or video format, SMS and social media. Data is also shared to meet the needs of sales, marketing, information governance programmes, regulation and compliance needs.
As data sharing becomes increasingly business critical, particularly across borders as firms seek to compete globally, legal professionals face a maze of international principles of data sharing. There are a number of practical steps they can take to reduce the risk of regulatory or compliance issues:
- Map current data collection activities. Map what data you hold, where it comes from and with whom you share it. The UK Information Commissioner’s Office (ICO) advises that at this point you identify your legal basis for carrying out data processing and document the legal basis on which you may come to rely. The ICO has produced some useful guidance for carrying out privacy impact assessments.
- Appoint a data protection officer. This is not a legal requirement in every sector, but it is a sensible step to have a named person to take responsibility for data protection compliance. At the same time, make sure that managers and leaders are aware of changes in the law and their responsibilities when it comes to sharing data.
- Demonstrate compliance through record keeping. Implementing policies and procedures around data compliance is vital, but so is demonstrating that you have actually followed them. Record keeping helps easily verify for regulators that you have followed your own rules for data management. Check also that you are deleting records as appropriate. It is important to be able to discover data on demand, for example to handle a subject access request within limited timescale. You must be able to provide data promptly and in a commonly used format to anyone who makes a legitimate request for it.
- Review consent and fair processing notices. It is necessary to obtain clear consent for retaining and processing a person’s data – and it is quite likely that existing consent and fair processing notices do not go far enough to comply with the incoming GDPR.
- Carry out thorough vendor security and data audits. The right data discovery and data review partner can help businesses get many of aspects of international data sharing right and smooth the path to compliance. Compile a list of pertinent questions to ask suppliers to check where possible compliance gaps may be when it comes to data sharing. What do they know about the principles of ‘data protection by design’ that are at the heart of GDPR? What procedures do they have for detecting, reporting and investigating a data breach?
Businesses need to find a discovery vendor that takes their data privacy issues as seriously as they do. Make sure that your discovery vendor is a leader in the data privacy sector and is as compliant as your business needs to be. Vendors should be Privacy Shield certified and should be able to withstand the same level of audit and scrutiny as the business when it comes to handling data.
Complying with global regulations around international data sharing is a major headache – and budgetary overhead – for large and complex organisations. Data protection has become a board-level issue – the risks of getting it wrong threaten the viability of the organisation, while getting it right can bring massive benefits in terms of efficiency and competitiveness on the global stage.
David Wallack (pictured top right) serves as global privacy and discovery counsel at NightOwl Discovery, where he provides the company expertise in legal matters related to providing global e-discovery services. His areas of practice include corporate transactions, privacy laws, cross-border data regulations, strategies for outsourced complex litigation, information governance, and broader organisational risk management.
Adam Rubinger (pictured above right) is the director of discovery management for NightOwl Discovery. He has more than a decade of experience and proven leadership in litigation support and information governance, as well as managing large-scale electronic discovery projects. Rubinger consults on high profile client engagements for many of the nation’s top 200 law firms and Fortune 500 corporations. He brings expertise in the areas of computer forensics, electronic discovery and IT security.
For further information about NightOwl Discovery please visit: http://nightowldiscovery.com