What are the impacts, and how can companies prepare for them?
Companies are investing heavily in digital technologies and big data. The volume of personal information collected has increased significantly over the last decades and will continue to grow in the coming years.
The use of digital technologies increases risk and raises issues such as violations of consumer rights. Consequently, regulations are emerging globally to reinforce data privacy frameworks and give more rights to consumers.
Anticipating these future requirements will be a key issue for every company. But data privacy is more than compliance; it can also be seen as an opportunity. Investing in data privacy is a strategy rather than a cost.
The General Data Protection Regulation (GDPR) was approved by the EU Parliament in April 2016 and has been enforced in all EU countries since May 2018.
Data deletion principle
Data minimization principle
Right to Opt-in
Clauses in third party contracts
BCR (Binding Corporate Rules) for intra group transfers
Deadline to notify the regulator in case of a data breach
Strict guidelines to establish data privacy governance
Risk Assessment on high risk processes – PIA (Privacy Impact Assessment)
Control plan on data privacy risk
Annual data privacy report
Register of Processing to document personal information and processes
The US has several sector-specific and medium-specific national privacy or data security laws. The California Consumer Privacy Act (CCPA) is a state statute that provides the state's residents with enhanced privacy rights and consumer protection.
Clear framework and dedicated data privacy authority
Individual rights including the right to know, the right to delete, the right to opt out and the right to non-discrimination
Data disclosure requirements
In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent unfair or deceptive trade practices and protect consumers against them, including materially unfair privacy and data security practices.
Introduced on 1 June 2017 by the Standing Committee of the National People's Congress (NPC), this legislation is the first comprehensive set of laws governing cybersecurity and data privacy in China.
Onshore data storage requirements
Significant regulation for transferring data offshore
Individual rights including the right to access information, the right to data portability, the right to be forgotten and the right to object to direct marketing
In October 2020, the NPC released a draft of the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. It is China's first comprehensive law on the protection of personal data; it makes binding the compliance obligations previously considered recommended practice and requires organizations to meet additional requirements.
One of the longest-standing comprehensive data protection laws, based on the 1980 OECD Privacy Guidelines, it was enacted to ensure an adequate level of data protection, to retain the jurisdiction's status as an international trading centre and to give effect to human rights treaty obligations.
Clear framework ("Data Protection Principles" or DPP) and dedicated data privacy office
DPP1: Lawful purpose for collection
DPP2: Data accuracy and only for intended use
DPP3: Prohibits the use of personal data for any new purpose unless consent is received
DPP4: Data users take all practicable steps to protect the personal data
DPP5: Ensure openness of their personal data policies and practices
DPP6: Data subject right to access and correction of their own personal data
The Personal Data Protection Bill (PDPB) is very much inspired by the GDPR and sets rules for how personal data should be processed and stored. The PDPB is currently pending consideration by the Indian Parliament and may undergo significant changes to its current form. The PDPB is expected to come into effect towards the end of 2021:
Clear framework and dedicated data privacy authority
Individuals rights
Cross-border transfer requirements
Once the PDPB is enacted, a widespread effect should be expected on almost all businesses across India's economy, which will have to meet the bill's conditions.
The Personal Data Protection Act (PDPA) is a well-established data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. The PDPA aims to strengthen and entrench Singapore's competitiveness and position as a trusted, world-class hub for businesses.
Restrictions on the cross-border movement of data
Mandatory data breach notification
Individual rights including the right to access information, the right to data portability, the right to be forgotten, the right to object to direct marketing and profiling, the right to correct data, and the right to withdraw consent to the use and disclosure of data.
The Act on the Protection of Personal Information ("APPI") regulates privacy protection in Japan, and the Personal Information Protection Commission ("PPC"), a central agency, acts as the supervisory governmental body on privacy protection issues. The APPI contains provisions similar to those of the GDPR.
Restriction on the transfer of personal data to foreign countries
Security requirements and third party management
Individual rights including privacy notices, the right to access information, the right to data portability, the right to be forgotten, etc.
On 5 June 2020, the law amending the APPI was enacted; it is expected to enter into force within 2 years of the publication date (i.e., by 12 June 2022).
Sia Partners has assisted many organizations in assessing all their departments against local data privacy laws and the GDPR, using an analytical, risk-based approach.
Sia Partners has assisted many organizations in implementing data privacy roadmaps, covering both local data privacy laws and the GDPR, using a standard but customisable approach: implementation through quick wins or a minimal viable compliance manual, followed by an automation phase.
The goal of the phased approach is to achieve minimal compliance in the first months. Industrialization and automation are then applied to achieve an effective and efficient solution. Phase 2 groups together all major IT impacts.