ANNUAL REVIEW
Data Protection & Privacy Laws 2018
December 2018 | DATA PRIVACY
financierworldwide.com
Data protection and privacy has never been higher on the corporate agenda. It is imperative that companies – of all sizes, in all industries and across virtually every jurisdiction – prioritise data management if they hope to fully exploit the opportunities of the digital age while remaining compliant with the raft of new legislation coming into force.
UNITED STATES
Jessica N. Cohen
Skadden, Arps, Slate, Meagher & Flom LLP
“Large mature companies based in the US are generally attuned to their data privacy and protection duties. This is particularly true with respect to multinational companies, many of which used the May 2018 compliance deadline for the European Union’s (EU’s) General Data Protection Regulation (GDPR) as an opportunity to evaluate their overall data privacy compliance programmes. However, challenges still remain for smaller and less mature companies which may not have the resources or infrastructure to adequately implement comprehensive compliance programmes.”
UNITED KINGDOM
Steven James
Brown Rudnick
“The introduction of the European Union’s (EU’s) General Data Protection Regulation (GDPR) in May 2018, and the Data Protection Act 2018, which was implemented in the UK shortly afterward, pursuant to the GDPR, appeared to raise the level of awareness of data privacy compliance in the UK to unprecedented levels. Organisations which had perhaps not engaged with local data privacy requirements with the required rigour were suddenly not just papering over the cracks by drafting a privacy policy, but using the exercise to undertake a more systematic review of their data privacy compliance.”
GERMANY
Dr Jochen Lehmann
GÖRG
“On the whole, companies do need to do more. There are, of course, those companies that fully understand the opportunities presented by the digital age, but there are also risks and so they act accordingly. But recent surveys have shown that a lot of companies, even in areas such as healthcare, are neither prepared to adapt their business activities nor, in particular, their security provisions. This is all the more surprising as it is not only essential for any company to be compliant – given the heavy fines available to the regulators – but also rather short-sighted because customers, consumers in particular, often show less patience with companies that are careless with personal data.”
ITALY
Francesco De Biasi
Cleary Gottlieb Steen & Hamilton LLP
“We have noticed a significant increase in company awareness of privacy and data protection obligations, not only in light of the high level of fines that the European General Data Protection Regulation (GDPR) currently imposes on them, but also in light of the potential reputational risks that non-compliance with privacy and data protection laws may entail. We have noticed that, as a consequence, more companies have adopted a preventive and group-level approach to privacy and data protection matters in general, and, in particular, to comply with the GDPR.”
SERBIA
Ljiljana Urzikic Stankovic
Stankovic & Partners
“In the last few years, companies in Serbia have become more aware and have a better understanding of the concept of privacy and personal data protection. Crucially, the new Law on Data Protection has recently been adopted. Prior to that, the previous law governing data protection was introduced in 2008, and for a long time, data privacy and protection were relatively new and unknown concepts for many Serbian companies. The most important changes in this field have been felt as a result of the enforcement of the European Union’s (EU’s) General Data Protection Regulation (GDPR).”
ROMANIA
Marta Popa
Voicu & Filipescu
“A first step toward General Data Protection Regulation (GDPR) compliance is a proper analysis of the internal business operations of a company, drawing up adequate and real data flows, followed by a proper GDPR gap analysis. Many Romanian companies, especially major but also small companies whose activity is data-sensitive, have made progress in complying with the GDPR which is, in part, due to Romania having highly skilled IT and security specialists who are involved in the process. There is still room for improvement until a significant number of local companies understand how the GDPR is impacting their business, which is a matter of management being aware of and educated about the impact and risks of digitalisation.”
RUSSIAN FEDERATION
Sergey Medvedev
Gorodissky & Partners
“Data privacy and protection has become one of the most discussed topics in the information technology (IT) sector in recent years. In the digital age, amid evolving data privacy laws, companies, including those operating in Russia, as well as foreign investors, should carefully assess their data protection strategies and achieve data privacy compliance to mitigate the associated risks. However, not all of them are fully aware of their rights and obligations in this particular area, especially their confidentiality duties, required security measures, data transfer rules and the ‘localisation’ requirement, when processing personal data online or offline.”
