The Malaysian Personal Data Protection Act (“the Act”)

The Malaysian Personal Data Protection Act 2010 (“the Act”) came into force on 15 November 2013. The Act requires businesses in Malaysia to assume additional responsibilities and obligations when processing the personal data of their employees, suppliers and customers. This article provides an overview of the key issues to note under the Act.

The Act applies to any person who processes, has control over, or authorises the processing of any “personal data” in respect of commercial transactions; such a person is known as a “data user”. The Act also applies to persons not established in Malaysia (for example, international organisations) if they use equipment in Malaysia to process personal data for any purpose other than transit through Malaysia.

Certain classes of data users (e.g. licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register with the Department of Personal Data Protection.

HOW IS PERSONAL DATA DETERMINED UNDER THE ACT?

Predominantly, “personal data” covered by the Act is information that relates to a data subject who is identifiable from the information being processed or collected. This broad definition covers data types such as names, contact details, national registration identity card numbers and passport numbers. Personal data also includes sensitive personal data, such as the physical or mental health information of the data subject, his or her political opinions and religious beliefs, and criminal convictions, among others.

WHAT IS REQUIRED BY THE ACT?

Under the Act, data users are required to adhere to the 7 Personal Data Protection Principles.

  1. General: Personal data can only be processed with the data subject’s consent.
  2. Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
  3. Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that which the data was disclosed at the time of collection, or to any person other than that notified to the data user.
  4. Security: Data users must take practical steps to protect the personal data from any loss, misuse, modification or unauthorized access or disclosure, alteration or destruction.
  5. Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
  6. Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
  7. Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.

Maximum fines for various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.

What steps can a business take to help achieve compliance?

If your organization is a data user under the Act, you should start considering the following actions:

  1. Conduct an audit to identify:
     (a) the types of personal data being collected and processed;
     (b) the purposes for which personal data is being collected;
     (c) the third parties to whom personal data is being disclosed;
     (d) how data subjects are being notified of the data processing.

  2. Have a privacy framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.

  3. Be mindful that even if you have an existing global privacy policy in place, it may need to be reviewed and customized to match the Malaysian requirements. (For example, the Act requires personal data notices to be issued in both English and Malay.)

  4. Key personnel must be trained on the application of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.

  5. Board-level commitment. Given the severe consequences of non-compliance, it is imperative that senior management sets the tone and buys into the importance of complying with the Act.

  6. Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.

While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world as well as boosting investor confidence.

What is the APEC Privacy Framework and Who has signed up to it?

What is the APEC Privacy Framework and the Cross-Border Privacy Rules? And who has signed up to it?

The APEC Privacy Framework is a set of principles and implementation requirements created to enable effective privacy protections that avoid barriers to information flows, which are vital to global data exchange, and to ensure continued trade and economic growth across the 27 countries of the Asia-Pacific Economic Cooperation (APEC) region. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules (CBPR) system.

The Cross-Border Privacy Rules (CBPR) system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is comparable to the EU-U.S. Privacy Shield in that both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require each country to designate a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).

Unlike the GDPR, which is a directly applicable regulation, the CBPR system does not replace or alter a member country’s domestic laws and regulations. Where a country has no applicable domestic privacy protection requirements, the CBPR system is intended to provide a minimum level of data protection.

The privacy enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements. 

As trade and cross-border data agreements grow exponentially, global organisations cannot simply rely on being compliant with local privacy laws. Privacy compliance must now be thought of as a global umbrella, with compliance with many regional and country laws nestling beneath it.

Relentless Global Privacy Services helps clients meet the tough world of privacy regulations.

Let’s take a deep dive into the framework and how it compares to the GDPR.

APEC Privacy Framework (or CBPRs) compared with the GDPR

Purpose
APEC: To develop effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the APEC region.
GDPR: To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Material scope
APEC: Applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information.
GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial scope
APEC: Applies to the same extent that the laws of each member country apply.
GDPR: Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union, or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.

Personal information
APEC: Personal information means any information about an identified or identifiable individual.
GDPR: Personal data means any information relating to an identified or identifiable natural person (the same in substance).

Data controller
APEC: Personal information controller means a person or organization who controls the collection, holding, processing or use of personal information.
GDPR: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processors
APEC: The APEC Privacy Framework and CBPRs do not apply to processors, only to controllers.
GDPR: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Publicly available information
APEC: The APEC Privacy Framework has limited application to publicly available information. Notice and choice requirements, in particular, are often superfluous where the information is already publicly available and the personal information controller does not collect the information directly from the individual concerned.
GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Permitted member country variations (derogations)
APEC: Economies implementing the framework at a domestic level may adopt suitable exceptions to scope that suit their particular domestic circumstances. The framework is not intended to impede governmental activities authorized by law when taken to protect national security, public safety, national sovereignty or other public policy.
GDPR: Member States have discretion in a number of subject areas, including: supervisory authority; sanctions; demonstrating compliance; data protection officers; archiving and research; third country transfers; sensitive personal data and exceptions; criminal convictions; rights and remedies; processing of children’s personal data by online services; freedom of expression in the media; processing of data; restrictions; and rules surrounding churches and religious associations. Exceptions to general GDPR applicability also exist for national security, public safety and police powers.

