Developing a strategy for cross-jurisdictional compliance
To develop a strategy for cross-jurisdictional privacy and data protection, it is necessary to build a functional understanding of the physical assets, the information located, and the activities taking place within each jurisdiction. It is also necessary to have a functional understanding of the legal regime in each jurisdiction, with particular attention to:
- the regime protecting information and communications from unauthorized access or interception;
- rules that prevent cross border transfers ("on soil requirements") and/or which impose requirements that apply before information can be sent or made accessible outside the jurisdiction;
- the privacy regime and whether or not it could be used to protect information not collected from residents in the jurisdiction;
- making sure that local privacy policies and the information handling practices are consistent with the local law relating to collection, use or processing, disclosure and destruction or de-identification; and
- sector-specific information regulations that may apply to your business and/or to the businesses that are your customers.
Your strategy needs to consider a range of elements including:
- making sure that the transfers and disclosures of information that are taking place are consistent with the laws and policies in place in the source jurisdiction; and
- making sure that information is not being placed at risk by procedures or processes taking place in a location where there may be no effective legal remedy for a failure in compliance and/or where security procedures cannot be assured.
The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, which has been adopted by the Australian Government and ASIC, outlines that a resilient strategy should:
- identify the security environment;
- protect the security system;
- detect security breaches;
- incorporate a data breach response strategy; and
- incorporate a recovery strategy following a data breach.
See Analysing your data and data flows.
See Anticipating issues and risks.
See Selecting local experts and asking the right questions.