Overview: Global privacy and data protection strategy

Developing a strategy for cross jurisdictional compliance

To develop a strategy for cross jurisdictional privacy and data protection, it is necessary to build a functional understanding of the physical assets, information located and the activities taking place within each jurisdiction. It is also necessary have a functional understanding of the legal regime in each jurisdiction with particular attention to:

  • the regime protecting information and communications from unauthorized access or interception;
  • rules that prevent cross border transfers ("on soil requirements") and/or which impose requirements that apply before information can be sent or made accessible outside the jurisdiction;
  • the privacy regime and whether or not it could be used to protect information not collected from residents in the jurisdiction;
  • making sure that local privacy policies and the information handling practices are consistent with the local law relating to collection, use or processing, disclosure and destruction or de-identification; and
  • information regulations that apply to specific industry sectors that may be applicable to your business and or the business that are your customers.

See Developing a strategy for cross jurisdictional compliance.

Your strategy needs to consider a range of elements including:

  • making sure that the transfers and disclosures of information that are taking place are consistent with the laws and policies in place in the source jurisdiction; and
  • making sure that information is not being placed at risk by procedures or processes taking place in a location where there may be no effective legal remedy for a failure in compliance and/or where security procedures cannot be assured.

The US National Institute of Standards and Technology (NIST) Framework for improving critical infrastructure cybersecurity, which has been adopted by the Australian Government and ASIC, outlines that a resilient strategy should:

  • identify the security environment;
  • protect the security system;
  • detect security breaches;
  • incorporate a data breach response strategy; and
  • incorporate a recovery strategy following a data breach.

See Analysing your data and data flows.

See Anticipating issues and risks.

See Selecting local experts and asking the right questions.

Documenting, implementing and maintaining compliance

Generally, strong technical controls and procedures are used to help prevent information from being hacked or a system from being compromised by malware. Technical controls can be overcome with well targeted and sometimes simple efforts in social engineering. There is no point in having strong software, network security and well trained personnel if relevant physical assets are vulnerable due to low security awareness, poor business practices or vulnerable physical security.

It is important to maintain a needs-based information control system across the organization. Access controls must ensure that information is not available to those who have no good reason to access it. Your strategy also needs to guard against a determined insider — background checking, security training, a culture that encourages and rewards reporting, appropriate logging of access incidents and information used together with periodic auditing and penetration testing must form part of the picture.

See Documenting, implementing and maintaining compliance.

In this subtopic, we discuss your objectives in developing a global privacy and data protection strategy. We identify aspects of your business that should be considered, the information collected and processed and the location of that information. We describe considerations in carrying out data mapping, anticipated issues and risks and also provide guidance regarding the selection of local experts. Finally, we provide suggestions for implementing and maintaining compliance.