For companies that operate in international jurisdictions, it is vital to stay up-to-date on legislative actions that affect data retention policies and compliance. This allows companies to make internal adjustments as necessary and to avoid costly sanctions and other harmful penalties for non-compliance. Here are just a few upcoming laws worth noting:

European Union – General Data Protection Regulation: In May of 2016, EU policy makers implemented a comprehensive legislative reform of personal data protection rules. Going into effect on May 25, 2018, it places a high standard of protection on personal data held by companies by regulating the collection, use, storage, and breach notification protocol of such data. The regulation also imposes sharply increased fines and sanctions for violations. Broad in scope, it will particularly affect industries such as the financial sector, which by nature collects and stores large amounts of personal data. Read more here.

Australia – Mandatory Data Breach Notification (MDBN): Introduced into the House of Representatives last month as the Privacy Amendment (Notifiable Data Breaches) Bill and anticipated to take effect in late 2017, the Australia Federal Parliament is expected to pass MDBN. This law will require companies that suffer a suspected data breach that is likely to cause serious harm to both investigate the breach and to notify both the impacted individuals and the Privacy Commissioner of the breach. Previously, companies were not required to notify anyone of a data breach or hack. If passed, MDBN will be implemented as part of Australia’s Privacy Act, broadly affecting companies holding personal data in Australia. Here is the current text of the bill, as it reads in the House.

China – Cybersecurity Law:  On November 7th, China’s Standing Committee of the National People’s Congress adopted the Cybersecurity Law. Taking effect on June 1, 2017, this law will have sweeping effects on business operations in China, particularly for internet and technology companies. The law will require network operators to comply with testing and certification requirements that pertain to computer equipment and network operations and will grant the government access to stored data for suspected violations.

This law also includes data localization requirements (personal data on Chinese citizens must be kept on domestic servers), personal data use and disclosure requirements, “real name” polices (users of instant message and other network services are required to register with their real identity), and whistleblower protections, among other things. A variety of penalties are in place for violations, depending on the type and severity of the violation. Here is the final authorized version of the law, as provided by China’s official press agency.

Contact Zasio today to see how our host of software solutions and consulting services can help you stay complaint with your data retention policies and practices.


Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Jared Walker, JD

Author: Jared Walker, JD

Senior Research Analyst, Team Lead / Licensed Attorney