What is Privacy Compliance?

Privacy compliance is required in any country with privacy laws in place. Depending on the scope of those laws, the amount of privacy operations work required can differ considerably.

The key legislations in the world

While there have been well-known privacy and data protection laws in some countries such as Germany, there had not been a geographically wide and extensive privacy law before the GDPR (General Data Protection Regulation). As we have seen over the last few years, this European law has shaped most developments in privacy law all over the world. Besides its positive impact on privacy in general, its lighthouse effect has led to many similar laws worldwide. From a standardization standpoint this is a good thing, as it reduces costs for international companies that would otherwise have to comply with very different privacy laws. In essence, each such law is now about two-thirds similar to the GDPR in its provisions and main pillars, while deviating in areas such as consent requirements or legal basis. Pillars such as the ROPA (Record of Processing Activities) or TOMs (Technical and Organizational Measures) are largely the same and allow such documentation to be standardized.


Difference between Privacy and Data Protection

Different areas of the world use different wording, so we first have to define the terms in order to have common ground for discussion. In a European context, data protection means compliance with the privacy laws and fundamental privacy rights of the EU. In a North American context, data protection is a synonym for information security (especially its technical aspects) and is therefore often misunderstood when talking to Europeans. What Europeans call data protection, the US knows as privacy compliance. Likewise, a data protection management system in the European context is the same as a privacy operations management system in the US context.


The trend

Many new privacy laws have been created worldwide in recent years. Most notably the following:

LGPD (Brazil)

Brazil’s new data protection law – the LGPD (Lei Geral de Proteção de Dados Pessoais) – replaces the fractured legal landscape in Brazil with an overarching regulatory framework.

It empowers individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws, and it is shaped with great inspiration from the EU’s General Data Protection Regulation.

DSG (Switzerland)

The revised Swiss Data Protection Law was agreed upon in 2021 and will come into effect in 2021. It is modelled on the GDPR but also contains a "Swiss finish". In essence, the DSG contains most of the same provisions, such as ROPA, TOMs and Data Protection Officers, but has one important difference: the Swiss law allows the processing of personal data as long as it is done under certain principles, whereas the GDPR forbids the processing of personal data without a legal basis.

Personal Information Protection Law (China)

On June 10, 2021, the Data Security Law of the People’s Republic of China (“Data Security Law” or this “Law”) was officially passed during the 29th session of the Standing Committee of the 13th National People’s Congress. This Law has been reviewed three times since June 2020 and came into force on September 1, 2021.

Interestingly, the approach to data processing rests less on legal argument and more on a moral and ethical standpoint. Article 28 stipulates that any organization or individual carrying out data processing activities, or the research and development of new data technologies, shall act in a way that is conducive to promoting economic and social development, enhances the well-being of the people, and complies with social morality and ethics.

In essence, data analyses and products designed by vendors must undergo a social-morality and ethics review in advance.

POPIA (South Africa)

The Protection of Personal Information Act (often called the POPI Act or POPIA) was enacted on 1 July 2020 and the one year grace period ended on 30 June 2021.

POPIA does not establish an explicit right to data portability, and it applies to juristic persons. In more nuanced areas, there are variations in what is defined as a special category of data, when data subject rights can be exercised, and how to respond to a data breach.

You also have to maintain a ROPA, called a PAIA manual; the deadline for this is 31.12.2021.

US Federal law

Currently many US states are enacting their own privacy laws, including California, Massachusetts, New York, Hawaii, Maryland, and North Dakota. We expect to see new legislation on the horizon in 2022.


We have standardized on the core pillars, while allowing for local adaptation

Every organization has its own set of applicable laws. We made it easy for you to select the ones that apply to you. Once selected, only the fields necessary to comply with the selected laws appear in the interfaces.

Bedtime reading

Read more about Priverion.
