Beyond GDPR: Data protection around the world

​The introduction of the General Data Protection Regulation (GDPR) in 2018 was the first time such extensive legal provisions had been put in place surrounding the security of personal data. 

The GDPR means that 28 European countries now have strict laws and can impose heavy fines should a data breach happen.

But how is the personal data of individuals outside of Europe protected at a city and state level?  

We look at some of the regulations around the world that are helping to keep citizens' data secure.

The US at a federal and state level

The US does not have any centralized, formal laws in place at the federal level to protect the electronic transmission and storage of individuals' data to the extent of the GDPR. Still, some federal legislation does exist to protect data more generally. 

The devolution of power to the state-level means that several US states have passed their own data-related laws.

Some states are more active than others.  California, for example, has a long story of adopting privacy-forward legislation.  

The California Consumer Privacy Act (CCPA), which will become effective on January 1, 2020, will enhance privacy rights and consumer protection by giving residents in California the right to use the CCPA to know exactly what personal data is being collected, how it is being used and say no to the sale of their personal data to suitably protect themselves.  

The Act will also require businesses to make changes in support of these new rights.  


In Brazil, the General Data Protection Law, which will be enforceable in 2020, aims to supplement and replace the 40+ data privacy-related laws the country already has in place.

Not only will it supersede the existing laws, but it will also clarify any conflicts that have arisen between them.

Similarly to the GDPR, the regulation is extensive and will apply to all sectors of the economy. It clearly defines the concept of personal data, sensitive personal data, and public data and the liability surrounding any breaches.

The legislation applies to any company that serves the Brazilian market, whether it has offices in the country or not.

Organizations that fall under the scope of the law will be required to upgrade security measures, including the adoption of a Data Protection Officer, implementation of a security program, and development of incident response and remediation plan should a breach occur. 


Bahrain's Data Protection Law came into force in August 2019, superseding any existing data protection laws in Bahrain and making it the first country in the Middle East to introduce such a law.

The regulation provides individuals with rights concerning how their data is collected, processed, and stored. 

The future

The enforcement of the GDPR started a huge global shift for data privacy, creating political movements that demand more rights for data subjects, heavier penalties for companies, and governments regulating the new and rapidly advancing technologies that pose a threat to data security. 

More than 80 countries have now enacted privacy laws of this nature, as individuals, alongside state and federal governments, realize the importance of keeping their data safe and ensuring that when it is transferred or shared, it is done so securely. 

Related content: