The European Union (EU) has adopted the unified law General Data Protection Regulation (GDPR) for all EU member states to ensure protection of personal data or information of an individual within the EU. By repealing the previous Data Protection Directive of 1995, the GDPR came into force on 25 May 2018 with the aim to take the data protection issues to a different level as it has introduced stricter regulatory obligations, wider territorial scope and hefty fine for non-compliance.
GDPR defines 'personal data' in a very broad way, it includes any information that can directly or indirectly identify a natural person, e.g. name, address, credit card number, location data, online identifier, IP address, biometric data and many more. The term 'processing' means any activity related to personal data, e.g. collection, storage, transfer, alteration and erasure etc. So, if a Bangladeshi company sells goods to European customers or provides services to Eu¬ropean consumers as the end users, the company in fact is processing personal data of the EU individuals.
Why is it important for a Bangladeshi business to comply with a European law? In short, the answer is, GDPR is a local law with global reach. The provisions of GDPR are applicable to all data processing activities related to personal data of EU individuals, including offering goods and services to EU and monitoring their behaviour. The location of the data controller, data processor and processing activities is immaterial as long as the data processing is related to an EU individual. As a result, any Bangladeshi person or company that offers goods or services to EU or monitor behaviour of an EU individuals will be obliged to follow GDPR provisions.
In the phrase 'offering goods and services', offer includes both conventional offer under a formal contract or offering online though email, posting an advertisement on a browser, webpage or social media, etc. and other online and offline promotional activities. Another term 'monitoring behaviour' means tracking and analysing online behaviour of an individual to predict his/her personal preferences, i.e. profiling. The classic example of monitoring behaviour is the recent incident of Cambridge Analytica which allegedly collected and harvested personal data of millions of Facebook users and used them to influence US presidential election and Brexit.
What might be potential consequences for non-compliance? Bangladesh is already an established name for IT Process outsourcing and the second largest supplier of online labour. Further, government has been taking numerous initiatives driven by ICT to turn the country digitalised. Many freelancers and IT companies have outsourcing assignments from EU countries where personal data are used and processed. Under the GDPR, any transfer of personal data to a third country (outside of EU) should fulfill some extra conditions – data destination country should ensure adequate protection of personal data. Due to lack of data protection legislation in Bangladesh and non-compliance with GDPR, Bangladeshi outsourcing service providers may lose their existing and future clients from EU.
Additionally, any infringement (data breach) and/or non-compliance of GDPR may result in fine up to 20 million euro (more than 204 crore taka) or 4% of the total global annual turnover of the preceding fi-nancial year of a company, whichever is higher. Along with financial damages, Bangladeshi companies will face reputational damages of their business. Customers may have no confidence and trust on a company which is unable to protect personal data of its customers. Above all, potential foreign investors in ICT sector may not consider Bangladesh as an ideal destination for tech investment.
A recent study reveals, 20% Singaporean company may have to shut down their business with EU and India may loss 2.5 billon dollar in outsourcing business due to non-compliance with GDPR. Furthermore, European Data Protection Authorities are proactive to ensure personal data protection and to implement GDPR compliance. They already have started imposing fines on companies that infringe personal data and privacy rights of their citizens.
What could be the solution? First and most importantly, the government should enact a law for personal data protection. Though the Constitution of Bangladesh and some other municipal laws have isolated provisions on protection of various aspects of privacy, something more is required to protect personal data. Enactment of such a law has the prospects to ensure legal and systematic collection, processing and use of personal information of the data subjects. Secondly, data protection and privacy culture should be ensured in every organisation through adequate privacy policies. Appropriate legal, technical, strategic and administrative measures for data protection may enable Bangladeshi companies to comply with GDPR and continue their business with the EU.
With around 25% of total trade, the EU is Bangladesh's main trading partner and Bangladesh is the EU's 35th largest trading partner in goods. Bangladesh is on the way to attain the status of developing country soon and the country will have to face stiffer challenges in terms of business and trade as it will not get duty-free access to the EU as it used to get as a Least Developed Country. Bangladesh's competitors in IT outsourcing business have already taken initiatives in this regard, Philippines enacted personal information protection law in 2011, India has issued White Paper which was developed by the Committee of Experts on Data Protection recently. In such a situation, we do not have time to sit idle anymore and observe the loss of markets only because of absence of a personal data protection law.
The writers are respectively Senior GDPR and GRC Manager, EUGDPR Institute, Denmark; and Senior Lecturer in Law, University of Malaya, Malaysia.