If your software business handles the personally identifiable information (PII) of citizens of other countries, you should get familiar with data privacy laws across the world – because you’re likely bound to them. If you violate the laws, you may be liable for hefty fines (or worse).
For example, if you’re handling the data of a citizen of a European Union country, you must follow the General Data Protection Regulation (GDPR) standards to protect their data. The same goes for the PII of citizens of Brazil, Israel, Argentina, Russia, or countless other countries. So – what steps do you take to make sure you are compliant?
1. Check the Data Privacy Laws of the Country
It all starts with research. If you’re handling the data of an Italian citizen, get your team to research the data privacy laws of the European Union, specifically the GDPR, and make sure your entire organization is following the rules set forth.
More countries are releasing more stringent rules around data privacy regulation every day, and it can be daunting to stay on top of. Consider assigning a member of your team to be the point person for all things data privacy – and stay on top of new regulations and legislation as they go through the process in their respective countries.
2. Check if you have to Register your Business with a Government Entity
Some countries require businesses to register with a central database managed by a government entity – informing the entity that the business is handling the PII of their citizens. Understand what entity this is, and what you have to do to register.
Some countries may require you to register using a form in their own language. It may be a good idea to get a local consultant or counsel, located in the country, to guide you through the process – as you are likely neither the first, nor the last, to need help with this.
3. Check if you have to Host Data on their Soil
Certain jurisdictions require you to host the data of their citizens on their soil, before you transfer the data out into your jurisdiction.
Review the data privacy standards carefully to understand if this applies to you. It may be that the data is first collected and stored in databases hosted in the country, before you export it to your databases in the United States – which brings us to our next point.
4. Check if there are Regulations to Follow if you are Exporting Data to the United States
There may be extra steps to this process, especially if the country your business is headquartered in is not considered a country that follows “appropriate” data privacy standards.
Fun fact: the United States is on the list of countries NOT following “appropriate” data privacy standards for many countries. Make sure you’re on top of this.
5. Implement Proper Information Security Policies and Procedures
After you’ve done your research, it’s time to look inside your organization to ensure that you are employing appropriate information security policies and procedures to meet the requirements of international jurisdictions.
Just drafting policies will not be enough – you must make sure that your organization, as a whole, is doing it all correctly.
This will also involve having deep discussions with your engineering team to understand the cost-benefit analysis of implementing international data privacy requirements.
Let us Help
This is a very high level overview of how to approach handling the PII of international citizens. Kader Law can help you understand your requirements with our outside general counsel offering, and refer you to data privacy consultants, applications, and attorneys if and when necessary. Let’s connect.
This post is not legal advice, and does not establish any attorney-client privilege between Law Office of K.S. Kader, PLLC and you, the reader.