Global data regulation is becoming more complex by the day, from the development of new regulations worldwide to seismic political shifts. This is precisely why companies doing business globally must stay on top of ever-changing global data protection regulations. To accomplish this feat, IT and business leaders will have to rely on cloud and SaaS platforms to keep data private and secure while driving digitization efforts.
Data protection and privacy legislation worldwide
Governments and industry regulators are struggling to keep pace with modern enterprises’ demands for data. Moreover, the public has been calling for greater transparency and security in the collection and processing of sensitive data, putting increased pressure on legislatures to act. Organizations have been using, sharing, and storing data liberally for years despite serious data breaches occurring weekly, and are currently collecting more data than ever, necessitating the push to pass and enforce data protection regulations.
The primary purpose of data protection regulations is to ensure no ambiguity about security and privacy expectations, the party responsible for the data, and the rights consumers have. Any violation of these regulations can result in highly publicized and serious fines, which are costly in themselves, irrespective of the financial loss from the resulting damage to a once trusted brand’s reputation. For this reason alone, compliance with global data protection and privacy laws has gone from an afterthought to a mandate among multinational companies.
Standard requirements of data protection laws
A key component of ensuring compliance with the many privacy regulations in existence is identifying the commonalities among them. These are typically the following:
- Privacy-minded culture – an organization should cultivate a privacy-minded culture among the people tasked with regulatory compliance while promoting awareness and education about what is expected when handling data.
- Data protection – incorporating a data-centric security strategy that safeguards the organization’s data from vulnerabilities caused by human error, cyber-attacks, and breaches.
- Breach notification – many regulations require organizations to inform authorities and those whose data may have been compromised in the case of a data breach. Since breach prevention is almost impossible, the best safeguard is to protect the data itself in the event of a breach so that no exploitable information is disclosed.
By optimizing these three factors, organizations can drastically reduce compliance costs and time across multiple regulatory standards.
InCountry helps you be compliant with global data protection laws
Taking advantage of InCountry’s data residency services makes it possible to comply with regulations faster and expand internationally.
With InCountry, companies can store, process, and access data locally for compliance in 90+ countries in real time. No matter what regulations, apps, or cloud environments exist in a country, InCountry helps companies store and process data locally with encryption.
With InCountry, you’ll spend less time on infrastructure and software and more time on your core customers and products. InCountry helps small and large software companies enter new markets and win more customers.
Integrating InCountry with your global applications will automate data residency. The developer-friendly SDK and API support complete or partial integration. With security in mind, InCountry integrates with applications to localize only what is required.
International data protection laws in 2021
Legislation on privacy and data protection has taken several major steps forward recently. The California Consumer Privacy Act (CCPA) came into force in January in the United States, and the Court of Justice of the European Union (CJEU) determined in the Schrems II case that the European Commission’s adequacy decision regarding the EU-US Privacy Shield was invalid, effectively putting an end to free data flows between the United States and the EU.
The impact of these major developments will loom large in the data privacy landscape as 2021 continues, with the Schrems II ruling from the Court of Justice of the European Union demonstrating that transferring personal data outside of the European Union is not just a mere formality.
Several other countries will enforce or review their data privacy laws in 2021 as well. After Brexit, the UK lost its free data flow privileges in Europe, meaning the country will need to pass new regulations. Likewise, China is planning to adopt its first omnibus data protection law this year and is also planning to target cross-border transfers.
After a series of setbacks and delays, Brazil’s Lei Geral de Proteção de Dados (LGPD), Latin America’s first major data protection law, came into force in September 2020. Nevertheless, the government’s administrative sanctions are not expected to be implemented until August 2021. The Brazilian data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has an obligation to protect the sensitive personal information of Brazilian data subjects, so 2021 will be the testing ground for how the LGPD will be enforced.
A new Personal Data Protection Act (PDPA) will come into effect in Singapore in the first half of 2021, including data breach notification requirements, an expansion of its deemed consent framework, exceptions for legitimate interests, and increased penalties for non-compliance.
What are some of the main countries with data protection laws?
The EU – new cross-border transfer regulations in 2021
Many European institutions appear to be committed to standardizing and regulating cross-border data transfers in compliance with the EU’s General Data Protection Regulation (GDPR).
The European Data Protection Board (EDPB) published draft directives in November 2020 for the rules businesses should adopt when transferring sensitive personal data from the European Economic Area (EEA) to outside nations.
A draft set of new Standard Contractual Clauses (SCCs) based on EDPB guidance was released by the European Commission, together with a draft implementing decision. Both documents were updated to meet the requirements of the GDPR.
These changes, combined with the Schrems II ruling, will affect many international companies that collect and process personal information of EU citizens, requiring stricter compliance requirements for cross-border data transfers.
China – GDPR response
The Standing Committee of the National People’s Congress of China published the first draft of the Personal Information Protection Law (PIPL) for public comment on October 21st, 2020. This proposed law introduces strict practices for consumer data in China, but also has geopolitical implications.
As well as bringing together existing Chinese laws on data privacy, the PIPL also introduces several significant new elements to China’s protection of personal information, including steep fines, extraterritorial applicability, data protection officers, and new rules governing cross-border transfers.
