09 May Data Protection: Why you must comply and How to do it while running a Transnational Business – A focus on Colombia
With the European Union's General Data Protection Regulation (GDPR) about to come into force, a very large number of companies are scrambling to achieve compliance before May 25, the date from which the regulation applies. Surveys show that 99% of companies are actively working towards GDPR compliance, and even Apple has announced that it will refresh the privacy controls for its devices and iCloud services this month, before compliance becomes mandatory.
Companies have struggled to reach full GDPR compliance largely because data protection has been persistently neglected. This is borne out by the fact that more than 66% of European websites have not yet been adjusted to the GDPR's provisions, and hardly any of them state clearly where user data is stored. That is just one of many examples of the lack of awareness of data protection, even though it has been part of most legal systems for several years.
This situation is now changing, mostly thanks to the high penalties and administrative fines established for breaches of the new data protection regime. The GDPR allows a country's supervisory authority to impose fines of up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Such fines can be imposed for infringing the basic principles for processing (including the conditions for consent), the rights of the data subject, the rules for transferring personal data to a recipient in a third country or an international organization, or for failing to comply with an order of a supervisory authority.
A further consequence of non-compliance is the reputational damage a company can suffer, since people now regard data protection as one of their most serious concerns. When they find out that a company is not meeting data protection requirements and their data is at risk, they are likely to turn on that company and sever their relationship with it, as has happened repeatedly with former users of platforms such as Facebook, WhatsApp and iCloud.
Companies operating in more than one country are at particularly high risk of breaching data protection laws, as local regulations become increasingly protective of the data subject. For instance, the GDPR does not apply only to European companies, but to any organization in the world that processes the personal data of individuals in the EU.
It is frequently overlooked that the applicable data protection law is not only that of the country where the company operates, but also the law that protects the foreign customer or data subject. This follows from the extraterritorial reach of data protection regimes, which seek to protect the data subject regardless of where, and by whom, their data is processed.
In Colombia's case, the Superintendence of Industry and Commerce (SIC) has claimed jurisdiction to enforce the local data protection law against any national or international company that processes the personal data of Colombian citizens, and to impose fines and penalties on those that breach it. That means a company that processes data belonging to both a Colombian citizen and a European citizen must observe both data protection regimes, or face the sanctions provided for in both. And if the company is established in a third country, it will have to observe that country's law as well.
Fortunately, a single, rigorous data protection policy that meets both international and local standards can substantially reduce the risk of breaching data protection laws. Data protection goes much deeper than simply registering databases: it requires involving every department in the company, and implementing procedures down to the operational level, for example to control where an operator writes down the personal information given by people who call or walk into any office or operations center.
An internal reorganization is therefore unavoidable. It should include giving users real tools to control how their data is stored and processed; making sure people understand what happens to their data after they give consent; finding out where all personal data is located and stored; and mapping that data to the business processes that created it, since most companies would otherwise be unable to explain how they obtained a given piece of data.
To sum up, there is still a great deal of neglect and misinformation about data protection duties, about what enforcing a compliance policy actually means, and about the severe consequences of non-compliance. It is also commonly overlooked that you will probably have to comply with several different data protection laws when you store data belonging to citizens of different countries. As we have explained, under data protection law (whether the European GDPR or any other local law) you may find that a supervisory authority asks to see your records of data processing, that you receive numerous access requests from users whose awareness of data protection has risen sharply, or, in the worst case, that you become the target of a class action like the one Yahoo faced. All of these are real possibilities, and you must be ready for them.