Preventing harm principle
APEC: Recognizing the interests of the individual in legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information.
GDPR: Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Notice
APEC: Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information; otherwise, such notice should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. Where personal information is not obtained directly from the individual but from a third party, it may not be practicable to give notice at or before the time of collection of the information.
GDPR: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Collection limitation
APEC: The collection of personal information should be limited to information that is relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Use limitation
APEC: Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes except: (a) with the consent of the individual whose personal information is collected; (b) when necessary to provide a service or product requested by the individual; or (c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Choice and consent
APEC: Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.
GDPR: Permits the use of health-related personal data with explicit consent from the subject, unless reliance on consent is prohibited by EU or member state law. “Explicit consent” must meet a higher standard than consent for the processing of other forms of personal data: an individual must be clearly informed of the use of their data and take an affirmative action to demonstrate their consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data integrity
APEC: Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use.
GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Security safeguards
APEC: Personal information controllers should protect personal information that they hold with appropriate safeguards against risks such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
GDPR: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Access and correction
APEC: Individuals should be able to obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them, have access to information held about them, challenge the accuracy of information relating to them, and have the information rectified, completed, amended or deleted. All of the above rights are subject to a balancing of the burden or expense of compliance, legal or security reasons, the protection of commercial information, and the protection of the privacy rights of persons other than the affected individual.
GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and to access the personal data and information about the processing, including: what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Accountability
APEC: A personal information controller should be accountable for complying with measures that give effect to the Principles stated above.
GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR.

Transfer of personal data to another person or country
APEC: When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.
GDPR: When a controller sends data to another party to be processed, that party is a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries whose laws the EU has considered to provide adequate protection, or where protected by binding corporate rules, approved model clauses, or binding agreements combined with an approved code of conduct or approved certification.

Breach definition
APEC: There is no specified definition of breach under the APEC Privacy Framework or CBPRs.
GDPR: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach notification
APEC: The APEC Privacy Framework does not directly address breach, but the principles support notification. The Cross-Border Privacy Rules (CBPR), to which APEC economies must bind themselves in order to join, require that member countries impose rules requiring data controllers to contractually protect data by requiring notification to themselves by data processors, agents, contractors or other service providers. The CBPRs do not require that member countries impose mandatory notification of breach to privacy enforcement authorities or data subjects.
GDPR: The GDPR requires assessment of data incidents and prompt notification of breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

Breach mitigation
APEC: (See Security safeguards above.) The APEC Privacy Framework requires appropriate safeguards. The CBPRs require the applicant country to describe how it enforces a requirement to have technical (authentication and access control, encryption, firewalls and intrusion detection, audit logging, monitoring, etc.) and administrative (training, policies, enforcement, etc.) safeguards.
GDPR: Notification to data subjects is not required if:
· the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
· the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
· it would involve disproportionate effort, in which case there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Comparing South Korea Personal Information Protection Act to GDPR

South Korea’s substantial Personal Information Protection Act (PIPA) was enacted on Sept. 30, 2011. PIPA is known as one of the world’s strictest privacy regimes.

PIPA has many similarities to the GDPR: it protects privacy rights from the viewpoint of the data subject, and it is wide-ranging, applying to most organizations, even government entities.

It is not only broadly applicable and robust, but its penalties, which include criminal and regulatory fines and even imprisonment, are vigorously enforced.

On June 30 of last year, South Korea became the fifth member to join the APEC Cross Border Privacy Rules, joining the U.S., Japan, Canada and Mexico.

The table below compares aspects of the GDPR directly with South Korea’s PIPA.

South Korea’s Personal Information Protection Act

GDPR

Purpose

To provide for the processing of the personal information for the purpose of enhancing the right and interest of citizens, and further realizing the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Material Scope Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties. Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.
Territorial Scope Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action. Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.
Personal Data “Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information). Personal data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history dat, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects. Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “Personal information processor.” Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processors “Personal information processor” means a public institution, legal person, organization, individual, etc. that processes directly or indirectly personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR. Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Publicly Available Information There is no specific exception to applicability that relates to publicly available information. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
Preventing Harm Principle The law provides that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection; abuse and misuse of personal information; and enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive. Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Lawfulness, Fairness and Transparency The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation An information processor should use personal information only for the purposes specified to the data subject in any applicable consent. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes. Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. 

Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Storage Limitation The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible. Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject.

Notice

The personal information processor shall make public its privacy policy and other personal information processing matters. The privacy policy must disclose: 

· The purpose of personal information procession. 

· The period for processing and retention of the personal information.

· Any provision of the personal information to a third party (if applicable).

· Any consignment of personal information processing (if applicable). 

· The rights and obligations of data subjects and how to exercise the rights. 

· Other matters in relation to personal information processing as stated in the Presidential Decree.

Articles 12, 13, and 14 address the requirement that a data controller provide notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. 

The notice must contain: 

· Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer 

· Purpose of the processing and the legal basis for the processing 

· The legitimate interests of the controller or third party, where applicable 

· Categories of personal data 

· Any recipient or categories of recipients of the personal data 

· Details of transfers to third country and safeguards 

· Retention period or criteria used to determine the retention period 

· The existence of each of data subject’s rights 

· The right to withdraw consent at any time, where relevant 

· The right to lodge a complaint with a supervisory authority 

· The source the personal data originates from and whether it came from publicly accessible sources 

· Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data

· The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

Choice and Consent

The law specifies that when obtaining consent from data subjects, the personal information processor shall notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize them explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent.

