Developing a commercial data protection strategy on a global scale

An immense volume of personal information (PI) (or personal data or personally identifiable information as it is referred to in, for example, in the EU and the US, respectively) continues to proliferate and flow daily around the world. Typical examples of this include e-mail traffic and streams of PI relating to employees of global corporations to human resources data hubs located within the US. Some of this PI needs to be accessible worldwide. 

Information, including PI, is a valuable enterprise asset. Hard facts and figures are essential for making decisions. Information assets must be used effectively to meet business goals, but regulatory requirements, customer and employee expectations of accuracy and security also need to be met. However, privacy and data protection (PDP) laws across the world form a complicated patchwork, and compliance can seriously have a negative effect and impede business. 

A well-constructed and comprehensive compliance program can, however, provide a solution to these various competing interests and so represents an effective risk-management tool. This note is intended to assist law departments in formulating such a program. To determine whether your PI governance is adequate, you should perform a gap analysis. The aim of this exercise is to identify current business activities and compliance mechanisms and to determine whether and, if so, what (further) policies, procedures, systems and controls are required to ensure compliance. 

PI is often collected from:

• Candidates and current employees.
• Individual customers and suppliers.
• Individuals at customer and supplier organizations. 

This should be sourced from emails, call-centre conversations, online account application forms, business acceptance procedures and gathering business cards at meetings. PI (Personal Information) about job candidates is sometimes collected from third-party sources, such as background-screening services and criminal-records bureaus. Employee PI may also be collected from the monitoring of e-mails and telephone conversations (where permitted). RFID and GPS are examples of technologies frequently used to collect PI.