Several things need to be taken into consideration when working with international data. At NearZero, our chief concerns are the privacy of said data, where we host the data, and whether there are any special requests from the data holder.
Often, we need to deal with EU data in our line of work. When dealing with this type of data, additional considerations arise from the General Data Protection Regulation (GDPR), which took effect in May 2018. The regulation gives data subjects the right to be forgotten, allowing individuals to request the removal of their data from systems and databases. It is important to note that this regulation applies whenever personal data of individuals located in the European Union and European Economic Area is processed. It is not hard to see how this presents additional challenges for collecting and holding data.
Violation of the terms of the GDPR leads to fines of up to 4% of annual global revenue turnover. This penalty means the GDPR should be taken seriously. There are several essential considerations we take to ensure we work properly with GDPR data; we recommend considering these things if you are dealing with European data:
- First and foremost, we ensure that there is at the very least a legal basis to process any individual data (this is done in connection with our legal teams. The projects that get to us have often had a legal basis established. It would be essential to ensure a legal basis at your establishment before dealing with any European data). For further information on what is considered lawful processing, see Article 6 of the GDPR: https://gdpr-info.eu/art-6-gdpr/
- If possible, obtain consent from custodians before processing their data (if the custodians agree to the processing of their data, this can be interpreted as a valid legal basis. Ensure this consent is explicit).
- Work with as little personal data as possible or required (this ensures that you are not overreaching and dealing with more personal data than is needed to complete your tasks).
- To avoid any issues, ensure that EU data is hosted in the European Union and remains there. If this data must leave the EU, several additional checks and balances must be put in place. These considerations are beyond the scope of this blog. However, when dealing with data in the cloud, there are additional questions as to exactly where the data resides.
There are many other vital factors of the GDPR. A crucial part of the GDPR is that it is a regulation and not a simple directive; this gives it a higher level of force and applicability. In the wake of the GDPR, many have complained about its effect on a corporation’s ability to gather information, especially in sensitive and confidential matters. However, the GDPR is here to stay, and a better approach is to find ways to work within this framework, which makes it vital to keep these considerations in mind. Since its adoption in 2018, copycat regulations have appeared in other nations worldwide. Countries in South America (Argentina, Brazil, Chile), Asia (Japan, Turkey) and Africa (Kenya) have adopted similar laws.
Official GDPR website: https://gdpr-info.eu/
LegalTech News article: The GDPR: Current Considerations for Corporate Legal Counsel and Discovery teams (May 15, 2017)