The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations).

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Integrity and Confidentiality

The act imposes detailed technical and administrative measures for the security of personal information. The personal information processor shall take such technical, managerial and physical measures (for example, an internal management plan and preservation of log-on records) as are necessary to ensure safety, so that personal information is not lost, stolen, leaked, altered or damaged. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Accountability

The personal information processor must appoint a privacy officer.

The Minister of Public Administration and Security has the right to request goods and documents that demonstrate compliance with the law and to enter the premises and inspect if the personal information processor fails to furnish the materials.

The controller must appoint a data protection officer. 

The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses.

Access and Correction

The data subject has the right to demand access to and suspension of processing of their personal information, and to demand its correction, deletion and destruction. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Data Portability

Data subjects may demand access to data, with some exceptions. The law does not specify that access must be in the form of an export or other form of portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Transfer of Personal Data to Another Person or Country

A data protection agreement must be in place between the personal information processor and the outsourced party in the context of any outsourcing. This requirement applies also to international personal information transfers.

The personal information processor must also inform data subjects when the personal information processor provides personal information to a third party overseas, and the personal information processor shall not enter into a contract for unlawful cross-border transfer when it obtains consent.

When a controller sends data to another party to be processed, that party is a processor and must therefore be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection, or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct, or approved certification.

Breach Definition

The law does not define a breach, but refers to it as an event in which personal information has been breached. Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach Notification

The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached.

Breaches that affect more than a certain number of individuals as set forth in a presidential decree must be disclosed to the data protection authority.

The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.
Breach Mitigation

There is no specific provision that allows for a harm or risk test, or for the application of mitigation, to avoid the requirement to notify of a breach, but the personal information processor is obligated to take countermeasures to minimize damage. Notification to data subjects is not required if:

· The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or 

· The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or 

· It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Changes to Hong Kong’s Data Privacy Law: What They May Mean For Your Business

In the wake of a massive data security breach in 2018, Hong Kong is finally carrying out a much needed review of its PDPO data protection regulation. Relentless Privacy & Compliance outline the upcoming changes and their impact on global businesses.

When the European Union first introduced the General Data Protection Regulation (GDPR) back in 2016, many countries, cities and regions around the world were quick to take notice. Seeing how successfully GDPR was implemented two years later, those same areas sprung into action, revising their own data privacy laws to better reflect and cope with the needs of today’s digital, data-driven economy.

Before long, we had The Standard from China, the LGPD from Brazil and Japan’s APPI among others.

Yet while all this was going on, one region once considered a pioneer in the world of data protection law found itself lagging well behind. Back in 1996, Hong Kong became one of the first jurisdictions in Asia to come up with its own regulations around data privacy. Known as the Personal Data Privacy Ordinance (PDPO), the law was largely considered to be ahead of its time when it first came into force. Yet that was 23 years ago. Now, almost a quarter of a century later, the world is a very different place and the PDPO, according to many of its staunchest critics, simply fails to reflect that.

Revisions to PDPO

Sure, the law has seen the occasional update.

Hong Kong has its own Privacy Commissioner for Personal Data (PCPD), a role currently held by Stephen Wong. The PCPD has a statutory obligation to review the Hong Kong data privacy law, having last done so in 2012.

That review resulted in new restrictions being placed on direct marketers, though many people at the time, and especially now, years later, have argued that such changes simply weren’t enough to protect the personal data and privacy rights of individuals in modern society. Last year, Wong finally relented and agreed to carry out another review, which many hope will result in the changes needed to bring the PDPO in line with GDPR and other modern data privacy laws.

Today, global data protection consultants Relentless Privacy & Compliance take a break from helping organisations ensure frictionless compliance with global data privacy laws and take a look at what these changes are likely to be.

Why is the Hong Kong Data Privacy Law Being Reviewed Now?

2018 saw one of Hong Kong’s biggest ever data security breaches, as the personal data of some 9.4 million individuals was stolen from the airline Cathay Pacific. The privacy breach was the last straw for critics, who argued that it served as proof that the current law was no longer fit for purpose. Responding to such criticism, and drawing inspiration from GDPR, Wong admitted that changes were needed and promised to carry out a review.

So far, industry insiders are expecting the review to result in changes to the four main areas in which PDPO fails to hold its own against other international data protection laws.

These four areas are:

1: Data breach notifications

Under GDPR, data processors and controllers are required to report data breaches within 72 hours.

Since updating their privacy laws, many other parts of the world also have similar requirements in place yet so far Hong Kong does not.

Going forward, we should expect to see the rules change so that data subjects affected by a breach will need to be notified within a reasonable timeframe from when the breach occurred.

If your business deals with Hong Kong data subjects then you may want to keep an eye on the Relentless Privacy & Compliance blog or follow us on social media, where we’ll be sure to report on the exact rules that Wong and his team come up with.

In the meantime, consider how your data breach strategies for GDPR can be adapted to PDPO.

2: Non-Compliance Penalties

Incidents such as the Cathay Pacific breach have raised concerns that penalties for non-compliance are not sufficient to motivate organisations to fully protect the personal data they hold.

