This week I'm researching data privacy/data security conundrums that global companies face. There are several, because different countries have different laws on the subject, and some countries (like the United States) have several different laws on the subject. Monday, the advice was to first find out where the data resides because that will determine which laws apply. In several cases, that is true. Or at least it's a good starting point. But it's not always true, so it's certainly not the final word on the matter.
Tuesday, I had the opportunity to speak with Janine Bowen, a partner in the Atlanta offices of McKenna Long & Aldridge. She focuses her practice on commercial transactions centered around technology and intellectual property, and she agreed that two of the biggest compliance issues for companies that operate on a global scale are information security and data privacy. (The same is largely true for companies using cloud computing, but that's a post for another day.)
She offered a hypothetical example about a global company:
Say they have some sort of new performance management system that is going to be globally run out of the Atlanta office, and they need to figure out how to get records for employees in the European Union over to Atlanta. That's when you have a problem because you've got to make sure you've got the right level of consent from the individuals whose data it is for you to move it around.
What a lot of people miss with the EU data protection directive, Bowen says, is that it doesn't matter where the data is located or housed. What matters is where the person resides whose data it is. California and Massachusetts data breach notification laws are constructed the same way. They apply to California and Massachusetts residents, not to data being housed in those states.
So what's a global company subject to so many laws to do? Bowen says she knows of no technology that's set up to flag data based on whose it is and where that person lives, so technology may not be much help yet. And experts are debating the best approach in those circumstances. Some, according to Bowen, say companies should model their practices after the EU data protection directive requirements. If they do that, they're usually covered. That won't necessarily work in every circumstance, but "it's a good starting point," Bowen says.