Published on March 13, 2024 by Devika Jain and Akash
Introduction
Our connection with the internet, whether we intend it or not, means that most of our personal information, such as name, age, location, finances and health, is out there. Such data is, as Clive Humby put it in 2006, the new oil. He meant that data, like oil, is not useful in its raw form; it needs to be refined, processed and turned into something useful[1]. Data is to the 21st century what oil was to the Industrial Age: economies will be run on data, and those who manage it efficiently will be the ones who succeed.
Why do we need data?
Organisations use data to identify potential customers and understand their requirements and preferences. Data helps in research for business development and making critical business decisions.
Data held on organisations’ own servers or obtained from third parties is also the primary raw material for training artificial intelligence (AI) systems, which we rely on daily for social media, banking, shopping and entertainment. Service providers process significant amounts of personal data to customise results for users.
Why do we need to protect it?
Access to data by someone other than the intended recipient could cause irreparable financial or reputational damage to an individual or organisation.
Data protection and compliance should be a priority, to prevent data breaches such as the following[2]:
-
Yahoo’s data leak in August 2013 impacted around 3bn accounts globally.
-
India’s Aadhaar data breach in January 2018 impacted 1.1bn Indians, exposing identification and biometric information such as photos, names, addresses, email IDs, phone numbers, retina scans and fingerprints. Aadhaar is a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the government of India. The breach had a devastating impact because the bank details linked to Aadhaar numbers were also exposed.
How can we protect it?
Many countries have experienced the devastating effects of unauthorised access to data and have subsequently implemented laws to protect it, such as Singapore’s Personal Data Protection Act 2012.
The EU and the US were among the first to draft and implement data protection laws:
-
The Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a US federal law (an Act of Congress) that was enacted on 21 August 1996. It covers protected health information (PHI), including details of medical treatment and medication, biometric identifiers such as fingerprints and retina scans, and medical record numbers. It ensures that a patient’s medical information can be accessed only by the patient or by a personal (authorised) representative, i.e., a person with legal authority to make healthcare decisions on the patient’s behalf. An “authorised representative” means the patient’s guardian, a person acting in the place of a parent who is legally authorised to make healthcare decisions on behalf of a minor, or a person authorised to act on behalf of a decedent or their estate[3]. Healthcare providers, health plans and other covered entities are responsible for safeguarding this data. The Act prohibits these organisations from disclosing PHI to anyone other than the patient or their authorised representative without the patient’s written authorisation, except for a defined set of permitted uses such as treatment, payment and healthcare operations.
-
The General Data Protection Regulation (GDPR): The EU’s GDPR came into effect on 25 May 2018. It applies to organisations established in the EU that process personal data, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. The GDPR protects natural persons with regard to the processing of their personal data and provides a framework for the movement of that data within and outside the EU.
The GDPR also sets out the conditions under which personal data may be transferred to a third country outside the EU, so that the data continues to receive GDPR-equivalent protection. It is a regulation and not a directive, which means that it is directly binding and applicable in all member states without national implementing legislation. A violation can result in a fine of up to EUR20m or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is greater.
-
The Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act of 1999, the GLBA limits how financial institutions in the US may collect, use and share customers’ non-public personal information. The Act requires these institutions to explain to their customers how they share information and to give customers the right to opt out of certain sharing with non-affiliated third parties; it also requires them to implement safeguards to protect that information[4].
Conclusion
Data is the driving force of this century, playing a critical role in understanding trends and keeping up with rapidly changing markets and preferences. Although data can simplify our lives in many ways, storing it securely is a challenge, as a breach could cause irreparable damage. Adherence to data privacy measures is one step towards ensuring data protection. Western countries were the first to identify this and draft laws and policies for this; a number of Asian and African countries seem to be lagging behind[5].
How Acuity Knowledge Partners can help
We are experienced in data privacy and cybersecurity laws and help clients with the following:
-
Being prepared for data breaches and incident response
-
Data mapping, gap assessment and system inventory
-
Creating data privacy contract clauses
-
Data privacy impact assessments (DPIAs)
-
Data privacy management
-
Data privacy policies and procedures
-
Regulatory response to data privacy (GDPR, CCPA, HIPAA)
-
Data-sharing agreements with third parties
-
Privacy by design and privacy by default
We conduct DPIAs, which the GDPR requires before an organisation starts any new processing of personal data that is likely to result in a high risk to individuals’ rights and freedoms. Complying with these laws is vital in Europe, as the GDPR imposes hefty fines on organisations that fail to do so – up to EUR20m (c.USD20.4m) or 4% of total worldwide turnover for the preceding financial year, whichever is greater.
Sources
-
[1] The Drum | Data Isn’t ‘the New Oil’ – It’s Way More Valuable Than That
-
[2] The 15 biggest data breaches of the 21st century | CSO Online
-
[4] Gramm-Leach-Bliley Act | Federal Trade Commission (ftc.gov)
-
[5] General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
About the Authors
Devika has been involved in independently executing various legal support services tasks at Acuity, including drafting, reviewing and legal document formatting, and has 13 years of experience in providing end-to-end paralegal services to clients worldwide.
She has been part of various projects related to contract lifecycle management, abstraction and summarization and e-discovery services covering US banking & financial companies.
Akash has been involved in managing various projects at Acuity Knowledge Partners relating to the drafting of contract templates and of contracts such as LPAs, LLCAs and subscription agreements for an asset manager. He has also parsed fund terms for a leading sovereign wealth fund, abstracting and summarising vital data covering the life of a fund from formation to dissolution.
He has over 5 years of experience in the legal outsourcing industry serving clients worldwide and has managed contract drafting, reviewing, abstraction and summarisation for some of the world’s largest IT, pharma and banking firms. He also specialises in using CLM and e-discovery platforms such as Conga and Relativity.