Data protection is not a local issue

By Jean G. Vidal-Font, Senior Associate at Ferraiuoli LLC

This article was originally published in Spanish in Microjuris. 

Any business that seeks to be seriously competitive in today's economy needs to have a digital strategy to store, either directly or through third parties, personal data of customers. Just five years ago, no one would have blamed a local business for thinking that they would only have to comply with local legislation. That is no longer the case as businesses have to comply regionally or even globally.

Data protection laws address the way in which businesses receive, store and use the data they obtain from consumers who buy their product or service, access their websites or use their digital platforms. As an example, when a user enters an app to order food, it is likely that said app will save his name, email, physical address, IP address, the type of computer or mobile that he uses and, depending on the place, the exact location where the user is.

Businesses typically use this data to follow up by sending promotional communications, provide services, or sell the information to third parties. This is precisely what is regulated by data protection laws.

The common denominator is that businesses have an obligation to require the consent of the users and disclose to them what data they are collecting and for what purposes. While we are tempted to think that this is a local issue, the way services are outsourced today force local businesses to comply with foreign legislation.

For example, if a local business has users accessing from the European Union, it must comply with the EU’s GDPR (General Data Protection Regulation) despite not being settled in the European Union. On the other hand, the servers that host local businesses digital platforms can be located in another country, such as Colombia or Mexico, which could imply certain compliance with the laws of those countries. 

As businesses actively cross geographical borders, they also need to increase their compliance with data protection legislation. How should a business proceed? First, they need to know theirselves. They must know what data they store, where and for what purposes, what tools it has to delete or modify such data and which privacy policies it offers for users. Therefore, a consultation with a foreign law firm would certainly be cheaper than a sanction by the tax authority of such foreign country for a violation of the country’s data protection legislation. 

Globalization and the movement of businesses into cloud services means that personal data goes well beyond the geographical borders where businesses works. To stay ahead of the curve, and in legal compliance, it is necessary to think beyond local regarding data protection.