It would be difficult to find a part of the world where no regulation exists whose purpose is to protect the personal information of individuals. Having proper procedures in place to manage such data, and to mitigate the risks involved in handling it, is essential, particularly because in numerous countries a failure to comply with Data Protection (Privacy) regulations can be a criminal offence rather than merely a civil one. In addition, the penalties can be stiff.
As countries that previously had no legislation in place enact it, the need both to understand the regulations and to comply with them can only grow. The regulations have a far-reaching effect on how data is collected, how it is stored and how it is safeguarded. This in turn affects apparently routine activities such as running payroll, managing personal insurance and pension schemes, and sharing data between members of the same corporate group.
Invariably, countries that have introduced data protection regulations have a regulator responsible for implementing and monitoring adherence to the regulations. Currently, each EU country has its own supervisory authority; under the GDPR these national authorities coordinate through the European Data Protection Board. In the future there may be a single EU-wide data protection authority with offices in each EU country.
Responsibility to report serious breaches: Currently this is not a requirement in most countries, but with the introduction of the GDPR in the EU, which became effective on 25 May 2018, it has become a requirement there. The timescale for reporting is also very short: a personal data breach must be reported to the supervisory authority within 72 hours of the data controller becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. It is only possible to meet these requirements by having a system in place to detect breaches, assess their severity and escalate them to the people responsible for reporting, together with a means of monitoring that those procedures are actually followed.
Requirement to register with the Data Protection Authority: Many countries require any business that will hold individuals' personal data to first register with the Authority and to provide certain information about itself and about the persons within the business who will be responsible for Data Protection.
Consent to collect and process data: Although not all countries currently require this, it is good practice to obtain each individual's explicit consent in writing to process their data rather than relying on assumed consent. In the EU, the GDPR requires a lawful basis for every processing activity; consent is one of those bases, and where it is relied upon it must be freely given, specific, informed and unambiguous, and the business must be able to demonstrate that it was given. For sensitive (special category) data such as health or biometric information, the consent must be explicit.
Penalties currently vary by country, ranging from a financial penalty to an order to delete the entire database. In numerous countries breaches of Data Protection laws can be a criminal offence, in which case penalties can involve prison sentences. In the EU the GDPR sets two tiers of administrative fines: up to €10,000,000 or 2% of worldwide annual group turnover, and, for the most serious infringements, up to €20,000,000 or 4% of worldwide annual group turnover, in each case whichever is the greater. Businesses are, therefore, strongly advised to be compliant with the GDPR.
Examples of countries where Data Protection breaches can be a criminal offence carrying a prison sentence are: Argentina, Denmark, Finland, France, Germany, Hong Kong, India, Italy, Russia, Sweden and the UK.
Examples of high potential fines in countries outside the EU include Australia (up to A$1.7 m), Hong Kong (up to HK$1 m), India (up to US$850,000) and Singapore (up to S$1 m).
The above merely gives examples and is not an exhaustive list of countries with large financial penalties or prison sentences.
These are general guidelines; for more information on your specific country or situation, please connect with us.