Rulefinder
Data Privacy

aosphere senior lawyers have identified key questions and scenarios for local counsel to consider.

Topics

• Sanctions and regulator approach to enforcement
• Organisation level detailed requirements – regulator registration, data protection officers, CISOs, compliance programmes, privacy policies, processing registers
• Data privacy in the workplace - we provide FAQs on key data privacy issues that arise across the employee lifecycle (e.g. at recruitment, during employment, and when the employment relationship has ended). Learn more about our employment practical FAQs here
• Consent – whether consent is needed, and how to validly request consent. Consideration of what constitutes valid consent in a range of scenarios, e.g. incentive given for consent, discounts, provision of goods or services. Valid ways to indicate content, e.g. pre-completed electronic tick box, implied consent
• Privacy notice – when required, what information to provide and when
• Individual choice and data subject requests - what requests to comply with, action and timelines to comply with access, objection, deletion, rectification, portability and more. Plus what happens when consent is withdrawn
• Privacy assessment / DPIAs - when required / how to do them 
• Data transfer and localisation rules – how to transfer intra-group, to third parties domestically or cross-border, what contract terms are needed, whether you can sell data. Learn more about our data transfer coverage here.
• Breach response – what to do: notify the regulator or individual, how to notify, what else to do and  the sanctions for failing to notify
• Service providers 
• Direct Marketing - how you can collect customer data, when you need consent to send marketing communications. Learn more about our direct marketing practical FAQs here.
• Additional bank secrecy and outsourcing content is available for financial institutions 

Read more on our coverage of direct marketing, international data transfers, and employment.

Legislation

We cover data protection and privacy laws around the world, including:

• European General Data Protection Regulation (GDPR) 
• EU e-Privacy Directive
• US Federal Trade Commission Act (FTC Act)
• US Children’s Online Privacy Protection Act (COPPA)
• At US State Level, data privacy laws analysed include California Consumer Privacy Act (CCPA) and California Erasure Law
• China Personal Information Protection Law (PIPL)
• Singapore Personal Data Protection Act 2012 and Personal Data Protection (Amendment) Act 2020, Cybersecurity Act (No. 9 of 2018)

Breach Response App

When it comes to data breach, the conventional wisdom is when, and not if, an organisation will suffer a data breach. Notifying the regulator and affected individuals in accordance with local law requirements is a key part of every organisation’s breach response plan. Correct handling of data breach notification requirements can avoid fines and other sanctions which can run into millions of dollars, and minimise reputational damage. 

When breach notification rules vary across the globe, and the lack of a single rule book, together with the short time frame for reporting, makes keeping on top of breach notification requirements challenging. For example, in the United States, breach notification laws vary across all 50 US states. 

Our Breach Response application pulls together the breach notification reporting requirements in 50+ jurisdictions and all US states, and highlights in an instance when there is a requirement to notify the regulator or affected individuals and applicable time limits. 

View sample content from the Breach Response App (also available during a free trial).

Horizon Scanning and Sanctions Tracking

Viewing and comparing data privacy obligations at individual jurisdiction level is vital, but we also know that in-house teams need to see and track developments globally. We monitor for global developments on a daily basis and consolidate legal analysis into user friendly tracker documents, covering:

• Privacy Law Developments – in one excel document, users can filter and search our horizon scanning tool which tracks forthcoming data protection and privacy law developments. Helps in-house teams stay on top of compliance, as jurisdictions move increasingly towards a GDPR style of privacy regulation.
• Sanctions Tracking – we track examples of regulatory censures across 55+ jurisdictions, including the EU and the United States. Subscribers can access sanctions information in one place, with the ability to filter on the jurisdiction, regulatory authority type of sanction, plus a summary and topic of the action taken

Schrems II Toolkit

With so much noise surrounding Schrems II, it can be hard to track the latest regulatory guidance and understand the implications. Our Schrems II Toolkit analyses and brings together the latest regulatory guidance in one place, colour-coded based on impact.

Designed and managed by senior lawyers, the toolkit provides: 

• Curated summaries of the latest fines and other enforcement decisions relevant to Schrems II, with links through to the underlying decision/commentary
• Considered analysis: the Schrems II Toolkit and our email alerting service is managed by senior lawyers who consider the impact of something, before explaining it and publishing it for subscribers
• A detailed but user-friendly resource to navigate regulatory guidance on Schrems II, including:
  • a practical 6-step workflow to help a user implement European guidance
  • a template international data mapping table - a list of transfer impact assessment questions to be shared with the data importer (regarding the data importer itself, and the relevant legal and practical issues in the recipient jurisdiction), and
  •  a list of key legal and practical issues affecting specific recipient jurisdictions (to support third country legal analyses), wherever a regulator or other authority has published a legal study on that jurisdiction (currently covering India, Russia, China and the USA).

Territorial Scope View

This proprietary application considers key fact patterns, e.g. where your organisation processes data, where individuals are located, where your organisation has a presence, and governing law of relevant contracts.

Subscribers can input scenarios to build a picture of which jurisdiction(s) rules are relevant and need to be considered further. 

Sample results...

From these sample fact pattern results you can see that the report will show you the headlines in terms of application of laws, while the expandable comments [c] and full reports for each jurisdiction clarify the exact scenarios in which local rules apply to aid practical compliance.

This helps determine which jurisdictions require further analysis within Rulefinder Data Privacy.