The General Data Protection Regulation, which took effect in May, has renewed interest in security spending. Gartner projects it will drive 65 percent of buying decisions related to data loss prevention by the end of the year. The focus of the regulation, known commonly as GDPR, is on citizens in the European Union. But its impact is becoming global.
US: Consumer Privacy Act
The United States is creating new laws inspired by the GDPR. The California Consumer Privacy Act of 2018 gives Californians rights similar to those enjoyed by EU citizens – specifically, the Data Subject Access Request (DSAR). In 2020, organizations that control or process personal data of US citizens will be obliged to provide any information held about a client or employee upon request. Like the GDPR, California’s upcoming legislation does not require data subjects to have a physical presence in the state.
The Colorado legislature is considering passing a bill that would require entities to implement and maintain “reasonable security procedures and practices” to protect “personal identifying information” of Colorado residents. The bill seeks to also expand the definition of “personal information,” and proposes changes regarding breach notification timing.
Nationwide, the US Consumer Privacy Act will give companies 30 days to report a breach after it occurs. The European law, however, gives only a 72-hour window.
UK: Data Protection Bill
The United Kingdom is also joining the trend.
The UK Information Commissioner’s Office has noted that data protection and privacy are now at the top of public consciousness in the UK. The country has drafted a new Data Protection Bill to keep it on par with the GDPR after Brexit, when it is no longer a member of the European Union.
Australia: Privacy Act
Australia’s Privacy Act, like the GDPR, aims for consistent privacy regulation across the nation and enforces a robust compliance mechanism. It seeks to facilitate the free flow of information across Australian borders while ensuring respect for individual privacy. These objectives stem from the Australian Privacy Principles, the first of which obliges data controllers to manage personal information in an “open and transparent way” and to demonstrate compliance with all principles governing the act.
Despite key differences in aspects like breach notifications, reporting requirements, or the definition of “serious harm,” the GDPR and Australian data privacy regulations are a step in the same direction.
Mexico: Federal Data Protection Law
Mexico’s “Federal Data Protection Law Held by Private Parties” is almost indistinguishable from its European counterpart.
In a blog post for the International Association of Privacy Professionals, Miguel Recio, Master of Laws in Data Protection, wrote:
“Mexico, as the European Union, is living a vibrant moment in data protection. Accountability is key for robust and effective data governance, and data controllers in Mexico and the EU now share this principle.”
Both the EU and Mexico now require data controllers to proactively demonstrate compliance with data privacy laws. Both have procedures in place to assess and respond to new technologies that expose users to risk. Both also require data controllers to adopt and implement technical and organizational measures to protect personal data.
Canada: Personal Information Protection and Electronic Documents Act
Not everyone is rushing to create a GDPR lookalike. Canada abides by the standards set by the Canadian Personal Information Protection and Electronic Documents Act. Yet Canadian companies handling data of EU citizens must obey the GDPR. This is because, unlike Canada’s local legislation, the European law protects EU residents’ personal data both inside and outside the Union’s boundaries.
Accountability, consent, reporting
The GDPR is changing the way business is conducted around the world. Its aim to provide a unified framework to protect data of EU citizens has not only prompted businesses worldwide to comply, it has also inspired some of the world’s biggest economies to create their own set of laws that match well against the GDPR, article for article.
And for those nations that have yet to create a GDPR replica, companies handling data of EU citizens have no choice but to adopt EU standards across key areas like Consent, Data Portability, Right to Erasure, and Data Breach Reporting.