Multinational Organisations Part 1:
Data Protection in the International Market
When your organisation operates across a number of countries, it is important to understand and follow the data protection laws that apply in each of them. Good data protection compliance builds trust with customers, helps avoid expensive fines and minimises costly damage to your reputation, whereas severe infractions can see your organisation banned from certain activities, such as marketing or processing payments.
In terms of requirements and restrictions, Europe’s General Data Protection Regulation (GDPR) is one of the strictest. The key points of GDPR that will affect organisations operating internationally are:
- Organisations based outside the EU that are subject to the GDPR will generally need to designate a representative within an EU country (subject to limited exceptions for occasional, low-risk processing).
- Transfer of personal data to countries outside the EU is prohibited unless certain conditions are met, for example an adequacy decision for the destination country or an approved transfer mechanism.
- People have the right to know and access the data you hold on them.
- People have the right, in certain circumstances, to have their data corrected, deleted and moved to another provider.
- Organisations must take appropriate technical and organisational measures to protect the data that they hold.
- Any suppliers a company uses that have access to personal data must be governed by legally binding agreements on how they should process and protect that data.
One key thing to bear in mind is that these laws apply from the data subject’s perspective. In the case of the GDPR, even though you might not be based in the EU, if you offer goods or services to people in the EU or monitor their behaviour, and therefore handle their personal data, the GDPR will still apply; what matters is where the data subject is located, not their citizenship. It also means that you cannot bypass the regulation by transferring the data to another, less regulated country.
Many data protection laws also put restrictions on transferring data internationally, which can make operations in an international organisation more difficult. Some international organisations may be required to take certain measures, such as registering with a recognised data protection scheme (e.g. the EU-US Privacy Shield, although note that it was invalidated by the Court of Justice of the EU in July 2020 and has since been succeeded by the EU-US Data Privacy Framework), using standard contractual clauses approved by the European Commission, implementing binding corporate rules that have been approved by the appropriate authorities, or restricting access to data from certain locations.
Due to the large size of many international organisations, most will be required to keep records of their processing activities that involve personal data (smaller organisations are exempt only where their processing is occasional and low-risk). These records need to include the purposes and legal basis of processing, as well as retention periods and the categories of data and data subjects involved. In addition, processing that is likely to pose a high risk to individuals will require a data protection impact assessment, a risk assessment focused on the threats to data protection, to be carried out, documented and retained.
To be continued in Part 2.
If you want to speak to one of our experts about any of the content in this article, you can book a free 30-minute, no-commitment consultation here.