Nearly every business with a website collects some form of information from its visitors. It might ask for email addresses for newsletters and sales emails, or it may take down someone’s physical address for shipping. Whenever a business collects information electronically, that business needs to protect its customers’ privacy. It’s not just customers, however; businesses also have a moral and legal obligation to protect the private information they collect on their employees. That is why the European Union will begin enforcing the General Data Protection Regulation (GDPR) on May 25, 2018.
Everyone who runs a business needs to understand the data protection regulations of each country in which they do business. Read on to learn more about how GDPR and similar laws can affect your global expansion.
How General Data Protection Works
While the moral duty to protect private information should be enough to motivate everyone to keep private data safe, the existence of data protection laws shows that moral pressure alone has not been enough. Across the globe, countries have enacted various protections for different kinds of data, each with its own reporting requirements, and violations carry penalties ranging from fines to prison time. The details of data protection laws vary from country to country, but they generally address several common areas, including:
- Applicable laws
- Definitions for personal data
- Enforcement authority
- Data protection officers
- Collection, processing, and transfer
- Breach notification
- Electronic marketing
- Online privacy
General Data Protection in the European Union
The European Union adopted a new, sweeping data privacy law, the EU General Data Protection Regulation (GDPR), on April 14, 2016, but it does not apply until May 25, 2018. Until then, the 1995 Data Protection Directive (95/46/EC) remains in force. Much of the GDPR clarifies or expands on the 1995 directive, but as a regulation it applies directly in every member state without separate national legislation. The law applies not only to businesses established in the EU, but also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
Here are some of the key provisions of GDPR. The law defines personal data as “any information relating to an identified or identifiable natural person.” When using someone’s personal data, companies must:
- Use data only for the purposes it was given
- Collect only the data necessary for the purpose for which it was given
- Ensure the data is accurate and up to date
- Keep data in a form that permits identification no longer than necessary
- Process the data with appropriate security measures
Sensitive personal data, which the GDPR calls “special categories,” includes genetic data, biometric data used to identify a person, health data, and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life and sexual orientation. Processing these categories is prohibited unless one of a limited set of exceptions applies, such as the explicit consent of the person concerned.
GDPR requires many organizations, including public authorities and any company whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to appoint a data protection officer to monitor data protection practices and act as the point of contact for the supervisory authority. It also requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. Finally, GDPR increases the penalties to a maximum of 4% of a company’s annual global turnover or €20 million, whichever is greater, for serious infringements, and up to 2% or €10 million for less serious ones.
General Data Protection in Colombia
Colombia’s primary laws regarding data privacy are Law 1581 of 2012 and Decree 1377 of 2013. They apply to data processing carried out in Colombia and to processing outside the country where Colombian law applies under international treaties. Colombia also distinguishes between personal data and sensitive data. The definition of personal data is broad: “any information that relates directly or indirectly to a living individual.” Sensitive personal data is data that affects the individual’s privacy or whose misuse could lead to prejudice or discrimination.
When a business establishes a database with personal data, they have to register it with the National Registry of Databases. Here are some examples of what the law requires Colombian data controllers to do:
- Request and keep a copy of the user’s authorization to process the information
- Inform the user of the purpose of collection and data protection rights
- Guarantee that the data is truthful, complete, exact, comprehensive, and up to date
- Demand that data processors comply with security procedures
- Inform the national data protection authority of breaches
Violators of data protection laws can face successive penalties of up to approximately $450,000 USD until the violation is remedied.
General Data Protection in the United States
The U.S. represents a particularly complicated set of privacy laws: the country has 20 sector-specific federal laws and hundreds of state laws, each different from the other. California alone has 25 privacy and security laws. Additionally, the Federal Trade Commission may use its authority under Section 5 of the FTC Act, on a case-by-case basis, to act against unfair or deceptive trade practices when companies fail to live up to their stated privacy and security promises.
The U.S. does heavily regulate health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as children’s data under the Children’s Online Privacy Protection Act (COPPA). Outside of these areas, protection and enforcement vary from state to state, making compliance difficult.
Know Before You Grow
Every business should understand global data privacy laws, even if you are not looking to expand to a new country. Your data protection practices may fall under a foreign regulator’s jurisdiction simply because someone visits your website from a place such as the European Union and you offer them goods or services or track their behaviour. Failure to comply with privacy laws can result in heavy fines, but that’s not always the worst of it. The public embarrassment of failing to protect your clients’ data to the standard they expect may hurt your business even more than any fine could.
Staying compliant during a global expansion can be a heavy, complicated task, but there are resources, including global consultants, that can help you understand your obligations in different countries, such as those surrounding data protection. To learn about these services, get in touch with our team today.