How to Navigate Global Data Privacy and Protection Laws

Friday, April 2, 2021

The General Data Protection Regulation rolled out in 2018 across Europe ushered in a new era of data privacy. After this rollout, other areas of the world follow suit creating their own version of data protection and privacy. 


California was quick to roll out the California Consumer Privacy Act (CCPA) in 2018 which caused many companies in the United States to take a hard look at their data security. Back in 2018, some companies were not as concerned as they took the approach of “we don’t directly do business with California, or have customers there so we don’t have to act now”. The other reason behind this thinking is that enforcement wouldn’t take place until 2020. 

Other companies took this more seriously and started reviewing their data privacy and governance to ensure they were in compliance sooner rather than later. 


Since then, other countries followed suit, but not until 2020. In September 2020, Brazil passed Lei Geral de Proteção de Dados, or “LGPD”. This legislation has a few key items to note that impact organizations if they:

  • Processes personal data in Brazil
  • Processes personal data that was collected in Brazil
  • Processes personal data to offer goods or services in Brazil

There are very similar rights to GDPR but unlike GDPR, LGPD “gives people a right to access information about those with whom an organization has shared the individual’s data”. This puts a greater onus on organizations to track this information in order to comply with this law. 


In October 2020, China set up its Personal Information Protection Law. Much of the compliance required is based on GDPR, but has an extra layer of stringency. If a company is looking to transfer any data out of China, it would have to first go through a security assessment by the Cyberspace Administration of China (CAC). Noncompliance could result in fines of RMB (Renminbi) 50 million (over $7.5M) or 5% of their prior year’s revenue.

The CAC falls directly under the State Council Information Office (SCIO) and is in charge of cyberspace security, internet content regulation, and online news reporting.


Next up, Canada rolled out the “Digital Charter Implementation Act, 2020”. A few of the basic provisions are: 

  • Provide individuals with “plain-language information” so they can make meaningful choices about their data.
  • Provide individuals control of how they “transfer their personal information from one organization to another”.
  • Allow individuals to “request that organizations dispose of personal information”.

Something I like about this is the "plain language" statement. A lot of times legal jargon can hide critical details and could easily be missed by organizations or individuals.

New Zealand

December 2020 saw New Zealand put the “New Zealand Privacy Act (2020)” in place which replaced the “Privacy Act 1993”. An interesting requirement for organizations is that they have 20 days to respond to individuals who have requested their information. Individuals can reach out to their privacy officer and lodge a complaint if organizations are in non-compliance.

Another interesting aspect is the "privacy officer". This is a role that the New Zealand government is looking for organizations to have in place for assistance in handling data privacy. This put the burden on organizations to ensure this role is made available and filled by well-qualified individuals.


In March 2021, Virginia signed the “Virginia Consumer Data Protection Act” into law. Some of the highlights of this law are:

  • Applicable to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents.
  • Entities that control or process the personal data of at least 100,000 consumers during a calendar year.
  • Entities that control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

As the newest kid on the block in this area, it will be interesting to see the impact on future laws put in place. GDPR set the example, but many others are adding in their own twist.

What’s The Impact On You?

As more and more countries and states put data privacy and protection laws into place, it becomes critical that your company has processes and applications in place for compliance. Many of these laws have varying fines or fees in place for non-compliance which are quite hefty. This means non-compliance could be detrimental to your organization if you don’t have something in place now.

More importantly, the processes you have in place should be routinely reviewed and updated to mitigate any potential risk. This requires a concerted effort and buy-in from all levels of your organization. If these aren’t in place, things could fall through the cracks and lead to non-compliance. 

Some SaaS applications have built-in GDPR or data protection/privacy features and capabilities to assist with compliance, but this doesn’t cover your full applications ecosystem. Any new layer of integration or application added, or new area for data to be stored should have a process or security measures in place.

Don’t fall behind! This era of data protection is going to continue to grow and will make waves around the world. Tighten up your resources, train people across your organization, and keep reviewing your processes.

Additional DAC Resources:


There are no comment yet, be the first to ask!