GDPR wasn't the beginning and it certainly won't be the end. Strict data privacy legislation is appearing in more and more economies across the globe, meaning the list of “GDPR-free” havens is growing shorter by the day. CISOs and other data security executives at globally operating organizations will have no choice but to adopt a cross-regulatory compliance strategy in order to keep up. That is why Martin Kuppinger, Principal Analyst at KuppingerCole, lists cross-regulatory compliance among his top 5 topics for CISOs in 2019. Cross-regulatory compliance begins by determining in what ways data privacy regulations overlap in order to synergize compliance efforts.
To help you get started, here are five examples of countries that have adopted comparable data privacy laws:
Brazil – Brazil’s Lei Geral de Proteção de Dados (LGPD) was modeled directly after GDPR and is nearly identical in terms of scope, applicability, and financial penalties for non-compliance. Companies wishing to do business with Latin America’s largest economy will have to comply with LGPD by February 2020 or be subject to fines of up to 50 million BRL (approximately 11.8 million EUR).
Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery or face fines of up to 1.8 million AUD (approximately 1.1 million EUR).
USA – while there is currently no data privacy law applicable to all industries on the federal level, every state in the Union has its own data privacy laws. These regulations vary significantly in terms of scope, applicability, and penalties, but the strictest among them is the recent California Consumer Privacy Act (CaCPA), which has many provisions that overlap with GDPR. California may be only one state out of fifty but, as California politicians love to point out, the State has a larger population and annual GDP than most countries in the world (before you ask, I do have a source to back that up), which means the market affected by CaCPA makes up a non-negligible part of not just the US, but the global economy.
On the federal level, lawmakers on both sides of the aisle have introduced a slew of data privacy proposals in recent months. Whether any of these bills will actually become law remains to be seen, but momentum appears to be building. There are even those in the tech industry calling for similar legislation in the US, including Apple CEO Tim Cook.
Japan – Japan's Act on Protection of Personal Information was amended in May 2017 and now applies to both foreign and domestic companies that process the data of Japanese citizens. Companies located outside of Japan will now be subject to the strict guidelines laid down in the Act.
More recently, Japan and the European Commission reached an agreement on "reciprocal adequacy" of their respective data protection laws. Japan has created a "white list" of EU companies that exercise sufficient caution when handling personal information, while the EU has created the same for qualifying Japanese companies. This also means that data subjects in the EU have recourse for violations of their data privacy rights by companies based in Japan and vice versa.
South Korea – Last but certainly not least is South Korea. For companies that process personal data of South Koreans, privacy standards on par with GDPR are nothing new. South Korea's Personal Information Protection Act has been in effect since September of 2011 and from the outset has included many GDPR-like provisions, including requirements for gaining consent, the scope of applicable data, appointment of a Chief Privacy Officer, and limitation and justification of data retention periods.
International economic organizations such as the Organization for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) Forum have drawn up their own data privacy guidelines regarding the transfer of personal data across borders. These guidelines help to create an international standard for data privacy and protection in order to facilitate international trade, but they are oftentimes more lax than the domestic laws of participating countries. This means that data security and compliance executives still have to devise their own cross-regulatory compliance strategy that adheres to the most stringent regulations in their target markets.