At present, if a company fails to protect personal data or falls short of PDPO rules in some other way, then the worst thing that happens is that they receive an enforcement notice ordering them to fix and prevent the issue from happening again.

Only if they fail to act on this notice does the Office of the Privacy Commissioner for Personal Data really hit organisations where it hurts: maximum fines of up to 50,000 HKD (roughly £5,000 GBP) and two years in prison can be issued, though most critics argue that this isn’t enough.

They expect Wong’s team to bring penalties more in line with GDPR, which currently imposes fines of up to 20 million euros or 4% of global turnover, whichever is higher.

3: Data Processors

Under GDPR, both data processors and controllers have an obligation to comply with the regulations, whereas PDPO currently applies only to controllers. Since a large majority of data breaches occur at the processor level, many insiders say that this is neither sufficient nor fair.

The upcoming changes are likely to address this by making processors equally accountable.

4: International Data Transfers

Section 33 of PDPO actually prohibits international data transfers except under certain circumstances, which are:

  • The recipient country is included in a “white list” issued by the PCPD
  • The data user reasonably believes that the recipient country has laws substantially similar to, or which serve the same purpose as, the PDPO
  • The data subject has consented to the transfer
  • The data controller has reasonable grounds for believing that the transfer is necessary to avoid or mitigate any adverse action against the data subject, and it is not practicable to obtain the data subject’s consent; but if it were practicable, the data subject would provide their consent
  • The data user has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be used in a manner inconsistent with the provisions of the PDPO

Yet despite being enacted in 1995, Section 33 has never yet come into operation.

The upcoming review by Stephen Wong is likely to address this by first bringing Section 33 in line with GDPR Articles 44 through 49 which deal with data transfers, and then finally putting it into operation for the first time in the long and troubled history of the Personal Data Protection Ordinance.

Need expert advice preparing for changes to Hong Kong’s data privacy law? Looking for a simpler solution to map all of your current international data protection methods?

Talk to Relentless today about how our global privacy service can help your organisation enjoy frictionless compliance in a way that provides long-term added value. Contact us online to arrange your initial consultation or call now on +44 (0) 121 582 0192.

GDPR and LGPD: The Differences between the EU and Brazil’s Data Protection Laws Your Business Needs to Know

As Brazil readies itself for the arrival of its new General Data Protection Act in February 2020, we outline how it differs from GDPR, and what those differences mean for businesses like yours.

It’s a familiar story that’s been told with ever-increasing frequency over the past 18 months: inspired by the European Union’s success in rolling out the game-changing General Data Protection Regulation (GDPR), one country after another revamps and revises its national privacy laws to better reflect the needs and concerns of today’s data-driven society.

We’ve seen it in California with the CCPA, we’ve seen it in China with The Standard, and we’ve recently seen it in Japan with the APPI.

Now, it’s Brazil’s turn, as the country gets set for the imminent arrival of its own General Data Protection Law, known in Portuguese by the acronym LGPD. Yet while other countries have been content to simply adopt the basic principles of GDPR as their own, Brazil has ushered in a few notable changes that businesses dealing with the personal data of Brazilian data subjects should be aware of.

Today, global data privacy specialists Relentless Privacy and Compliance outline exactly what those changes are, how GDPR and LGPD are different, and what your business may need to do to ensure frictionless compliance with the new Brazilian law.

Before we do that, however, let’s take a look at a few LGPD facts that you’ll find it helpful to know:

Brazil’s General Data Protection Law: What is it, and What do You Need to Know?

Back in August 2018, then-President Michel Temer sanctioned a new data protection law for the country.

Like similar laws elsewhere in the world, the new law applies to all businesses and organisations who process or control personal data of people within Brazil, regardless as to where those businesses and organisations are based. So, if you’re a business based within the EU but people in Brazil can access goods or services from you via your website, then you need to be LGPD compliant in order to process the data you need to provide those goods or services.

When does LGPD Come into Force?

If this is the first time you’re hearing about the new law, there’s no need to panic just yet. Despite being sanctioned last summer, the law isn’t due to take effect until February 2020, giving you plenty of time to prepare. That is, if you even need to prepare at all. With a number of similarities between GDPR and LGPD, duplicating and expanding on your current data protection efforts may not be necessary. In fact, even what few differences there are may make life a little easier for you if you do carry out processing activities with Brazilian personal data. With that in mind, let’s take a look at how GDPR and LGPD compare, and what this comparison means for your business.

How GDPR and LGPD are Similar

The basic fundamentals of the two are the same. As we’ve already discussed, both are applicable to any business or organisation that processes the data of people within their respective areas (Brazil and the EU), regardless of where that processing is actually carried out. Likewise, regulations regarding international data transfers are in place in Brazil, and anyone affected by this would do well to follow the best practices and procedures that they use for GDPR.

Other key similarities include:

Data Subject Access Requests

As in the EU, data subjects have the right to request access to their data as well as the right to be forgotten.

Data Protection Officers

Article 37 of GDPR states that your organisation will be required to legally appoint a Data Protection Officer (DPO) if:

  • You’re a public authority (except for courts acting in a judicial capacity)
  • Your core activities require “large-scale, regular and systematic monitoring of individuals”
  • Your core activities consist of “large-scale processing of special categories of data or data relating to criminal convictions and offences”

However, even if you don’t fall into one of the above categories, the Article 29 Data Protection Working Party recommends hiring a DPO anyway as a means of best practice.

