After the lightning comes the rolling thunder; that’s what’s happened with data privacy laws worldwide. The implementation of GDPR came like a lightning bolt in 2018, with the following thunder being dozens of jurisdictions worldwide considering similar laws regulating how companies handle individuals’ private data in the years since.
For multinational enterprises, some of these regional data privacy laws being debated or proposed have important implications for data protection. Let's look at how some local privacy laws, either proposed or newly enacted, could impact how companies handle and protect customers' data.
India's PDPB: As originally drafted, this legislation would require companies to process and store personal data about Indian citizens on a server located in India. A provision like this would make it critical for IT teams to be able to sort through terabytes and petabytes of data across on-premises, virtual, and cloud environments to detect personal data pertaining to customers in India and ensure it's stored and backed up in data centers in India.
Singapore's PDPA: The law requires companies to notify authorities within three calendar days if a data breach involving personal data has occurred. This is arguably stricter than GDPR, which specifies only that a breach notification should happen "without undue delay."
Brazil's LGPD: This law, which became fully enforceable as of August, has a specific set of criteria that companies must meet as a justification for processing individuals' personal data. This makes it imperative for IT teams to have complete visibility into the purpose for which sensitive data is being used.
Canada’s CPPA: One of the most important parts of this proposed legislation is the requirement that companies keep records of customers’ consents to use their personal data, in case of an audit or if a customer makes a request to withdraw their consent.
Thailand's PDPA: This law, which took effect June 1, allows companies to continue processing personal data on Thai citizens that they collected before June 1, provided they're using the data for the same purpose. This means IT teams need to clearly understand the exact purpose and usage of any sensitive data they've collected and provide the means for citizens to withdraw their consent.
Virginia's CDPA: Like California's CCPA, this Virginia law will add further complexity when it takes effect Jan. 1, 2023. Businesses operating in Virginia or collecting data on Virginia residents will need an effective means to correctly tag and classify data covered under the CDPA so that they can avoid fines for violations such as improperly selling or using that data.
China's PIPL: This law, which takes effect Nov. 1, requires companies to limit their use of personal data to the "minimum scope necessary" to meet the goals of handling that data, and also requires them to obtain consent from individuals before transferring their data outside of China.
Many of these regional privacy laws broadly share similar features, with important local nuances. As jurisdictions implement new privacy laws, companies will need to continue to gain better insights and visibility into how they’re using data. It’s now a business imperative to take these measures:
As difficult as it may seem for enterprises to comply with so many evolving, jurisdiction-specific data privacy laws, the good news is that they’ve become a catalyst for a change in mindset. Companies are becoming smarter about what data they have and the risks involved. The end result will hopefully be fewer instances of companies suffering a data loss or experiencing a ransomware attack that puts customers’ data at risk.