Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend toward adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies remains. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.
Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.
To successfully operate in a multi-jurisdictional world, businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues for the GDPR, compliance is key. Octillo attorneys know the difference between being in compliance with privacy laws and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel to discuss whether and how your company can comply with the GDPR or national and international privacy laws.
DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.