Brazil’s stance on the matter is very similar, and your compliance consultant at Relentless can help you determine the best DPO solution for you should you need to appoint one.

Data Breaches

Brazil’s position on reporting breaches is similar to GDPR in as much as both state that breaches must be notified, however, this is one area in which the two do differ. We’ll cover those differences below.

How are GDPR and LGPD Different?

One of the major differences between the two with regards to data breaches is that Brazil appears to be much more flexible in terms of how and when breaches must be reported.

Article 33 of GDPR states:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Brazil is much less specific. LGPD Article 48 states that breach notifications must occur “within a reasonable time, to be defined by the national authority.” This becomes all the more vague when you consider that, at the time of writing, Brazil doesn’t actually have a designated national authority enforcing LGPD. Attempts to create one were vetoed by Michel Temer on a technicality, though President Temer did insist that agencies similar to the ones proposed would eventually be created. In the interim, breaches can be notified to the Ministério Público do Distrito Federal e Territórios (the Public Prosecutor Office of the Federal District), which has a portal for reporting breaches and may carry out civil investigations on them if necessary.

Legal Bases

The most talked-about difference between the two concerns the legal bases for processing data.

Under GDPR, your business has six legal bases which are:

  1. Explicit consent
  2. Contract performance
  3. Public task
  4. Vital interest
  5. Legal obligation
  6. Legitimate interest.

For a definition of these bases, see our guide to baseline GDPR compliance.

Under LGPD, the number of legal bases has been expanded to 10. These are:

  1. Consent
  2. Legal obligation
  3. Implementation of public policies by the public administration (public task)
  4. Research by public study entities
  5. Contractual performance
  6. Exercise of rights in legal proceedings
  7. Life protection (vital interests)
  8. Health protection
  9. Legitimate interest
  10. Protection of credit

Though you’ll note a number of similarities between the two, you’ll also see that bases such as protection of credit are exclusive to Brazil. This is particularly pertinent as the country prepares to reform its existing laws around credit scores.

Penalties for Violations

Much as with the timeframe for reporting breaches, Brazil also appears to be a little more lenient when it comes to issuing penalties for non-compliance. In the EU, fines can total up to 4% of global revenue up to 20 million Euros. In Brazil, fines can total up to 2% of revenue from Brazil, up to 50 Million Brazilian dollars.

Not that your business should ever find itself in a situation that requires you to pay such a fine.

At Relentless Privacy & Compliance, we help you achieve frictionless compliance with LGPD, GDPR and other international laws thanks to our comprehensive global data privacy service. This includes a detailed global gap analysis, helping you identify areas where you can streamline your data protection efforts, saving you time and money in the process.

Find out more about our LGPD Service.

To order your gap analysis, contact us online today, or to discuss your privacy concerns, call us now on +44 (0) 121 582 0192.

How Does Thailand’s New Data Protection Bill Affect Your Business? Your Questions Answered

The latest country to follow in the EU’s data protection footsteps, Thailand is gearing up for the arrival of its first bill to protect individuals’ personal data rights, but what does this mean for your business? Relentless’ global data privacy experts have the answers.

Thailand’s relationship with the concept of privacy has always been a curious one to say the least. For years, the idea that individuals have a right to privacy was a key part of the country’s national constitution, albeit one without any kind of law or regulation forcing businesses to uphold that right.

Sure, certain rules and codes of practice were in place for Thailand’s health sector and other industries dealing in particularly sensitive personal data, but even still, the country had nothing like GDPR, nor anything which may have in any way resembled even the most basic of all-encompassing data protection laws, such as the UK’s Data Protection Act.

At least, that was the case until now.

After a lengthy process of drafting, consulting the public and revising, Thailand is finally set to roll out its own Personal Data Protection Bill (PDPB). Much like the raft of other new data laws which have come along in the past two years, this one takes many of its cues directly from GDPR.

On the face of it, this is good news for many businesses, as the similarities between the two mean that a number of the processes, policies and procedures they already have in place for GDPR can prove equally sufficient for PDPB, eliminating any duplication of effort.

Even so, in much the same way that business owners were left scratching their heads in the run-up to GDPR coming into force last May, PDPB’s arrival has left many with some serious questions about what exactly Thailand’s new data protection law means for them.

That’s where we come in.

At Relentless Privacy & Compliance, we specialise in helping businesses around the world to achieve frictionless compliance with global data protection laws in a way that provides long-term added value. Today, we answer your burning questions about Thailand’s Personal Data Protection Bill and how it may affect your business.

Who does PDPB apply to?

Just as GDPR applies to all data processors and data controllers who deal with the data of data subjects within the European Union, PDPB applies to all processors and controllers who deal with Thai data subjects, regardless of where those processors and controllers are actually based. In other words, if you’re a UK business but you provide goods and services to people in Thailand (whether you charge for them or not), then you need to ensure that your business is PDPB-compliant.

That’s not all.

The new law also applies in any instance where the behaviour of Thai data subjects is monitored. So, even if you don’t provide services directly to data subjects, but you carry out business-to-business services such as tracking people’s internet activity for the purposes of targeted marketing or user testing, then PDPB applies.

I outsource my data processing to Thailand, how does this affect me?

