Global companies need to ready GDPR-like compliance for a growing list of markets
When “GDPR” is getting searched more often than “Beyoncé,” you know things have gotten critical.
Searches for information on the EU’s data privacy regulation are now outpacing searches for Queen Bey, who has more than 100 million Instagram followers.
Ready or not, GDPR comes into force today, bringing with it confusion and concerns about fines. A recent Ponemon survey of 1,000 companies showed that 60% of tech companies would not be ready when GDPR came into force.
While many businesses appear to be making the calculated (or unprepared) decision to take their chances rather than complete GDPR readiness, the EU isn’t the only place updating data regulations. For global businesses, the smarter play is to continue refining compliance measures. Here’s an update on other data privacy regulations since we last posted in March:
Bermuda: Personal Information Protection Act (PIPA)
Noting that “many countries recognize this as an important human right and have developed laws to protect individuals’ personal information,” Bermuda’s Personal Information Protection Act (PIPA) comes fully into effect in Dec. 2018. Bermuda follows the global trend towards data protection and adopts a broad definition of personal information as any identifiable information about an individual. Information transferred to a third party remains the responsibility of the Bermudian organization performing the transfer, in recognition of the necessity of regular transfers of information in Bermuda’s financial and insurance markets. Fines for compliance offenses top out at $25,000 and up to two years’ imprisonment for the responsible individual, and up to $250,000 in fines for companies.
Cayman Islands: Data Protection Law (DPL)
Coming into force in Jan. 2019, the Cayman Islands Data Protection Law (DPL) sounds a lot like GDPR, with a “data controller,” a division of data into personal and sensitive categories, and rights for individuals over their information. However, violators could find themselves on the wrong end of a search warrant, and the DPL allows liability to be imposed on corporate directors, secretaries, or officers, though a fine can’t exceed $250,000 for a single offense and organizations get up to five days for breach notification. Transfer of information to foreign governments will only occur if it is permitted under local laws or ordered by the Cayman Islands’ Grand Court.
China: Personal Information Security Specification (Voluntary)
In effect as of May 1, 2018, this voluntary specification addresses many of the same concerns as GDPR: how personal data should be collected, retained, transferred, and protected, as well as breach notification and consent guidelines. Although voluntary, the specification is likely to become influential within China if widely adopted.
India: TRAI Data Privacy Recommendations (Draft)
As of this writing, the Telecom Regulatory Authority of India (TRAI) is expected to provide broad principles to guide data ownership, privacy, and security, but will stop short of a detailed law because the space is rapidly evolving. The first draft of the recommendations that TRAI hopes will lead to legislation should be ready by June 2018.
Israel: Data Privacy Regulations
Enacted in 2017, Israel’s data privacy regulations provide protections for both the private and public sectors. The International Association of Privacy Professionals (IAPP) described the regulations as “unprecedented around the world for their scope, level of detail, and legal effect,” noting that a violation can be a criminal offense. Granular requirements include multifactor authentication and the rotation of passwords every six months. Most recently, Israel increased fines to 3.2 million Israeli dollars with the goal of increasing compliance.
New Zealand: 2015 Cyber Security Strategy and Action Plan Refresh
Cybersecurity is seen as foundational for protecting citizens and economic growth in New Zealand, with the announcement of a refresh to the country’s cybersecurity action plan. Broadcasting, Communications and Digital Media Minister Clare Curran also cited goals to make information and communication technology (ICT) a major contributor to New Zealand’s gross domestic product (GDP). A working group of government institutions and non-governmental partners will start preparing guidelines in July 2018 and will also involve the citizenry in formulating an updated plan.
Thailand: Data Protection Act
Approved at the beginning of May, Thailand’s Data Protection Act is expected to come into force within 2018. Enacted after mobile phone operator True Move exposed 46,000 records without repercussions, the new law will be aligned with GDPR.
Viet Nam: Law on Cybersecurity (Draft)
The latest draft of Viet Nam’s Law on Cybersecurity now requires offshore entities that provide telecom or internet services to comply with the law, to have headquarters or representatives in country, and to store data there as well. Due to vague wording, however, it is unclear whether the draft introduces a new restriction on storing data within Viet Nam. The law, which has been through 16 drafts at the time of this writing, remains open for comment.
We Can Help You Protect Your Customers
Many organizations claim that they’re putting the customer first. For a global public growing increasingly aware of the consequences of breaches, that will likely mean taking care of their data in alignment with government regulations. If you’d like help with compliant authentication, or would prefer to get it done with a whole lot less hassle, please reach out to firstname.lastname@example.org.
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 1.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.