30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesThe need for multinational organisations to familiarise themselves with their regulatory obligations around the world is further reflected by the results of analysis conducted by the cyber team at international professional services firm Pinsent Masons which found that 30% of the cyber-related matters the team worked on in the past year involved at least two jurisdictions.
Data security obligations have been enshrined in a range of data protection legislation and sector-based regulations for years, but in recent times law makers and regulators have moved to stiffen the requirements businesses must meet around data security to reflect the move businesses have made to meet growing customer demand for digital services and the increased and evolving cyber risk.
Perhaps the most significant development has been the implementation of the General Data Protection Regulation (GDPR).
The extra-territorial effect of the GDPR makes it relevant to businesses that may not think of themselves as subject to it. Guidance published by the European Data Protection Board (EDPB) in January 2020 confirmed that whether or not a business is subject to the GDPR depends on whether a particular processing activity it engages in falls within the scope of the Regulation. It means that organisations which either have offices or some form of "establishment" in the EEA, or which target sales of goods or services to individuals in the EEA or track the activities of individuals in the EEA can nevertheless be subject to the GDPR.
The territorial scope of the GDPR matters because of the tough new rules it introduced. Not only did the GDPR bolster expectations of the way organisations provide for the security of the personal data they collect, use and store, it introduced for the first time in EU legislation a general duty to notify personal data breaches to data protection authorities and data subjects, in certain circumstances, within 72 hours of such a breach being identified. Businesses in some sectors of the EU economy, such as telecoms and banking, already faced data breach notification requirements under earlier legislation.
In the context of cyber incidents, the EDPB's guidance makes organisations' assessment of whether or not the GDPR applies a nuanced one, with a particular focus upon the processing activities relevant to the incident. To carry out this assessment in the typical tight timescales following an incident can be particularly challenging for organisations and requires expert advice – 25% of instructions to our European cyber teams involve the provision of advice to non-EEA entities as to whether or not the GDPR applies.
In positive news for businesses, further guidance has been promised by the EDPB in relation to the 'one stop shop' mechanism that applies under the GDPR. This is the system that enables organisations to engage with just one data protection authority in respect of incidents or other matters that have a cross-border impact, instead of potentially tens of different authorities within the EU as was previously the case.
Our experience, as the EDPB's own reported findings support, is that the way the one stop shop mechanism operates could be improved, so further clarification of the procedural steps and harmonisation of the approach taken by data protection authorities across the EU would be welcome.
The GDPR has been used as a model by other countries around the world that have moved to update, or introduce entirely new, data protection legislation. Brazil, Thailand and Panama are among the countries that have adopted new legislation that aligns closely to the GDPR.
Stuart Davey
Partner
It is incumbent on businesses operating across jurisdictions to familiarise themselves with their regulatory requirements and prepare effective, tested incident response plans
Mandatory data breach reporting is increasingly being favoured by policy makers. Just this month it was announced that changes to data protection rules in Singapore are planned, which would introduce mandatory breach reporting and allow for fines of up to 10% of annual turnover. In Hong Kong, a discussion paper issued in January 2020 indicated general support for the introduction of a mandatory breach notification mechanism, though legislative change is likely to be some years away.
Potential reform to data protection law in the UK could follow the end of the Brexit transition period, as hinted at in the UK government's recent national data strategy paper, but in the short-term at least a 'UK GDPR' will apply, as the legislation is set to be retained in UK domestic law from 1 January 2021.
However, even though the UK GDPR will mirror the obligations in the GDPR, organisations which operate in both the UK and across the EEA will still effectively be subject to two regimes and therefore will have to adapt to supervision by both the ICO and a lead supervisory authority in the EEA. This means that from the end of transition period, those organisations may be exposed to two separate enforcement regimes, including two sets of penalties, in respect of incidents which breach both UK and EU data protection laws.
With the legal frameworks across the world set to change further around data security and breach reporting, and as cyber risk continues to evolve and pose a threat, it is incumbent on businesses operating across jurisdictions to familiarise themselves with their regulatory requirements and prepare effective, tested incident response plans.
Written by
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
Businesses in Germany face increased risks of mass claims being raised against them if personal data they are responsible for is made available for sale on the ‘dark web’, experts have said following a ruling by the country’s highest court.
OUT-LAW NEWS
A major new review has been launched into the role of artificial intelligence across the finance sector launched by the UK’s financial watchdog.
OUT-LAW NEWS
Global businesses importing goods to the US on Friday face immediate uncertainty over the rate of tariffs that will apply to imported products following a major ruling by the US’ highest court, according to an expert in international trade.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