PAKISTAN
Saifullah Khan
S.U.Khan Associates
“Pakistan is in the process of introducing data protection legislation similar to the EU’s General Data Protection Regulation (GDPR). GDPR, due to its territorial scope, is applicable to web shops established in Pakistan. Local and global incumbent obligations on companies in Pakistan certainly require them to do more to fully understand their data privacy and protection duties. In particular, local legislation, when enforced, would require companies to take steps to become fully compliant with legal obligations. The proposed legislation aims to put extensive obligations upon companies – in their capacity as data controller or data processor – so it is the right time for companies to study best international practice in order to introduce new processes.”
INDIA
Anirudh Rastogi
Ikigai Law
“Companies’ approaches to data privacy in India, like elsewhere in the world, are not homogenous. Some have very sophisticated data protection practices, some do not. More importantly, however, Indian data privacy laws are still evolving, and consequently, so are companies’ data protection obligations. India recently released its draft Personal Data Protection Bill in July 2018. This bill takes the country one step closer to having a comprehensive data protection regime. Once enacted, it will replace the data protection safeguards under the Information Technology Act, 2000 (IT Act), the current law that governs the collection and use of personal data by companies in the country.”
CHINA & HONG KONG
Jennifer Ho
PwC Hong Kong
“The increased pace of digital innovation and the evolving technology landscape, including innovations such as the Internet of Things (IoT), cloud computing, intelligent process automation and artificial intelligence (AI), has created exciting new opportunities, new streams of investment and new sources of revenues. Digital innovation has also led to an elevated risk of data privacy and protection issues. Data breaches have grown exponentially, thus it is more important than ever for companies to safeguard their data and assets. Some companies may not even know that their current business practices are in breach of the relevant data privacy and protection regulations.”
JAPAN
Takashi Nakazaki
Anderson Mori & Tomotsune
“More Japanese companies are receiving personal data from foreign countries while providing online services to foreign consumers and, as such, they are becoming increasingly subject to the data privacy regulations of the consumers’ home countries. Accordingly, companies have to comply with cross-border data transfer regulations and be aware of the possible extraterritorial applicability of other regulations. Also, many Japanese companies utilise third-party services, such as cloud computing and data analysis. These services are sometimes provided by foreign entities and, as such, Japanese companies must be aware of the potential risks arising from such a data transfer.”
SINGAPORE
Jennifer Chih
PK Wong & Associates LLC
“Companies in Singapore are increasingly aware of their duties in relation to data privacy and protection. However, there remains much room for improvement. While many businesses have put in place data protection policies and appointed data protection officers, compliance is often formulaic. Many businesses still fail to understand that data protection requires a continuing effort and that data protection measures need to be embedded into each business’ practices and processes. In addition, with the blurring of geographical lines, businesses sometimes fail to grasp that the data privacy and protection laws of other jurisdictions may also apply to their operations.”
ISRAEL
Haim Ravia
Pearl Cohen Zedek Latzer Baratz
“Media and industry coverage of two pieces of legislation that took effect in May 2018 have raised awareness of data protection issues among Israeli companies. The first legislation is the Protection of Privacy Regulations (Data Security), which sets out detailed and prescriptive information security requirements for all companies processing personal data. A few months after the regulations took effect, the Israeli Protection of Privacy Authority, the Israeli privacy regulator, launched a broad, cross-sector inspection campaign at organisations processing personal data in the context of consumer membership clubs, hospitality, medical institutions and clinics, higher education institutions, not-for-profit organisations and others.”
CONTRIBUTORS
Anderson Mori & Tomotsune
Brown Rudnick
Cleary Gottlieb Steen & Hamilton LLP
GÖRG
Gorodissky & Partners
Ikigai Law
Pearl Cohen Zedek Latzer Baratz
PK Wong & Associates LLC
PwC Hong Kong
S.U.Khan Associates
Skadden, Arps, Slate, Meagher & Flom LLP
Stankovic & Partners
Voicu & Filipescu