Guest Author: Jordan L. Fischer, Esq., Co-Founder & Managing Partner of XPAN Law Group, LLC

Technology is changing rapidly, correlating in an increasing amount of data collected every second.  These technologies cross-borders and allow businesses to operate on a global scale, at a rate never before seen.  However, the corresponding legal infrastructures operate with borders -- hard borders -- that make the exchange of data, both internally and externally, complicated and challenging. 

In the last two years, new data protection regulations have gone into effect in a number of different regions:  Japan, China, Australia, and most recently (and with the largest “bang”), the European Union.  Each of these regulations imposed  nuanced requirements on companies, often asserting data localization requirements, implementing the principle of transparency and including consent initiatives when these organizations collect and process data. Most importantly, companies need to proactively be aware of the implications of the technology they use and the data they collect which depending on the regions in which they operate.  

This changing legal landscape is no more apparent than in the European Union (EU), with the General Data Protection Regulation (GDPR).  The GDPR imposes a number of proactive privacy measures on entities, both within the EU and outside of the EU, that are poised to drastically change the way businesses maintain and exchange data from within the EU.  At its core, the GDPR asserts data privacy and security principles on companies.  The GDPR does not discriminate depending on the industry or the size of the organization.  It universally and equally requires  data minimization, data localization, transparency, and accountability by all organizations.  The GDPR empowers data subjects to take control of the data collected by companies about them, and to require that those companies to account for all processing of that data, and all third-parties who have access to that data.

The “GDPR model” is becoming the de facto standard.  Canadian data protection laws are changing this fall, bringing them more in line with the the GDPR.  Even individual states are moving more towards providing similar data protections as the GDPR:  California is in the midst of a debate of how much control to give data subjects regarding their data.  What started as a potential ballot to be included in the fall elections has now become a bill in the California state legislature and appears to provide similar data protections as many of these international regulations.     

These varying principles of data privacy and cybersecurity converge when organizations exchange, transfer and process sensitive information across borders and, as such, implicate a number of different regulations. Take for example the growing prevalence of cloud storage, with companies opting to store data and systems off premise, in a data center located in a specific location, or in multiple data centers. Either option directly correlates with a legal obligation and potential ramifications for regulatory compliance and contractual agreements.

When addressing cross-border data management, companies should take key steps in order to better understand any legal obligations or liabilities, before an issue arises.  The first step is knowledge:  What data is collected? What is done with that data? Where is that data stored? These regulations increase the power of the data subject, which dovetails into a burden on companies to provide the necessary transparency, both prior to and after the collection of data.  In order to provide accurate information to meet these obligations companies need to know, before collecting the data, what it intends to do with that data.      

Second, a company needs to know who has access to that data.  This is both internal access -- a company’s own employees-- and external access -- third-parties or partners.  Understanding the “who” is involved in a “data transaction” is key to ensuring security along that entire chain and providing the necessary transparency to the data subject.  The use of processors and sub-processors is common -- but, companies need to ensure that each party involved understands its obligations and adequately protects and secures the data.

Third, a company needs to understand the data lifecycle: how long is the data needed? What happens when we no longer need the data? Data storage is expensive, especially if additional security measures are needed such as encryption or redundancy.  Often, companies are not even aware of all of the “old” data that it maintains -- old data that is no longer useful but remains a liability in the event of a breach.  Creating “house cleaning” policies (i.e. data destruction and retention policies) is key to decreasing costs and potential legal ramifications.

Ultimately, companies need to understand this convergence of domestic and international data obligations and its effect on creating efficient and secure data management practices in order to meet the needs of the business.  Technology and data is like a spiderweb within an organization -- it impacts a number of different business units, and requires a holistic approach.  Taking key steps early-on in the data collection process can drastically minimize long term costs and liabilities. 

Learn more about this topic in my session at the Consumer Identity World September 19-21, 2018 in Seattle.

* * * * *
Nothing contained in this blog post should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.

See also