Many of our readers work at companies that operate internationally. They may collect, store and process data from users all over the world. In our hyper-connected world, this all seems fairly straightforward, until you consider the impact of the varying legal jurisdictions. A company could operate in ten different countries and face ten completely different regulatory environments. This can make compliance an absolute nightmare—the company needs to be aware of and abide by every law and regulation that applies to it, some of which may even contradict one another.
In the context of privacy regulation, the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines were established to make these compliance problems a little easier to manage.
The OECD is an international organization that assists countries with environmental, economic and social challenges. It has been providing privacy guidance for years. The OECD Privacy Guidelines were developed as a global standard for data protection and privacy. They aim to limit the impediments to international data flows, while still upholding fundamental human rights. The OECD Privacy Guidelines act as a set of principles from which countries can build up their own privacy regulations.
While organizations aren’t required to abide by the OECD Privacy Guidelines, the guidelines do form a set of best practices that can be helpful for organizations as a base for their policies. Following the OECD Privacy Guidelines does not mean that your organization is automatically compliant with all international privacy regulations, but it does give a solid foundation. Expert legal advice will still be required to understand and comply with the complicated nuances of these varied international regulations.
The OECD Privacy Guidelines are made up of the following eight principles:
The collection limitation principle
This principle states that personal data should only be collected within limits, and only by lawful and fair means. It stipulates that, where appropriate, personal data should only be collected with the knowledge and consent of the data subject.
The data quality principle
This states that personal data should be complete, accurate, relevant, and kept up to date.
The purpose specification principle
Personal data collection should be conducted with a specific purpose that is made clear to the data subject either at the time of data collection or beforehand. The data should only be used to fulfill these purposes.
The use limitation principle
When personal data is collected, it should only be used for the specific purposes for which it was collected. If an organization wishes to use it for purposes other than those initially stated, it should seek further consent from the data subjects.
The security safeguards principle
Reasonable security controls should be implemented to guard against unauthorized disclosure, use, modification or destruction of personal data.
The openness principle
Organizations that collect and process personal data should foster cultures of transparency and honesty surrounding how the data is used.
The individual participation principle
Data subjects should have the right to know whether a data controller holds information that relates to them. They should be able to have that information communicated to them within a reasonable time, in a reasonable manner, at a cost that isn’t excessive, and in a form that is readily intelligible.
The accountability principle
Organizations that collect or process personal data should be accountable for complying with each of the principles listed above.
How can the OECD Privacy Guidelines help your organization?
By understanding and implementing these data privacy principles, your organization will have a solid basis from which to protect its users. Abiding by these principles also gives your organization a solid grounding on which it can build to meet the specific compliance obligations in the regions where it operates.