According to the Personal Data Protection Committee (PDPC), which oversees the creation, implementation and enforcement of PDPB in Thailand, the new requirements are applicable to personal data that is collected, used, or disclosed by a Thailand-based data processor or controller, regardless of where that data is collected, used or disclosed.

To put that in simpler terms, if you only collect the data of EU data subjects but you use a firm in Thailand to do the collecting for you, then, yes, PDPB applies.

What do I need to do to ensure frictionless compliance with PDPB?

The most pressing issue for any business affected by Thailand’s new data protection bill is to ensure that you have a lawful basis for collecting, processing, or disclosing data. Much as with GDPR and similar regulations, explicit consent is typically the lawful basis that is talked about the most, and often for good reason. It’s certainly the most straightforward and uncomplicated method of collecting and processing data legally. Gain the express consent of data subjects, and you leave no doubt as to the validity and legality of your processing activities. However, many businesses tend to overlook the fact that explicit consent isn’t the only option they have at their disposal. There are others which are every bit as valid and every bit as legal.

These include:

Contracting

Explicit consent is not required if the data processing activities are required to carry out the terms of a contract your data subject has entered into with you, or to take certain steps requested of you by the data subject before entering into a contract.

Vital interest

Under vital interest, you do not need to gain explicit consent if processing is required to protect an individual’s life.

Public interest

This lawful basis can be used if processing is required to carry out a task that is in the public interest, as long as that interest has a clear basis in law.

Legitimate interest

If you can prove that processing is required for the legitimate interests of your business or a third party, then you can forgo explicit consent. However, it is worth noting that this can be overruled in cases where the protection of a person’s data is deemed to be more important than your legitimate interest.

What else do I need to know about consent?

It’s also important to point out that PDPB lays out extra conditions for gaining the consent of minors. Your compliance consultant at Relentless can advise you as to what these are and how you can best implement them should it be necessary.

What rights do data subjects have under PDPB?

Again, PDPB isn’t too dissimilar in this regard from other new regulations which have come along in the last few years. Individuals have a right to request a copy of the data that you hold about them and, in certain circumstances, also have the right to object to their data being processed.

In both cases, businesses affected by the bill are obligated to meet these requests.

Does my business have any other obligations?

Yes.

In particular, you need to ensure that sufficient physical and digital security measures are in place to prevent unauthorised or malicious access, use, or modification of any personal data you hold. You’ll also need to be sure that, if you plan to transfer the personal data of Thai data subjects to businesses in other countries, those countries have, and those businesses are compliant with, sufficient data protection regulations such as GDPR, CCPA, or China’s National Standards on Information Security Technology.

What do I need to do in the case of a data breach?

Naturally, you’ll have done everything in your power to prevent a data breach. However, should the worst happen, your first and most pressing responsibility is to immediately inform the affected data subjects. If the data breach affects a certain number of data subjects, your next task will be to inform the PDPC.

What are the consequences of non-compliance?

Businesses that are found in violation of PDPB are liable to pay administrative, civil, and/or criminal penalties depending on the circumstances, though of course, your business never has to reach this stage.

As part of our comprehensive Global Data Privacy Service, Relentless Privacy & Compliance offer expert advice, guidance, and hands-on support to ensure that you’re not only fully compliant with PDPB and other international privacy regulations but that you achieve that compliance in a way that helps your business to grow.

Contact us online today to find out more about how we can help you, or to discuss your privacy concerns, call us now on +44 (0) 121 582 0192.

How the California Consumer Privacy Act Affects Your Business: Everything You Need to Know

Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.

The arrival of the General Data Protection Regulation back in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With widespread implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe to not only take note but take action. One of the first to do just that was the US state of California, which, mere weeks after GDPR came into effect, signed into law its own updated data protection rules, known as the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California; it’s based in another US state entirely, or even in a completely different country.

Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?

Is it time to stop reading this article and go about your day?

Not exactly. Here’s the truth:

The Consumer Privacy Act Could Impact Your Business

In fact, according to the International Association of Privacy Professionals (IAPP), the legislation will apply to more than 500,000 companies in the United States. That’s not to mention the impact it’s likely to have internationally.

  • But what exactly is this impact?
  • How will the new Consumer Privacy Act affect your business?

At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.

Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world, and offer our expert insights on what you might need to do to ensure long-term compliance.

However, before we get to that, let’s first answer the one question that’s most on your mind:

What is the California Consumer Privacy Act 2018?

Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide regulation. Putting the new bill together, lawmakers wrote:

  • “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.”
  • “It is possible for businesses both to respect consumers’ privacy and provide a high-level transparency to their business practices.”

To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives those consumers the right to request that a business discloses the following key details:

  • The categories and specific types of personally identifiable information that it has collected about them.
  • The types of sources it has used to collect that information.
  • The reasons why it has collected that information, whether that’s to use it for business purposes or sell it on to a third party.
  • The categories of third parties that the information will be shared with.

What else does the CCPA say?

Along with making it a requirement to meet those data requests at no cost to the individual, the new law gives businesses several other obligations. These include:

  • Informing people about the categories of personally identifiable information being collected, and the purposes for which that information will be used, before the data is collected or, at the very least, at the point of collection.
  • Providing the same levels of service and pricing to individuals who exercise their privacy rights.
  • Not selling on personal information if an individual has said no to this.

