Data Protection in Europe:

Understand what laws apply.

Data protection can be a minefield because of the vast number of regulations that apply. It is important to understand the context and situations in which you are using personal data, for example:

You need to consider what the laws of your country are. For example, if you are based in Germany, you will need to comply with the German Federal Data Protection Act (Bundesdatenschutzgesetz), which puts restrictions on the data you can send to non-EU countries. If you are based in Poland, you need to comply with the Personal Data Protection Act, which includes requirements to perform risk assessments for some data processes.

You will need to comply with EU regulations, which apply to all member countries. For example, the General Data Protection Regulation (GDPR) requires you to follow 7 principles when handling personal data and to respect a number of rights. Many EU member countries’ own data protection laws follow the requirements and restrictions laid out in GDPR.

You should consider what industry you are in, as there may be additional country and EU laws and regulations that apply. For example, if you take card payments, you may need to comply with PCI DSS, which requires you to manage your networks to isolate and separate some types of traffic.

You will need to consider who the people you deal with are, as other legislation and regulations may apply. For example, if you deal with any Japanese companies, you will be expected to comply with Japan’s Act on the Protection of Personal Information (APPI).

To be continued in Part 2.