China’s new PIPL aims to establish stricter controls over how user data is managed going forward, including the establishment of managing bodies and regular risk assessments for organizations seeking to access Chinese data. The PIPL will reinforce the new rights gained by data subjects residing in China, regardless of their nationality, such as the right to request that their data be deleted or withdrawn from collection.
Companies processing a high volume of personal data will be required to appoint data protection officers. The processing of sensitive personal information across borders will also be subject to a threshold under the PIPL, with companies exceeding this threshold required to localize their data processing activities.
EU: the challenge of Brexit
GDPR has given businesses ample time to understand upcoming changes, but with the UK’s exit from the EU, the status quo will soon alter again. As a result of Brexit, the United Kingdom was legally declared a third country to all member states of the European Economic Area, which means the country needs to request an adequacy decision from the European Commission before data can be transferred freely again. This means businesses in the UK may have to work with partners in the EU to ensure compliance, though the exact details won’t be known until the New Year. Once the transition period for the UK’s departure from the EU ends at the end of 2020, the GDPR’s transfer rules will take effect and personal information will no longer flow freely between the UK and Europe. While the GDPR may no longer apply directly to the UK, its provisions were incorporated into the UK’s national legislation through the Data Protection Act (DPA) in 2018.
Data Protection Laws Under Review in 2021
Australia’s Privacy Act
In response to the ACCC’s Digital Platforms Inquiry report, the Australian Government announced on 12 December 2019 that it would review Australia’s Privacy Act 1988.
So far, the government has released an issues paper detailing and requesting feedback on the Privacy Act as well as other Australian laws protecting personal information. Proposals closed at the end of November, with the first draft of the review anticipated to be made public sometime in 2021.
Digital Charter Implementation Act (DCIA) in Canada
On November 17th, 2020, the Canadian Minister of Information, Science, and Economic Development presented the Digital Charter Implementation Act (DCIA), which if approved would replace Canada’s current data protection law and electronic transactions law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
DCIA would bring several noteworthy changes to privacy legislation in Canada, including the right for individuals to bring private suits and fines that could exceed General Data Protection Regulation levels. The DCIA will be studied by committees and be subject to consultations and hearings from stakeholders in 2021.
Privacy Shield and CCPA in the United States
As noted above, the EU Court of Justice’s decision to invalidate the EU-US Privacy Shield in July crippled a key mechanism for transferring data between the EU and US. The ruling cited the U.S.’s surveillance practices as well as its lack of a unified national data policy.
Although the Privacy Shield has been terminated, the court has validated and allowed another mechanism for transatlantic data transfers known as Standard Contractual Clauses (SCCs). The Data Controller is also required to assess whether countries receiving data have adequate privacy protections in place. Companies now must reassess their vendor relationships and implement new data transfer mechanisms to replace those that rely on the defunct Privacy Shield.
Partially in response to the GDPR, California passed its own data protection regulation, the California Consumer Privacy Act (CCPA). This policy gives Californians powerful new GDPR-style privacy rights, including the right to request their data and to opt out of data collection.
Proposition 24, which was on the ballot in California during the last U.S. election, has passed, with a potential impact on thousands of businesses in the U.S. and abroad that do business with California. Proposition 24 ensures California consumers have access to more safeguards when it comes to their personal data.
Approved in November 2020, the CPRA will amend the CCPA to give Californians additional control over their personal information and create additional obligations for businesses falling under the scope of the CCPA. Despite the fact that most of the CPRA’s provisions will not take effect until July 2023, it is expected to trigger new legislation in other states or at the federal level.
Introduction of the LGPD in Brazil
Brazil became the latest country to implement GDPR-style data privacy regulations in September 2020 when their new data protection law went into effect. The LGPD applies both to foreign and domestic companies that process personal data in order to offer or provide goods and services in Brazil.
As the LGPD is similar to the GDPR with a few minor differences, companies that are already GDPR compliant should have no trouble adjusting to it.
Maintaining global compliance with data protection regulations – conclusion
In 2021, several notable privacy laws will begin to be enforced, and several others will fall in line with the new international standard set by the GDPR.
Transborder data transfers are likely to be one of the most significant compliance issues being addressed by legislative bodies and data protection authorities to ensure the regularization and normalization of data transfers between countries.
The good news is that despite the complexity of regulatory requirements around the world, most basic best practices can be used to meet compliance requirements.
For example, companies should start revisiting their data collection policies for 2021 and ensure they are gathering only the data needed for business-as-usual activities. Additionally, firms should build customer consent into data collection practices. In addition to reducing management and reporting burdens, a smaller data footprint minimizes security incidents.
Security also needs to be a leading priority in 2021, and companies must verify that they have strong security policies in place for any data being stored, processed, or transmitted. Besides utilizing anti-phishing and anti-malware software, it is also necessary to employ classification, encryption, and data loss prevention methods to protect data and identify and combat cyber threats.
Furthermore, organizations can take things a step further by incorporating Cyber Threat Intelligence (CTI) to proactively assess risks and vulnerabilities in different geographic regions and ensure they remain compliant as the dynamics of cybersecurity continue to change.