By: Sonny Zulhuda
Implications of Data Protection Laws to Business Organizations
Whichever approach is preferred, it is fair to forewarn industries and business organizations that legislatures worldwide are seeking ever wider legal measures to protect personal information. It may someday come to the point where every aspect of the handling of personal data is regulated.
To keep their business activities going and growing, organizations need to be alert to the legal risks surrounding personal data protection. The legal fences now being erected will inevitably reduce the liberty organizations previously enjoyed in conducting their activities. In particular, ever more vigilant consumers keep watching the industries, which exposes organizations to liability whenever the principles of data collection and use are infringed. A lack of awareness in this area will certainly place them at high risk too. Business organizations seem to have no option other than to follow and comprehend the development of the law, and so safely avoid legal liabilities.
Education, compliance and operational activities will require strategic planning and implementation. It has been noted that in most cases companies wait to see new rules and laws actually being implemented, because the effort and expense of conforming to the guidelines are not small. This 'wait and see' attitude is passive and very risky. Instead, organizations should adopt more proactive and less risky measures in dealing with the liability risks of personal data protection, and this can only be achieved through proper strategic planning supported by strong awareness of the problem.
Beyond that, cost is among the foremost concerns. Compliance with the new personal data protection rules in the US costs up to USD 30 billion (Actonline.org, 5/8/2001). This is due, among other things, to the need for awareness programs, administrative compliance, systems adjustment and other compliance measures.
For a better understanding of the implications, organizations should turn their attention to the following aspects of risk:
Legal Liability Risk – The law on personal data protection (whether passed or proposed) prescribes rights, obligations and duties for all parties involved in the collection, use and management of personal data, so companies that use such data are directly affected. To give effect to these rights and duties, the law regulates the manner of enforcement and, in the event of contravention or neglect of the rules, provides for penalties under both criminal and civil law.
Financial Risk – A new law always brings new costs of implementation. Here, personal data protection law requires that the vast amounts of data retained by companies be re-administered in accordance with the new rules, and that a new set of internal data privacy and security measures be prepared. Substantial costs are also incurred in meeting the requirements to update and notify data subjects about their personal data and, not less important, in updating the information processing and computing systems that support the new mechanisms.
Reputation Risk – Personal data protection law is closely tied to the notions of good governance and due diligence, especially because it mainly concerns the rights of the individuals involved in the business: employees, partners, investors and customers. The level of compliance with the new law will therefore substantially influence the reputation an organization enjoys among them.
International Trade Risk – Unawareness of personal data protection law creates difficulties and barriers for cross-border business, because the new law would restrict transborder flows of data to countries lacking adequate protection for personal data. At the same time, the legislation of other countries, for example the European countries, imposes similar restrictions. Hence, compliance with personal data protection law can be a significant factor in the international growth of a business.
Dealing with Risk: Towards Personal Data Management
Privacy risk has become an important aspect of good practice in information security management. A close look at the international standard ISO 17799 on information security reveals that it identifies several aspects closely related to the protection of privacy and confidential information, as follows:
- Awareness of legal obligations
- Complying with the data protection law or equivalent
- Employees’ responsibility to protect confidentiality of data
- Respecting privacy in the workplace
- Establishing a task force for planning, developing and implementing a good personal data policy
It is crucial that organizations first understand the position of the laws that may bear on their business activities. Normally, those responsible for Human Resources Management are to ensure that all employees are fully aware of their legal responsibilities with respect to their use of computer-based information systems and data, especially where this involves the use and processing of personal information.
This should also include the need to understand forthcoming law on the subject. In Malaysia, for example, the data protection bill has been in the picture for about four years, undergoing many changes in response to comments and proposals from the public at large.
This awareness of the legal aspects of personal data is important so that users do not inadvertently contravene legal requirements. Familiarity with the legal requirements relevant to their duties and functions should be a continuing requirement of the organization's personal data policy. Data protection legislation normally covers all types of information, whether held in electronic form or as manual records.
The legislation normally relates to the protection of the rights of individual persons. In many countries it also covers medical records, although increasingly this type of information is governed by separate legislation. Internationally, data protection has become an important issue, and the organization's policy should address its relevance to both staff and third parties. For confidential information, it should be the practice that all employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after their contractual relationship with the organization. It is important for organizations to create a culture of respect for employees' privacy in the workplace. Where the monitoring of employees' online activity at work is nevertheless considered necessary for achieving business objectives, such monitoring should be set out in a concise policy and clearly communicated to employees.
Finally, as part of creating 'inner fences' for risk management, organizations should consider establishing a special team to plan, develop and execute the series of policies needed for personal data protection.
A proper and comprehensive policy should cover all the stages involved: preliminary, developmental and operational. The work should begin with a thorough analysis of the needs for awareness and education programs, IT system enhancement, administrative adjustments and the associated financial implications. Among the key tasks to consider in developing the policies are:
- To review privacy policies against the prescribed data protection principles, including the email use policy, website terms and conditions, confidentiality clauses in employment agreements and the policy for customer relationship management;
- To review their practices of data matching and direct marketing;
- To make these policies available and accessible to all employees, clients and potential customers;
- To develop a sustainable security system to protect the personal data retained by the organization;
- To review the current practice of exchanging and transferring personal data with companies or individuals outside their own country, especially those in countries without specific and adequate legal protection for personal data;
- To prepare, through an association representing data users, a code of practice for guidance in complying with the requirements of the law; and
- To provide a mechanism that allows two-way communication with consumers about the use of their personal data.
Finally: Let the Business Continue
With the global profits and wealth that today's information economy promises, business organizations surely do not want to miss the train. To this end, they keep redefining the way they run their business by taking advantage of information and communications technologies (ICT). These tools have been exploited ever more intensively in order to seize every opportunity the information age makes possible.
The controversy that follows, however, centers on the clash of demands from the two ends of the business: corporations and consumers. On one hand, corporations wish to secure as many informational assets as possible, including consumers' personal information. On the other hand, consumers now demand greater protection of their right to privacy, including the right to control the flow and use of their own personal information. Because of this apparent conflict, in some parts of the world businesses have been forced to adjust the way they deal with personal data and information. This appears to be crucial for them in order to win consumers' confidence.
The preceding discussion has reflected the complexity of this issue. A clear understanding of it, and a working knowledge of the associated risk management, will determine the survival and growth of today's business organizations. It is submitted that such knowledge will help organizations create the rules of the game and the best practices for the collection and use of personal data, balancing the interests of all parties involved.
As a bottom line, one can say that the personal data of individuals is a very important business asset that requires proper management. Otherwise, these assets may simply turn into liabilities.