Does CCPA Apply to My Business?

Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to those businesses based within California. Rather, any business with customers in California can be affected if that business meets any of the following three criteria:

  • The business has annual gross revenues which total at least £25 million.
  • For commercial purposes, the business either buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
  • The business generates at least 50% of its annual revenue from selling the personal information of consumers.

This includes those businesses which are based in other US states, or even in other countries.

The immediate and long-term impact of CCPA

So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:

If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.

Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms:

  • Those from citizens who want to know what types of data you hold on them.
  • Those from citizens who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.

So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.

CCPA doesn’t come into effect until January 1st, 2020.

At the time of writing, that gives affected businesses a little over 8 months to get ready. But what about those businesses not immediately impacted by CCPA? What happens if you don’t have customers in California?

Does that mean you can forget all about data protection and carry on as normal? Not quite.

Here’s the thing:

The California Consumer Privacy Act of 2018 is only the beginning of a widespread shift in privacy culture. Yes, California may be the first US state to adopt a GDPR-like approach to consumer privacy, but it certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.

In other words, by the first half of the next decade, we should well expect to see GDPR-style regulations become the norm across the United States as well as other non-US and non-EU countries.

So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.

How GDPR Compliance Can Help You Prepare for CCPA

Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?

In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you’ve already taken the necessary steps to ensure you’re fully compliant with the General Data Protection Regulation. Remember, CCPA is directly influenced by GDPR, just as most new privacy laws are expected to be in the future. So, if you’ve taken the necessary steps as outlined in our GDPR compliance assessment, you may well find that you’re already well on your way to CCPA compliance.

If not, don’t worry: Help is at hand.

At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.

From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.

See our comprehensive CCPA Service to find out how we can help you prepare for and achieve CCPA compliance.

Find Out More

Book your free, initial consultation online today, or call us now on +44 07732841440.


China’s Data Protection Law Explained

What Your Business Needs to Know

China’s National Standards on Information Security Technology – Personal Information Security Specification has drawn comparisons to GDPR, but how closely are the two really linked? Here, Relentless Privacy & Compliance outline the key differences and similarities between Chinese and EU privacy laws, and explain the impact that this comparison could have on your business.

In May 2018, new data protection law came into force which changed the way many businesses manage, collect, and store data. Before you roll your eyes and turn away, convinced that you’ve heard it all before, there’s something you should know:

The law we’re talking about here isn’t the General Data Protection Regulation (GDPR). You see, while the eyes of the world were on the European Union and the far-reaching impact its privacy laws were having on the world at large, China quietly ushered in its own National Standards on Information Security Technology – Personal Information Security Specification.

Better known simply as The Standard, this law actually came into force several weeks before GDPR, on 1st May 2018, though by all accounts it was indeed modelled after its European counterpart.

Naturally then, experts have been quick to look for parallels between the two. Meanwhile, businesses with interests in both China and the EU have been eager to explore how the similarities between the two laws can help them avoid unnecessarily duplicating their efforts in order to comply with both.

For example, since both GDPR and The Standard require certain organisations to appoint a designated data protection official, it simply makes sense for businesses to look at the duties of a Data Protection Officer (DPO) as required by GDPR and the duties of the DPO as outlined by The Standard, and combine them into one role.

But in what other ways can international businesses reduce the operational impact of complying with both EU and Chinese data protection laws? More importantly, what are the major differences between the two that your organisation needs to be mindful of?

That’s what we’re going to look at today.

At Relentless Privacy and Compliance, we help businesses across the globe to minimise the costs and complications involved in meeting the requirements of international privacy law. Today, we draw on our experience in supporting organisations within both China and the EU to explain everything you need to know to enjoy frictionless compliance with The Standard and GDPR.

Defining Data

First and foremost, while both GDPR and The Standard concern themselves with personal data, they ultimately have different ideas as to what that actually is. The Standard uses the term “personal information.” This term covers a broader range of data types and categories of data than its GDPR equivalent, “personal data.” For example, The Standard’s definition of personal information includes all of the things covered by “personal data” but also includes things like website tracking records, IP addresses and serial codes on hardware devices. Then, of course, there’s the concept of “sensitive personal information.”

Under GDPR, this type of information is typically known as “special category data” and includes types of data which go beyond the usual Personally Identifiable Information (PII). According to the Information Commissioner’s Office which oversees GDPR in the UK, special category data can include information such as:


  • Biometrics
  • Ethnicity
  • Genetics
  • Health conditions
  • Political affiliations
  • Race
  • Religion
  • Sexual orientation
  • Trade union membership.

However, The Standard defines its equivalent, sensitive personal information, as being anything which could put a person in physical or mental harm should it be leaked out, or anything which, should it be revealed, could result in a person being discriminated against. This includes data such as:

  • Any information about children under 14 years-old
  • Bank details
  • Information about properties the person owns
  • National ID card numbers
  • Usernames and passwords

Data Collection and Consent

Under The Standard, organisations who wish to collect, process and store this sensitive personal information must gain explicit consent from users in order to do so. They must also inform users of both the core business purposes for collecting this information and any ancillary purposes. Explicit consent must be given for each of these ancillary purposes. For example, a user may consent to handing over sensitive information in order to access a particular service or product from a business. If that company then also wants to process that person’s data for marketing, to sell them additional services, or even to use that person’s IP address to help compile a report about web traffic, then the user must give consent three additional times, one for each of these additional purposes. Should the user decline to give consent for an ancillary purpose, the business can refuse to provide that ancillary service, but it can’t refuse to carry out the core business purpose that consent was given for.

Lawful basis

Those already familiar with GDPR will, of course, have heard the term “explicit consent” before. It is one of six lawful bases for collecting personally identifiable information as outlined in GDPR Article 6. The other five bases include:

  • Contract: Processing data is necessary to fulfil contractual obligations.
  • Legal obligation: Processing is necessary in order to comply with the law.
  • Vital interests: Processing is necessary to protect someone’s life.
  • Public task: Processing is necessary in order to perform a task that is in the public interest or to carry out an official function, providing that task or function has a clear basis in law.
  • Legitimate interest: Processing is required to carry out the legitimate interests of your organisation or a third-party organisation.

This means that if an organisation doesn’t use explicit consent to process someone’s data, it can use one of the other five legal bases in order to justify that processing. The Standard, however, has its own exceptions to the consent rule. Some of these are similar to GDPR Article 6 while others are different. For example, under The Standard, an organisation doesn’t need to gain consent if it can prove that processing data is necessary to perform a contract. This is the same as the ‘Contract’ legal basis under Article 6. Meanwhile, The Standard also lists other exceptions to the consent rule, such as the necessity for troubleshooting products or services or even the necessity for news reporting, neither of which is listed under Article 6. The Standard also leaves out some Article 6 legal bases, such as legitimate interests.

Privacy Notices

Both GDPR and The Standard make use of privacy notices which outline exactly what an organisation intends to do with an individual’s data, as well as reminding users of their data rights. For example, notices must disclose:

  • Why data is being collected
  • What legal grounds the organisation has for collecting it
  • Where the data is being sent and who will be using it.

The Standard also requires organisations to disclose what security measures are in place and what risks there may be after providing information.

One significant difference between the two is that GDPR allows organisations to omit certain details from their privacy notices if the user has access to those details from other sources, such as website pop-ups or simply being in regular contact with the organisation. The Standard allows for no such omissions and insists that privacy notices must be delivered on a one-to-one basis unless costs become too high or significant difficulties emerge, in which case a public announcement is allowed.

Data Subject Rights

The Standard outlines data rights for individuals which are very similar to those outlined by GDPR. However, once again, there are some notable differences. These include:

  • Data subject requests: With regards to users asking for copies of their data or to have their data deleted, The Standard decrees that such data subject requests must be complied with in less than 30 days. Under certain circumstances, GDPR usually allows extensions for request compliance, whereas The Standard does not.
  • Right to be forgotten: The Standard allows individuals more power to exercise their ‘Right to Be Forgotten.’ It does this by omitting some of the exceptions listed in GDPR which allow businesses the option to refuse a request from an individual to delete data held about them.

Other Key Differences Between GDPR and The Standard

Data Protection Impact Assessments (DPIA)

Both GDPR and The Standard require organisations to carry out DPIAs; however, The Standard is much stricter about how frequently these must be done. It states that a Data Protection Impact Assessment must be repeated at least once a year, as well as at the following key times:

  • When new legislation comes into effect
  • When business models, information systems or operational environments change significantly
  • When a major personal information security incident occurs.

GDPR, on the other hand, is far less specific about when DPIAs are carried out.

Data Sharing

GDPR does not expressly require consent specifically for data sharing, whereas The Standard does, unless the information in question can be de-identified. That said, both regulations recommend carrying out risk assessments prior to sharing as best practice.

What Does This Mean For Your Business?

If you’ve read through all the similarities and differences listed above, one thing should be clear: while GDPR and The Standard have a lot in common, there are enough differences between them to mean that, if your business is operating in both China and the EU, then you’ll have to pay attention to both. This isn’t just a case of complying with GDPR and using that compliance model as-is to comply with The Standard. In other words, a one-size-fits-all approach to privacy and data protection just isn’t going to cut it. Take the aforementioned privacy notices, for example. If you already have a privacy notice for GDPR, this in itself may not be enough to ensure compliance with China’s data protection standard. The latter requires extra details which you will need to incorporate. However, this doesn’t necessarily mean that you have to double your efforts and have two separate policies. As with all aspects of privacy laws, elements of both The Standard and GDPR can be merged together to create a fully comprehensive notice which serves both.

As we mentioned earlier in this article, the role of Data Protection Officers does vary somewhat between The Standard and GDPR. Again, this may not mean that your existing GDPR DPO will cover you for The Standard, but it does mean that the job specification of your current DPO can be modified to ensure that it covers you for both. Likewise, you’ll need to consider how your existing consent policies need to be added to or otherwise revised to ensure frictionless compliance with both regulations. If all of this sounds like a headache, you’ll be relieved to know that help is at hand.

At Relentless Privacy & Compliance, we specialise in working with businesses like yours to help you identify the systems, processes and policies you can use to comply with all international privacy regulations in a way that adds long-term value to your organisation.

From serving as your outsourced DPO to providing ongoing consultancy and training to help you minimise the cost of compliance, our experienced privacy experts are only ever a phone call away. To find out more about how we can help you, call us now on +44 0121 5820192 or contact us online today. Or