Big businesses risk falling foul of international data protection laws as governments around the world take a tougher approach to privacy.
Countries including Korea, Japan and China are introducing tough new privacy laws which frequently contradict the approach taken by European companies to data protection, a leading law firm has warned.
Multinational companies have already been fined hundreds of thousands of dollars after unwittingly breaching data protection laws in Japan and Korea, according to Karin Retzer, partner at law firm Morrison and Foerster (MoFo).
“Companies tend to take a fairly UK or EU-centric view. They assume that if they comply with their own local laws they are fine. That is no longer correct,” she said in an interview with Computer Weekly.
The twists and turns of data protection law
European companies are obliged to destroy log files when they are no longer required. In China, companies are legally obliged to keep the log files indefinitely.
In Europe, businesses are not expected to obtain consent from employees before adding their details to a staff directory. In Korea it is compulsory.
In Korea, companies have to seek explicit permission from their customers for every action they want to perform on personal data. This includes storing data, and transferring it to a hosting company or internally within the same organisation.
In many cases, data protection laws outside Europe contradict EU data protection regulations, making compliance across multiple jurisdictions difficult.
Retzer advised multinationals to create a single data protection policy that will cover the basic data protection requirements of each country they operate in.
“You need to look for the common denominator. Multinational organisations don’t have the resources, and it is not wise from a customer relations and employee relations point of view, to have different procedures in different countries,” she said.
However, companies cannot assume that complying with basic data protection standards will be enough to protect them from regulatory action if there is a complaint.
“In Europe, if you have the main elements in place and are prepared to address concerns raised by individuals and regulators, that’s fine. But in some Asian countries, particularly Korea, that is not necessarily the case,” she said.
Companies should take a risk-based approach, putting more safeguards in place in countries where they have more staff or where regulators are more aggressive, Retzer advised.
How to secure your data
- Firewalls, anti-virus and anti-spyware protection
- Periodic changing of (non-default) IDs and passwords
- Access controls (important when someone leaves the company)
- Limit access to that which is necessary to perform duties
- Do not e-mail sensitive or special personal information
- Do not access more than that which is needed
- Create and use secure documents
- Use passwords
“It’s a good idea to ensure you have access protection, and encryption of data, at least in transit and on storage services. And you have to be careful how you select third parties which share your information,” she said.
In Europe, businesses can simplify data protection governance by using data protection laws from one EU state across Europe.
The European Union is developing EU adequacy statements that will make it easier for companies to transfer data overseas.
However, their introduction is likely to be several years away.