Beyond GDPR: Data protection around the world

​The introduction of the General Data Protection Regulation (GDPR) in 2018 was the first time such extensive legal provisions had been put in place surrounding the security of personal data. 

The GDPR means that 28 European countries now have strict laws and can impose heavy fines should a data breach happen. But how is the personal data of individuals outside of Europe protected at a city and state level?  We look at some of the regulations around the world that are helping to keep citizens' data secure.

The US at a federal and state level

The US does not have any centralized, formal laws in place at federal level to protect the electronic transmission and storage of individuals' data to the extent of the GDPR, but some federal legislation does exist to protect data more generally. 

The devolution of power to state level means that a number of US states have passed their own data-related laws. Some states are more active than others.  California, for example, has a long story of adopting privacy-forward legislation.  The California Consumer Privacy Act (CCPA), which will become effective on January 1 2020, will enhance  privacy rights and consumer protection, by giving residents in California the right to use the CCPA to know exactly what personal data is being collected, how it is being used and say no to the sale of their personal data to suitably protect themselves.  The Act will also require businesses to make changes in support of these new rights.  


In Brazil, the General Data Protection Law, which will be enforceable in 2020, aims to supplement and replace the 40+ data privacy-related laws the country already has in place. Not only will it supersede the existing laws, it will also clarify any conflicts that have arisen between them. Similarly to the GDPR, the regulation is extensive and will be applicable to all sectors of the economy. It clearly defines the concept of personal data, sensitive personal data and public data and the liability surrounding any breaches. The legislation applies to any company that serves the Brazilian market, whether it has offices in the country or not. Organizations that fall under the scope of the law will be required to upgrade security measures, including the adoption of a Data Protection Officer, implementation of a security program and development of an incident response and remediation plan should a breach occur. 


Bahrain's Data Protection Law came into force in August 2019, superseding any existing data protection laws in Bahrain and making it the first country in the Middle East to introduce such a law. The regulation provides individuals with rights in relation to how their data is collected, processed and stored. 

The future

The enforcement of the GDPR started a huge global shift for data privacy, creating political movements that demand more rights for data subjects, heavier penalties for companies and that governments regulate the new and rapidly advancing technologies that pose a threat to data security. More than 80 countries have now enacted privacy laws of this nature, as individuals, alongside state and federal governments, are realizing the importance of not only keeping their data safe, but also ensuring that when it is transferred or shared, it is done so securely. 

Related content: A year in the life of GDPR